[wp-hackers] Twitter API and Authentication

John Bloch jbloch at olympianetworks.com
Tue May 11 14:07:15 UTC 2010


From http://dev.twitter.com/pages/xauth

xAuth provides a way for desktop and mobile applications to exchange a username and password for an OAuth access token. Once the access token is retrieved, xAuth-enabled developers should dispose of the login and password corresponding to the user.

xAuth access is restricted to approved applications. If your application is a desktop or mobile application and the standard web OAuth flow or PIN-code out-of-band flow is not right for you, send a detailed message to api at twitter.com to request xAuth privileges. Include the name of your application, the consumer key, the application ID (if available), and a summary of how xAuth is best-suited for your application.

It looks like WP plugins like Twitter Tools, etc. would best be served by xAuth, since it's still authenticated by username and password, but is also still OAuth compatible. It's a bit more of a hassle for the developer, but it sounds like it would be much more user-friendly for the actual users of the application.

-John P. Bloch

On May 11, 2010, at 9:43 AM, Marko Heijnen wrote:

> That is true. For OAuth you need the API keys. It is less user-friendly but the effort for users is bigger.
> As a user I always hated Basic Authentication because of entering a password into a site.
> Requesting the API keys is 5 minutes' work and with some instructions every user can do it.
> 
> What some plugins do is create a shell (service) that connects to, for example, Twitter.
> In the plugin you will put the username and password for connection to that service.
> The service will push your message to Twitter.
> 
> 
> On 11 May 2010, at 15:32, Lew Ayotte - Full Throttle Development wrote:
> 
>> Is this still true?
>> 
>>> If you're distributing your plugin for WordPress, you would want to ensure
>>> that it doesn't contain any OAuth consumer keys (API keys) or secrets within
>>> the source code. You'd instruct implementors to come to
>>> http://dev.twitter.com/apps to create an application and give them a UI or
>>> configuration file to enter their consumer key and consumer secret in a safe
>>> place resistant to tampering.
>>> 
>> 
>> http://groups.google.com/group/twitter-development-talk/browse_thread/thread/21bc0536e9bf0eab/20600060538f7075?lnk=gst&q=plugin#20600060538f7075
>> 
>> It seems like that is the antithesis of user-friendly and would seem like
>> the opposite of what Twitter would want. I currently have over 13,000
>> downloads for my Twitter Post plugin. Many of those are updates, so let's
>> assume that 1/16 of those are legit users. Twitter really wants over 800 app
>> requests for the same app? And I'm not the only one with a Twitter Plugin
>> that allows you to post to twitter -- Twitter Tools has over 500,000
>> downloads.
>> 
>> Lew
>> 
>> Lew Ayotte
>> Full Throttle Development, LLC
>> 706.363.0688
>> 478.246.4627
>> lew at fullthrottledevelopment.com
>> http://fullthrottledevelopment.com
>> http://twitter.com/full_throttle
>> http://twitter.com/lewayotte
>> 
>> 
>> On Tue, May 11, 2010 at 8:53 AM, Lew Ayotte - Full Throttle Development <
>> lew at fullthrottledevelopment.com> wrote:
>> 
>>> Well, thanks for the heads up... but this is going to be a pain in the rear.
>>> 
>>> Now I guess I'll start incorporating oAuth into my plugin.
>>> 
>>> Lew Ayotte
>>> Full Throttle Development, LLC
>>> 706.363.0688
>>> 478.246.4627
>>> lew at fullthrottledevelopment.com
>>> http://fullthrottledevelopment.com
>>> http://twitter.com/full_throttle
>>> http://twitter.com/lewayotte
>>> 
>>> 
>>> 
>>> On Mon, May 10, 2010 at 7:20 PM, Matt Harris <themattharris at twitter.com> wrote:
>>> 
>>>> Hey Hackers,
>>>> 
>>>> Some of you may already know me through WordCamps, Barcamps and various
>>>> conferences but for those of you who don't, my name is Matt Harris and I've
>>>> just joined Twitter as a Developer Advocate.
>>>> 
>>>> I'm emailing this list to reach those of you who either write plugins that
>>>> use Twitter, or develop websites for which a Twitter widget is used.
>>>> 
>>>> On the 30th June the Twitter REST API will stop supporting Basic
>>>> Authentication and instead switch to OAuth. This means
>>>> * all user authenticated requests to the API must be OAuth signed,
>>>> preferably using OAuth headers.
>>>> * calls not requiring authentication should ensure they do not send auth
>>>> headers of any kind as doing so will return an error
>>>> * basic auth will cease to function on the REST API
>>>> * the streaming API will still support basic auth but this is likely to
>>>> change later in the year
>>>> * the search API does not require auth so is not part of this project
>>>> * the public RSS/ATOM feeds do not require auth so are not part of this
>>>> project
>>>> 
>>>> So, if you have WordPress sites that publish to Twitter please check they
>>>> are using OAuth and not Basic Authentication.
>>>> If you are a plugin developer, please update your plugin to use OAuth and
>>>> remove any Basic Authentication code.
>>>> If your plugin just consumes RSS/Atom feeds from Twitter you will be
>>>> unaffected by this change.
>>>> 
>>>> Information about OAuth and community code libraries can be found on
>>>> http://dev.twitter.com or, if you have any questions please ask in the
>>>> Twitter development talk Google group:
>>>> http://groups.google.com/group/twitter-development-talk. You can also
>>>> find me on Twitter as @themattharris or at various events including Google
>>>> IO later this month.
>>>> 
>>>> Best,
>>>> Matt Harris
>>>> Developer Advocate, Twitter
>>>> http://twitter.com/themattharris
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>> 
>>> 
>>> 
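The OAuth-signed request that the announcement quoted above asks plugins to send, as an added PHP example that is not part of the original thread or of any plugin mentioned in it: it builds the OAuth 1.0a HMAC-SHA1 `Authorization` header and takes the consumer key and secret as runtime settings instead of constants in the distributed source. The `demo_*` function names, the credential values and the endpoint URL are assumptions made for illustration.

```php
<?php
// OAuth 1.0a HMAC-SHA1 signing (RFC 5849). All keys, secrets and URLs are constructed placeholders.

// Signature base string: METHOD & encoded base URL & encoded, sorted parameters.
// $url carries no query string; query and body parameters go in $params.
function demo_oauth_base_string(string $method, string $url, array $params): string {
    $enc = [];
    foreach ($params as $k => $v) {
        $enc[rawurlencode($k)] = rawurlencode($v);
    }
    ksort($enc, SORT_STRING); // byte-order sort on the encoded names
    $pairs = [];
    foreach ($enc as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

// Builds the Authorization header; the two secrets only key the HMAC and are never sent.
function demo_oauth_header(string $method, string $url, array $body, array $cred): string {
    $oauth = [
        'oauth_consumer_key'     => $cred['consumer_key'],
        'oauth_nonce'            => bin2hex(random_bytes(16)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_token'            => $cred['token'],
        'oauth_version'          => '1.0',
    ];
    $base = demo_oauth_base_string($method, $url, $oauth + $body);
    $key  = rawurlencode($cred['consumer_secret']) . '&' . rawurlencode($cred['token_secret']);
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $base, $key, true));
    $parts = [];
    foreach ($oauth as $k => $v) {
        $parts[] = rawurlencode($k) . '="' . rawurlencode($v) . '"';
    }
    return 'Authorization: OAuth ' . implode(', ', $parts);
}

// Constructed credentials. In a plugin the site owner enters them on a settings
// screen and they are read back with get_option(), not shipped in the source.
$cred = [
    'consumer_key' => 'EXAMPLE_CONSUMER_KEY', 'consumer_secret' => 'EXAMPLE_CONSUMER_SECRET',
    'token'        => 'EXAMPLE_ACCESS_TOKEN', 'token_secret'    => 'EXAMPLE_TOKEN_SECRET',
];
$url    = 'https://api.example.test/1/statuses/update.json'; // placeholder endpoint
$header = demo_oauth_header('POST', $url, ['status' => 'Hello & welcome'], $cred);
echo $header, "\n";
// Neither secret appears in the header that goes over the wire.
var_dump(strpos($header, $cred['consumer_secret']) === false);
```

Unlike Basic Authentication, nothing in this header lets the receiving side or an eavesdropper recover a password; revoking the access token invalidates it without a password change.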


