It is as straightforward as I outlined above, except you have to percent encode some of the information - here’s how to do it:
Create an App at https://dev.twitter.com/apps (as I am just getting tweets from the command line, the Website field isn’t relevant so I just entered http://www.google.co.uk) and in the “Details” tab click on “Create my access token” and then go to the “OAuth tool” tab of your application and enter Request URL and query, so for https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=twitterapi you would just enter URL “https://api.twitter.com/1.1/statuses/user_timeline.json” and query “screen_name=twitterapi” and click on “See OAuth signature for this request”.
This gives an example of the Signature base string and the cURL command and the cURL command would work, but only for a limited time as it contains a timestamp, but if you replace the timestamp and nonce, then you can reuse the Signature base string.
The oauth_timestamp is just the number of seconds since the Unix epoch, for which you can use "date +%s".
The oauth_nonce is any unique alphanumeric string, so I base64 encoded the timestamp+HH:MM:SS+Nanoseconds and stripped out +, = and / as follows:
date +%s%T%N | openssl base64 | sed -e 's/[+=/]//g'
So if you generate the timestamp and nonce then you can reuse the “Signature base string” and the “Signature base string” is used to create the oauth_signature as follows using openssl:
echo -n "$sig_base_string" | openssl dgst -sha1 -hmac "$key" -binary | openssl base64 | sed -e 's/+/%2B/g' -e 's/\//%2F/g' -e 's/=/%3D/g'
The key is the Consumer secret, followed by an ampersand character ‘&’, followed by the Access token secret where both secrets must be percent encoded which basically means replacing any non-alphanumeric keys with %hexcode. The resulting signature also has to be percent encoded and as this is base64 encoded, I know the only non-alphanumeric keys that could be present are +, =, / so the “sed” replaces them with %hexcode.
So then you just run the example curl code replacing your generated oauth_nonce, oauth_signature and oauth_timestamp.
Below is an example script of just 5 lines where I have used a parameter for screen_name so you can use this script for screen names other than “twitterapi”:
screen_name=twitterapi
timestamp=$(date +%s)  # seconds since the Unix epoch
nonce=$(date +%s%T%N | openssl base64 | sed -e 's/[+=/]//g')  # base64 of the time with +, = and / stripped
signature=$(echo -n 'GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fuser_timeline.json&oauth_consumer_key%3DQ4hmbd34xSSymdZNPLVzpA%26oauth_nonce%3D'$nonce'%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D'$timestamp'%26oauth_token%3D204448593-GHvNZ5FqMETOgH3QVV3M1AZElzyGNXsaGiq2TXRE%26oauth_version%3D1.0%26screen_name%3D'$screen_name | openssl dgst -sha1 -hmac 'xzuHvl9PkWlbOqUotjXLxf7nsKfPQKiI2skwCNAy0&JHwxCOYDaI4jCdALc9938Lu7piqaNodjByubQhFY' -binary | openssl base64 | sed -e 's/+/%2B/g' -e 's/\//%2F/g' -e 's/=/%3D/g')
curl --get 'https://api.twitter.com/1.1/statuses/user_timeline.json' --data "screen_name=$screen_name" --header 'Authorization: OAuth oauth_consumer_key="Q4hmbd34xSSymdZNPLVzpA", oauth_nonce="'$nonce'", oauth_signature="'$signature'", oauth_signature_method="HMAC-SHA1", oauth_timestamp="'$timestamp'", oauth_token="204448593-GHvNZ5FqMETOgH3QVV3M1AZElzyGNXsaGiq2TXRE", oauth_version="1.0"' --verbose
I’ll probably improve this code by using parameters for keys, but it works.
One thing to note is that I used:
https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=twitterapi
rather than
https://api.twitter.com/1/statuses/user_timeline.rss?screen_name=twitterapi
which is used in the opening post as the whole point of using oauth is that you won’t be able to use Twitter API version 1 from March and you will have to use 1.1 and this does not support rss format, so I now need to parse the json format which looks more difficult than rss format.
The App details for the above code example are (I have now deleted App so the keys are no longer valid for the above code):
Consumer key Q4hmbd34xSSymdZNPLVzpA
Consumer secret xzuHvl9PkWlbOqUotjXLxf7nsKfPQKiI2skwCNAy0
Access token 204448593-GHvNZ5FqMETOgH3QVV3M1AZElzyGNXsaGiq2TXRE
Access token secret JHwxCOYDaI4jCdALc9938Lu7piqaNodjByubQhFY
Access level Read-only
The Signature base string and cURL command generated by OAuth tool were:
Signature base string
GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fuser_timeline.json&oauth_consumer_key%3DQ4hmbd34xSSymdZNPLVzpA%26oauth_nonce%3D63e82bd2a63c4d7a2ff6a265ec1c3bfe%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1359414714%26oauth_token%3D204448593-GHvNZ5FqMETOgH3QVV3M1AZElzyGNXsaGiq2TXRE%26oauth_version%3D1.0%26screen_name%3Dtwitterapi
cURL command
curl --get 'https://api.twitter.com/1.1/statuses/user_timeline.json' --data 'screen_name=twitterapi' --header 'Authorization: OAuth oauth_consumer_key="Q4hmbd34xSSymdZNPLVzpA", oauth_nonce="63e82bd2a63c4d7a2ff6a265ec1c3bfe", oauth_signature="Fg5ZMBKu%2Ff6j8VT3pwJgIxFq%2BA4%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1359414714", oauth_token="204448593-GHvNZ5FqMETOgH3QVV3M1AZElzyGNXsaGiq2TXRE", oauth_version="1.0"' --verbose
Mike
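
Going beyond the hand-edited base string in the post above, this added example (not Mike's code) builds the signature base string from raw parameters, so a query value containing spaces or reserved characters is still encoded and sorted correctly before signing. The function names are hypothetical, and ASCII input plus an installed openssl are assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. ASCII input is assumed.

# RFC 3986 percent-encoding: keep A-Z a-z 0-9 - . _ ~, encode every other byte.
pct_encode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        case "$c" in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# base_string METHOD URL name=value...
# Takes raw (unencoded) query and oauth_* pairs, encodes each name and value,
# sorts by name then value, joins with '&', then encodes the joined string again.
base_string() {
    method=$1 url=$2
    shift 2
    params=$(for kv in "$@"; do
        printf '%s=%s\n' "$(pct_encode "${kv%%=*}")" "$(pct_encode "${kv#*=}")"
    done | LC_ALL=C sort -t '=' -k1,1 -k2,2 | paste -sd '&' -)
    printf '%s&%s&%s' "$method" "$(pct_encode "$url")" "$(pct_encode "$params")"
}

# sign BASE_STRING CONSUMER_SECRET TOKEN_SECRET -> percent-encoded oauth_signature
# -hmac places the key on openssl's command line, where it can be read from the
# process list while the command runs.
sign() {
    key="$(pct_encode "$2")&$(pct_encode "$3")"
    sig=$(printf '%s' "$1" | openssl dgst -sha1 -hmac "$key" -binary | openssl base64)
    pct_encode "$sig"
}

# 128 random bits as hex: unique per request, nothing to strip or encode.
new_nonce() { openssl rand -hex 16; }
```

Calling base_string with the method, URL and seven parameters from the OAuth tool output quoted in the post reproduces that Signature base string exactly.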