Discussion around the release of application-only authentication

140dev · 2013-03-13T15:30:04.000Z

And thanks for not hyping all the great new things coming later for application-only auth. We both know that hyping futures is not good. Getting application-only auth in place is enough for now.

I just hope some PHP libraries adopt it soon. Please nudge Matt Harris to update his library. I’ve built an entire book of examples based on it, and I now need to add application-only auth into the mix.

stevewsop · 2013-03-13T23:43:02.000Z

If I’m not mistaken, the update to 1.1 makes a few things impossible.

Specifically: hits to /statuses/show or /statuses/oembed from people who are not Twitter users.

If I’m using client side javascript, and I want app-level OAuth, then basically my secret token has to be readable (e.g. in my javascript!) – making client side javascript not an option.

In my case, I write a browser extension that (amongst other things) detects twitter links and lets you expand them inline within the page to see the details. The users of my extension may well not have twitter accounts, let alone be logged in.

It would seem that this means I cannot service these users any longer. Is that the case?

episod · 2013-03-14T14:41:14.000Z

Check out [node:13439] for a method of making API requests to many API v1.1 methods without a direct user context.

episod · 2013-03-14T14:43:21.000Z

I think you’re reading too far in between the lines. It’s an important feature of the platform, and anyone who is spending time working with Twitter should know about it. For instructional purposes, I would just frame it as using the right tool for the job. If there’s something that your application needs to do of its own accord, app-only auth is probably the right tool for the job.

vladimirsazhin · 2013-03-14T15:46:00.000Z

The POST request to https://api.twitter.com/oauth2/token returns a 404 error.

episod · 2013-03-14T15:50:10.000Z

This is a temporary issue that will soon be resolved.

stevewsop · 2013-03-14T17:07:33.000Z

I did check that out, and I specifically mentioned it. My concern is that it’s client side javascript and the application only auth requires a secret token – which I can’t obscure from my users / the source code of my app since it’s a browser extension and therefore client side code…

Is that my only option? Am I perhaps misunderstanding the implications?

IamatFran · 2013-03-14T21:11:49.000Z

It would be nice to be able to generate this token as we generate my access token for the oauth tool and use the oauth tool to create snippets to try this out.

episod · 2013-03-15T17:11:09.000Z

I think you understand the implications pretty well.

Your options in this scenario are:

a) to embed just the bearer token and re-release the plugin in the event that you need to negotiate a new bearer token
b) to embed the consumer key and secret and re-release the plugin in the event that those keys need to be reset
c) require your end users to provide either their own bearer token or their own consumer key and secret

Option C has the least amount of risk, but the greatest burden on end users. It also means your app has no real identity of its own to Twitter.

Option B is probably the least secure option. You would need to reset your key and secret if the key were compromised and/or used for abusive activities. This option would allow you to still leverage user-based authentication and provide write operations if necessary. User-based auth is key to a consistent, predictable rate limiting scenario.

Option C is a middle ground. The largest risk is that your rate limits would be exhausted by someone using your bearer token, and requesting public data in your application’s name.

casassaez · 2013-03-17T00:13:07.000Z

I’m not really sure If I had understood it at all, we’re suposed to save the twitter bearer in a database (for example) and use it every time? Or we have to make a new bearer every time we need to use the Twitter API?

Also I would like to ask if anyone knows any twitter PHP library compatible with this. I have been searching for hours without results. I would like make my search application work with the new search API as soon as possible, but I don’t really know how to start. Anyone here who can help me please?

Dhanjivkumar · 2013-03-19T06:58:16.000Z

i am getting this issue :
Whoa there!
There is no request token for this page. That’s the special key we need from applications asking to use your Twitter account. Please go back to the site or application that sent you here and try again; it was probably just a mistake.

after enter user id and password
what is problem there please help me…
my Consumer key wgDSfTpX0x1w4Qvtfs5C8w

Thanks

TestSMT · 2013-03-22T16:08:38.000Z

@episod If the authentication of a API requires user context, how should I authorize the request for that? I assume I can’t use application-only authentication for that, right?

episod · 2013-03-22T16:11:05.000Z

Correct – for methods requiring a user context you need to use OAuth 1.0A and an access token belonging to the end user using your application.

maplerme · 2013-03-28T10:09:54.000Z

Same here. All or most of the open source examples in the Documentation is outdated or abandoned; a majority even without OAuth implementation.
Without a library of example to work upon, I’ve been unsuccessful just like yourself.

@episod Are there any updated examples of PHP libraries that are updated and comply to the recent changes in API 1.1? This would be greatly appreciated.

killmarils · 2013-04-01T16:14:00.000Z

Hi,
I’m invoking api.twitter.com/oauth2/token but it always answer with “403 Forbidden: The server understood the request, but is refusing to fulfill it.” in the body and 403 as http code. I’m following step by step the
"Application-only authentication" documentation (https://dev.twitter.com/docs/auth/application-only-auth).

Do you know if there is any problem with this service? I thought there would be a JSON object in the body with the specific error. Thanks!

erictpeterson · 2013-04-01T16:48:29.000Z

Taylor,

I must have missed it … can you point me to the documentation/detail regarding rate limits for application-only authentication? We are suddenly seeing rate limit issues in 1.1 this morning despite no dramatic changes on our end so wanted to better understand if this is something we are doing wrong perhaps.

Thanks.

irshad0786ahmad · 2013-04-02T09:15:22.000Z

i have Twitter API 20 day before was working fine but now i am getting problem during the Authentication not passing token number etc. and i am getting this message.

Whoa there!

There is no request token for this page. That’s the special key we need from applications asking to use your Twitter account. Please go back to the site or application that sent you here and try again; it was probably just a mistake.

Go to Twitter.

please help me how to solve this

irshad0786ahmad · 2013-04-02T09:16:00.000Z

same here i am getting this problem…

i have Twitter API 20 day before was working fine but now i am getting problem during the Authentication not passing token number etc. and i am getting this message.

Whoa there!

There is no request token for this page. That’s the special key we need from applications asking to use your Twitter account. Please go back to the site or application that sent you here and try again; it was probably just a mistake.

Go to Twitter.

please help me how to solve this

episod · 2013-04-02T14:56:16.000Z

Verify that when you send the user to oauth/authorize that you’re including a request token as the oauth_token value. If you’re sending users without, make sure that you validate the response from oauth/request_token before sending the users further. Your problem is likely with the result of oauth/request_token.

episod · 2013-04-02T14:56:57.000Z

They’re detailed on each API resource documentation that supports it, but you can also view the full accounting here: https://dev.twitter.com/docs/rate-limiting/1.1/limits