Discussion around the release of application-only authentication

corbanb · 2013-05-31T16:30:09.000Z

Wonder why I was able to get a Bearer token with the ‘v’ in the url. Strange. Good catch though. Looks like things are back to normal now.

dfarr219 · 2013-05-31T23:05:00.000Z

Hi, I’m trying to connect with curl:

curl --request ‘POST’ ‘https://api.twitter.com/oauth2/token’ --header 'Authorization: “Basic d…=”, Content-Type: “application/x-www-form-urlencoded;charset=UTF-8”, Accept-Encoding: “gzip” ’ --data “grant_type=client_credentials” --verbose

But I’m getting and “unable to verify credentials” error returned. I have verified that I encoded the key and secret bas64Encode(key:secret) but I still get the error. Any ideas?

guptasushantkum · 2013-06-03T10:38:36.000Z

Hi, I have created an application with OAuth 2 implementation and I could make queries which have a screenName or user_id parameter when requesting information for a User.
Queries like statuses/mentions_timeline, statuses/home_timeline, account/settings execute only for authenticated user.
Do I need to implement both OAuth 1.0A and OAuth 2 to get through this since only OAuth 1.0A requires client’s credentials. Awaiting your response.

episod · 2013-06-03T14:32:19.000Z

I’ve seen others have issues where they are inadvertently including a newline character when using a base64 encoding method; I would verify that the function you’re using is producing the correct value.

episod · 2013-06-03T14:32:38.000Z

Correct, OAuth 1.0A is required for any requests made on behalf of a user.

guptasushantkum · 2013-06-04T08:47:58.000Z

Hey, thanks for replying, but would it not be easier if you add a screen_name or user_id parameter for every api.
For example,
GET statuses/mentions_timeline: worked for authentictaed user
GET statuses/user_timeline: accepts screen_name or user_id parameter.
Is there an technical block in achieving this functionality. If this is implemented, it would be very convenient for us.
Please ignore my ignorance if I may have missed any valid reason for this not being implemented.
Awaiting reposne.

corbanb · 2013-06-06T16:17:00.000Z

Just a heads up. I wrote a simple library to connect to the API via App Only Auth in PHP. Library is available below. Would love some feedback. Thanks!

https://github.com/mademovement/freebird-php

episod · 2013-06-07T14:10:06.000Z

Great! I’ve added it to [node:126]. Thanks!

OzerOz · 2013-06-07T15:06:00.000Z

I am getting error code 220 for certain requests. Am I correct to understand that if I go to the API’s page and there is a rate limit of #/app, this can be used to indicate that the API is supported for application-only authentication applications?

For instance, I tried /lists/list and I get this:

URI [https://api.twitter.com/1.1/list/list.json?screen_name=ozeroz] Method [GET] Headers [ Authorization: Bearer {Bearer_token}, User-Agent: {User_agent} ] Entity

Status [403/Forbidden] Headers [ content-length: 91, content-type: application/json; charset=utf-8, date: Fri, 07 Jun 2013 14:59:28 UTC, server: tfe, set-cookie: guest_id=v1%3A137061716821399853; Domain=.twitter.com; Path=/; Expires=Sun, 07-Jun-2015 14:59:28 UTC, strict-transport-security: max-age=631138519 ] Entity [{“errors”:[{“message”:“Your credentials do not allow access to this resource”,“code”:220}]}]

I also tried users/search:
URI [https://api.twitter.com/1.1/users/search.json?q=obama&page=1&per_page=20] Method [GET] Headers [ Authorization: Bearer {Bearer_token{, User-Agent: {User_agent}, Accept: application/json ] Entity

Status [403/Forbidden] Headers [ content-length: 91, content-type: application/json; charset=utf-8, date: Fri, 07 Jun 2013 15:04:08 UTC, server: tfe, set-cookie: guest_id=v1%3A137061744854994636; Domain=.twitter.com; Path=/; Expires=Sun, 07-Jun-2015 15:04:08 UTC, strict-transport-security: max-age=631138519 ] Entity [{“errors”:[{“message”:“Your credentials do not allow access to this resource”,“code”:220}]}]

However, if I tried to get some trends, I get a good response:
URI [https://api.twitter.com/1.1/trends/place.json?id=3534] Method [GET] Headers [ Authorization: Bearer {Bearer_token}, User-Agent: {User_Agent} ] Entity

Status [200/OK] Headers [ cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0, content-length: 1437, content-type: application/json;charset=utf-8, date: Fri, 07 Jun 2013 14:59:27 GMT, expires: Tue, 31 Mar 1981 05:00:00 GMT, last-modified: Fri, 07 Jun 2013 14:59:27 GMT, pragma: no-cache, server: tfe, set-cookie: guest_id=v1%3A137061716777715959; Domain=.twitter.com; Path=/; Expires=Sun, 07-Jun-2015 14:59:27 UTC, status: 200 OK, strict-transport-security: max-age=631138519, x-access-level: read, x-frame-options: SAMEORIGIN, x-rate-limit-limit: 15, x-rate-limit-remaining: 14, x-rate-limit-reset: 1370618067, x-transaction: 618e243e3898fff9, x-xss-protection: 1; mode=block ] Entity [[{“trends”:[{“name”:“#18ThingsIWant”,“url”:“http://twitter.com/search?q=3D%2318ThingsIWant” …

SkydLine · 2013-06-07T15:24:43.000Z

I am currently using TWRequest and the Twitter framework in my iOS app. This has worked great for GET search in v1 of the API. However, forcing me to do authentication in v1.1 is killing me. So I have been trying to use application-only authentication, but I can’t figure out if it’s possible using the iOS Twitter framework. Is it possible and if so, can you point me to an example? Thanks.

episod · 2013-06-10T14:41:53.000Z

Correct, the methods that support app-only auth list an app-only auth rate limit beside them. Those not declaring an app-only auth rate limit are not usable with app-only auth. We also have another distinction: methods that support app-only auth only say that auth is “required” whereas methods that require a user-based context say “Requires user context”

episod · 2013-06-10T14:42:49.000Z

Not directly with the TWRequest framework. But app-only auth is really just very simple HTTP(S) work, so you can typically use more basic HTTP handlers. However, app-only auth’s rate limits aren’t very suitable for client-side use.

AllTopicsForum · 2013-06-10T15:26:26.000Z

Please assist: We use Twitter Feed at our site www.gdf.tv. Our threads are not showing up in the Twitter search results and so are also not showing up in our Twitter block.

Basically, when we make a tweet inside our Twitter account @alltopicsforum the tweet shows up fast in the Twitter search results for our Twitter account. When we make a thread on our site the thread also comes up in @alltopicsforum.

But the threads do not make it to the Twitter search for our hashtags and our account? So, these threads also do not make it into our Twitter block?

(Comparatively, the Twitter blocks of www.mobitog.com and www.8wayrun.com are both showing these website’s latest threads/hashtags).

Please advise how to solve this.

SkydLine · 2013-06-10T15:34:13.000Z

Someone please correct me if I’m wrong, but here is how I understand your response. “Great job spending countless hours writing an iOS app that relies almost entirely on the Twitter API. However, with the release of our new API, you will be forced to rewrite all of your Twitter integration code despite the fact that you followed Apple’s preferred way of integrating with Twitter. Once you are done rewriting your code, your application will likely become useless in the eyes of your users because they will either be forced to login (which most of my users don’t want to do) or be rate-limited to the point that they can’t use the app.”

Does Twitter really not see this as a problem? There have to be others running into the exact same obstacle. Please tell me that Twitter has a better response to this concern than what I am hearing thus far. Or, better yet, please tell me I am just misunderstanding this response. Is there somewhere I can officially log this concern?

timacheson · 2013-06-14T15:31:32.000Z

Thanks, this is very useful guidance.

ESpacey · 2013-06-16T13:44:28.000Z

I have made an example in PHP of how to use the API 1.1, notably the project examples that where distributed for v1. haven’t been updated for v1.1, notably also the PHP Libraries looks like they are abandoned.

To Download the Package of PHP files for the Twitter v1.1 API Example and link to it on your pages please twitter these links are permanent:

Download: Elastic Open Objects Portal System / Code / Commit [r36]
Code: https://sourceforge.net/p/eoops/code/HEAD/tree/Example%20Script/Twitter%20oAuth%20Example/
Wiki: Elastic Open Objects Portal System / Wiki / Twitter oAuth Example

rocplaza · 2013-06-17T16:18:52.000Z

I’m still getting 403 forbidden on oauth2/token. The same code worked 5 days ago!

yugamanand · 2013-06-17T17:35:58.000Z

hi
I am able to acheive oauth authenication for GET statuses/user_timeline …

But How can i Search tweets using GET search/tweets in new api 1.1. it always give me unauthorized 401

rocplaza · 2013-06-17T18:10:27.000Z

403 seems to be a cookie problem. After clearing all cookies from Chrome it al started working again. My postman api’s generate bearer keys now.

sashiks1009 · 2013-06-19T10:09:51.000Z

It will be great if you share me the way, how you get the bearer token