OAuth 2.0 server-side flow


I’ve been having a look at authenticating using OAuth 2.0. I know it’s not offically supported, but there is an endpoint which @Anywhere uses.

Does anyone know if it’s possible to get this endpoint to use the server-side flow, rather than the client-side flow? With normal OAuth 2.0 it is just a case of changing response_type=token to response_type=code. However, twitter doesn’t use standard parameters, it just makes up its own. For client-side flow the relevant parameter is oauth_mode=flow_web_client, but I can’t find what this should be for server-side flow.

Also, it seems that if this parameter is left out, twitter defaults to using client-side flow; unlike facebook, which defaults to server-side.

Any ideas?


We don’t support OAuth 2 beyond what is documented in @Anywhere. Please don’t try to use the end points for anything other than @Anywhere.


Is there a timeframe for implementing oAuth2. oAuth1 is a pain…


There is no timeframe to announce. OAuth2 is also a pain.


OAuth2 is much less of a pain than OAuth1. There’s no signing or anything to worry about.

It is already supported by Google, Facebook and others - it would be nice if twitter caught up, so we could authenticate with all these services in the same way, rather than having to write a special case for twitter.


I concur with @lucas24 on this matter. I’ve spent the past few days adding OAuth 2.0 support with Facebook, Google+, and soon Windows Live. Twitter would make it a trifecta (obviously Windows Live doesn’t count for anything).


it would be great to have some examples on how to use server-side flow to post new direct messages or other post requests. (PHP)


I’m going to join in with those requesting OAuth 2.0 support. It’s time for twitter to catch up with the rest of the internet. I don’t like writing special cases.


Also requesting OAuth2 support. Much easier to implement.


How are you planning on using Twitter’s API without writing any special cases?


Easy. With OAuth2 the basic server calls and response handling is the same across all services that support it – which is most of the big OAuth providers at this point. I, as the client, can write a base class to perform them and then just pass the appropriate URLs and client keys from a parent class. Much less code. As it stands Twitter needs an entire Auth class to itself with completely separate (and much more extensive) mechanics.


I’m not sure I believe it. Facebook’s documentation says nothing about refresh tokens, for example: http://developers.facebook.com/docs/authentication/

While Google’s docs devote a large amount of attention to using refresh tokens, which require a whole new step in the auth flow: http://code.google.com/apis/accounts/docs/OAuth2WebServer.html

Each set of docs also present a bunch of unique parameters and response data. I doubt an integration which used both could abstract away a large amount of the differences between these two approaches, at least to the point where you’re just adding a set of credentials to enable a new service.


Would also really like this. Our use case is a simple “Find your friends” [who’re using our app] feature.

We’re obviously not going to query the database directly from the web client, so it’s greatly inconvenient that we can only fetch a user’s friends from the client (since a user’s Twitter account could be protected, and we can only get the user’s OAuth token on the client!).

As it stands, we have to thus either transmit the user’s OAuth token, or the list of their Twitter friends, across the wire – unencrypted – to our server. Neither is secure. A server-side OAuth flow would prevent this security hole.


Can you provide a reason why OAuth 1.0 is better than OAuth 2.0 from the perspective of an API user? I can’t. The 2.0 protocol is easier to implement, thats why it exists. From the Wikipedia article:

“OAuth 2.0 focuses on client developer simplicity”

Arguing against this reality is absurd.


any update on OAuth 2.0 server-side flow support by twitter?


In the beginning twitter worked so hard to get people to use it. I have implimented it into numerouse websites in the past using the BASIC Authentication back when it was supported.

They then remove BASIC Authentication and replace it with the highly complex oAuth1. As result all of my websites which used twitter don’t use it in any way as I am not prepared to mess about with the stupid oAuth1 (Wasted too much time trying to get it to work already).

Twitter is the only Social Network with an API which I don’t try and sell/promote to my clients due to this. I am sure one day when twitter eventually do something about supporting oAuth2 I may come back but untill then I shall forget all about twitter.

The big question is what happens first? OAuth2 or Twitter being worthless (MySpace)?


+1 for Oauth2, get with it


Need OAuth 2.0. It’s pretty much easy and secure


Is this a joke? Still no support for oauth2


+1 for oauth2 support