Aw: Re: [twitter-dev] Re: Why is there no @Anywhere version of the Tweet Button with Count?
Oh, sorry, I mixed it up with the thread Using @Anywhere with Protoype.js → http://goo.gl/Rk0C8 My fault. Alexander -- Twitter developer documentation and resources: https://dev.twitter.com/doc API updates via Twitter: https://twitter.com/twitterapi Issues/Enhancements Tracker: https://code.google.com/p/twitter-api/issues/list Change your membership to this group: https://groups.google.com/forum/#!forum/twitter-development-talk
[twitter-dev] I would like to automatically reply from a twitter account to every @mention
The application I want to develop would reply to every @mention. For now, a simple reply of Yes? would do, but I am hoping that I can reply with a URL appended with the Twitter ID# that has been shortened, along with content from the originating tweet. I have rudimentary Ruby, Python and JavaScript skills and I know someone who is quite proficient at programming who will help me. The application I have in mind would be a service that any one could use and I don't intend to develop this for profit. Any pointers to modules or other applications that have similar uses would be greatly appreciated.
[twitter-dev] Multiple streams with the same IP
Hi, Does anyone here have any experience with multiple streams (each stream with a pair of dedicated oauth token/secret) with twitter's streaming API? As it is specified in docs that Each account may create only one standing connection to the Streaming API, I assume we could have a few connections if there are the same number of accounts. Correct me if the above is wrong. Any experience sharing is fairly appreciated! Cheers, Jack
[twitter-dev] Twitter Basics and Errors
I am in the process of getting re-acquainted with the API after a lot of changes and I have run into some issues. I am getting rate limited when I do a call to get the follower IDs. As I understand it, it has 150 uses on my IP per hour, but I couldn't have made more than 4 calls. My script is fairly simple as a test:
    $twitterObj = new EpiTwitter();
    $followers = $twitterObj->get_followersIds(array('screen_name' => 'whoever'));
    print "\n" . count($followers);
This isn't a part of a loop or anything, but I get a Rate Limit Exceeded error after only one or 2 calls to this. Any idea what could be wrong? Also, has something changed with search? I attempt to do:
    $twitterObj = new EpiTwitter();
    $search = $twitterObj->search('whatever');
    echo $search->responseText;
And I get a 403 Forbidden error. Both my examples are using the php wrapper found here: http://www.jaisenmathai.com/articles/twitter-php-oauth.html If anyone has any help with why I might be seeing these errors, or if there is a better library for PHP to do basic no authentication tasks, such as getting a user's followers and doing basic search queries, I would very much appreciate it. Thank you.
[twitter-dev] Questions of new ToS
Hey, Anyone from twitter development team can explain a little bit of the content in new ToS:
III. Twitter Functionality in your Service
3. Twitter Identity
Once an end user has authenticated via Connect with Twitter, you must clearly display the end user's Twitter identity. Twitter identity includes visible display of the end user's avatar, Twitter user name, and the Twitter bird mark. Displays of the end user's followers on the your Service must clearly show that the relationship is associated with the Twitter service.
Q1: Have to display the 'bird' mark? Can't be the blue login with 't' ?
Q2: Any example of showing followers relationship is associated with the Twitter service? Because don't know exactly how you mean by this.
Jack
Re: [twitter-dev] Streaming API access level limit
Thanks, figured it out. Another question, how many connections are allowed with a shared IP? Any suggestions on multiple streams in one machine with one IP? J
On Mon, Feb 28, 2011 at 1:50 PM, John Kalucki j...@twitter.com wrote:
Are you specifying the IDs in the URL or in a POST parameter? There's a limit to the URL length that we'll parse, but we'll take huge POST parameters. -John Kalucki http://twitter.com/jkalucki Twitter, Inc.
On Tue, Feb 22, 2011 at 11:22 PM, aquajach aquaj...@gmail.com wrote:
Hi, Just started to play with streaming API, but get confused on how many followers id could be tracked with one connection. In basic level of filter, http://dev.twitter.com/doc/post/statuses/filter says 400 followers ids http://dev.twitter.com/pages/streaming_api_methods says 5,000 followers ids Then I tried in local machine, could only follow around 320 ids ( receive 413 if more) and seems multiple connections in one IP are not allowed. Anybody here know: Is there any ways to follow a few thousands ids for each authenticated account (with oauth)? Or how to apply for higher access level? Any experience share or answers are appreciated! J
Re: [twitter-dev] Streaming API access level limit
From the developer resource, it is said that 'Each account may create only one standing connection to the Streaming API'. While it is possible to have a few streams with different users' account through OAuth? If yes, what's the limit? Thanks, J
On Tue, Mar 1, 2011 at 4:25 AM, Matt Harris thematthar...@twitter.com wrote:
Hi J, Glad you worked it out. The Streaming API (stream.twitter.com) does not support multiple streams - only one connection is permitted. This is explained in more detail on our developer resources site: http://dev.twitter.com/pages/streaming_api_concepts#access-rate-limiting Best, @themattharris Developer Advocate, Twitter http://twitter.com/themattharris
On Mon, Feb 28, 2011 at 12:54 AM, Chen Jack S Y aquaj...@gmail.com wrote:
Thanks, figured it out. Another question, how many connections are allowed with a shared IP? Any suggestions on multiple streams in one machine with one IP? J
On Mon, Feb 28, 2011 at 1:50 PM, John Kalucki j...@twitter.com wrote:
Are you specifying the IDs in the URL or in a POST parameter? There's a limit to the URL length that we'll parse, but we'll take huge POST parameters. -John Kalucki http://twitter.com/jkalucki Twitter, Inc.
On Tue, Feb 22, 2011 at 11:22 PM, aquajach aquaj...@gmail.com wrote:
Hi, Just started to play with streaming API, but get confused on how many followers id could be tracked with one connection. In basic level of filter, http://dev.twitter.com/doc/post/statuses/filter says 400 followers ids http://dev.twitter.com/pages/streaming_api_methods says 5,000 followers ids Then I tried in local machine, could only follow around 320 ids ( receive 413 if more) and seems multiple connections in one IP are not allowed. Anybody here know: Is there any ways to follow a few thousands ids for each authenticated account (with oauth)? Or how to apply for higher access level? Any experience share or answers are appreciated! J
Re: [twitter-dev] Streaming API access level limit
Hey dude. You gave me a hint, but not tweetstream, that is twitterstream, which is newer and works for me.
On Fri, Feb 25, 2011 at 2:12 AM, M. Edward (Ed) Borasky zn...@borasky-research.net wrote:
On Thu, 24 Feb 2011 17:34:52 +0800, Chen Jack S Y aquaj...@gmail.com wrote:
Thanks, dude. My problem is still there though. When I try the streaming api with curl in command line, everything goes well and it tracks a few thousands of ids successfully. While using eventmachine (together with em-http-request) ruby gem, haven't found any solutions to track more 400 ids but keep receiving 413 response errors. Kind of weird.
Is this the tweetstream Ruby gem? If their repository is still on Github, it hasn't been updated in over a year. In particular, they haven't added code for User Streams or oAuth. Could they be using an incorrect endpoint or something like that? -- http://twitter.com/znmeb http://borasky-research.net A mathematician is a device for turning coffee into theorems. -- Paul Erdős
Re: [twitter-dev] Streaming API access level limit
Thanks, dude. My problem is still there though. When I try the streaming api with curl in command line, everything goes well and it tracks a few thousands of ids successfully. While using eventmachine (together with em-http-request) ruby gem, haven't found any solutions to track more 400 ids but keep receiving 413 response errors. Kind of weird. J
On Thu, Feb 24, 2011 at 5:52 AM, Matt Harris thematthar...@twitter.com wrote:
Hi J, The authoritative information for the Streaming API is under the /pages/ path and you should use that for guidance. The number of connections you are allowed to the Streaming API is described in the Streaming API Concepts document: http://dev.twitter.com/pages/streaming_api_concepts It says: Each account may create only one standing connection to the Streaming API. Subsequent connections from the same account may cause previously established connections to be disconnected. Excessive connection attempts, regardless of success, will result in an automatic ban of the client's IP address. Continually failing connections will result in your IP address being blacklisted from all Twitter access. When tracking users using the Streaming API the default level allows 5000 follower IDs to be tracked. Make sure the user_ids are specified with the follow parameter and not the track parameter. Best, @themattharris Developer Advocate, Twitter http://twitter.com/themattharris
On Tue, Feb 22, 2011 at 11:22 PM, aquajach aquaj...@gmail.com wrote:
Hi, Just started to play with streaming API, but get confused on how many followers id could be tracked with one connection. In basic level of filter, http://dev.twitter.com/doc/post/statuses/filter says 400 followers ids http://dev.twitter.com/pages/streaming_api_methods says 5,000 followers ids Then I tried in local machine, could only follow around 320 ids ( receive 413 if more) and seems multiple connections in one IP are not allowed. Anybody here know: Is there any ways to follow a few thousands ids for each authenticated account (with oauth)? Or how to apply for higher access level? Any experience share or answers are appreciated! J
[twitter-dev] API support for 'first tweet'
hey you lovely people I know we have the limits on search results but would it be possible to request and get back the first tweet for some specific searches. So things like profile and tag searches could support this. The historical data wouldn't change, you just need to capture the first time. If you searched a tag for example, you could get your limited results and can make a separate call to get just the first tweet - which would tell you lots... Like who, what and when. Might be a good compromise to some of the limitations of results and really help me out :) ! What do others think? Mike - is a newbie RoR dev, oldie javanista and entrepreneur has a passion for people and their stories loves twitter and other tools for dialogue
Re: [twitter-dev] xauth in PHP
Hi, Why do you need xauth? Take it as the last option, use oauth instead.
On 2 Jan 2011, at 00:22, genux33 calebzhi...@gmail.com wrote:
Hi, Is there anyone have the tutorial or code for twitter xauth login for PHP?
[twitter-dev] Receiving Incorrect Signature for REST API Method: users search
Receiving Incorrect Signature error for the following request I have made:
{request:\/1\/users\/search.json?q=Simhadri,error:Incorrect signature}
Grackle::TwitterError: get http://api.twitter.com/1/users/search.json?q=Simhadri = 401: {request:\/1\/users\/search.json? q=Simhadri,error:Incorrect signature}
Request: -
GET /1/users/search.json?q=Simhadri
accept=*/*
user-agent=Grackle/0.1.10 (OAuth gem v0.4.4)
authorization=OAuth oauth_consumer_key=xx, oauth_nonce=7tsH6myuEQRyoIggyzPdcNj9mla058fNFr7p4ZiC8, oauth_signature=8yGHPlD9eqXCBPOTn5W0fjiuYxQ%3D, oauth_signature_method=HMAC-SHA1, oauth_timestamp=1293169323, oauth_token=, oauth_version=1.0, scope=
Full HTTP response: -- Received Response
expires=Fri, 24 Dec 2010 05:47:03 GMT
connection=close
content-type=application/json; charset=utf-8
www-authenticate=Basic realm=Twitter API
server=hi
date=Fri, 24 Dec 2010 05:42:03 GMT
content-length=78
set-cookie=k=59.165.55.67.1293169323439293; path=/; expires=Fri, 31- Dec-10 05:42:03 GMT; domain=.twitter.com, guest_id=129316932344388070; path=/; expires=Sun, 23 Jan 2011 05:42:03 GMT, _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCMPt5RYtAToHaWQiJWFjZWRhMGEyZWI2MGI5%250ANjFmNTNiNmY4NWUyMjg2ZmNlIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy %250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--621c560ef8214205b5a0bfca3ca9084c38c939b4; domain=.twitter.com; path=/
vary=Accept-Encoding
cache-control=no-cache, max-age=300
status=401 Unauthorized
I am using Grackle/0.1.10 and OAuth gem v0.4.4. I am trying this in Ruby on Rails platform 2.3.2. Thanks, Arvind.
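How an OAuth 1.0a HMAC-SHA1 signature is derived for the request logged above, and how the server side re-derives and compares it, as an added example that is not part of the original post and not Grackle's or the OAuth gem's code. The URL and oauth_* values are the ones visible in the post; the consumer secret is constructed, and the token secret is assumed empty because the logged oauth_token is empty.

```ruby
require 'openssl'
require 'uri'

# Percent-encode per RFC 5849 section 3.6: only A-Z a-z 0-9 - . _ ~ stay literal.
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) do |ch|
    ch.bytes.map { |b| format('%%%02X', b) }.join
  end
end

# Signature base string: METHOD & encoded base URL & encoded, sorted parameters.
# Query-string parameters (here q=...) are signed together with the oauth_* ones,
# so client and server must agree on every one of them byte for byte.
def signature_base_string(http_method, url, oauth_params)
  uri  = URI.parse(url)
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  base_url = "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}"

  pairs  = URI.decode_www_form(uri.query.to_s)
  pairs += oauth_params.map { |k, v| [k.to_s, v.to_s] }
  pairs.reject! { |k, _| %w[oauth_signature realm].include?(k) }

  normalized = pairs.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                    .sort
                    .map { |k, v| "#{k}=#{v}" }
                    .join('&')

  [http_method.upcase, oauth_escape(base_url), oauth_escape(normalized)].join('&')
end

# Client side: the HMAC key is "consumer_secret&token_secret"; with no access
# token the second half is empty but the "&" is still present.
def oauth_signature(http_method, url, oauth_params, consumer_secret, token_secret = '')
  key  = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  base = signature_base_string(http_method, url, oauth_params)
  mac  = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base)
  [mac].pack('m0') # strict base64, no trailing newline
end

# Server side: recompute from the received request and compare without
# returning early on the first differing byte.
def signature_valid?(presented, http_method, url, oauth_params, consumer_secret, token_secret = '')
  expected = oauth_signature(http_method, url, oauth_params, consumer_secret, token_secret)
  return false unless expected.bytesize == presented.bytesize

  diff = 0
  expected.bytes.zip(presented.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# Values copied from the logged request; the secret below is constructed.
SAMPLE_URL = 'http://api.twitter.com/1/users/search.json?q=Simhadri'
SAMPLE_OAUTH = {
  'oauth_consumer_key'     => 'xx',
  'oauth_nonce'            => '7tsH6myuEQRyoIggyzPdcNj9mla058fNFr7p4ZiC8',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp'        => '1293169323',
  'oauth_token'            => '',
  'oauth_version'          => '1.0'
}.freeze
SAMPLE_CONSUMER_SECRET = 'constructed-consumer-secret'

if __FILE__ == $PROGRAM_NAME
  sig = oauth_signature('GET', SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_CONSUMER_SECRET)
  puts signature_base_string('GET', SAMPLE_URL, SAMPLE_OAUTH)
  puts "client signature: #{sig}"
  same = signature_valid?(sig, 'GET', SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_CONSUMER_SECRET)
  puts "server accepts identical request: #{same}"
  altered = SAMPLE_URL.sub('Simhadri', 'Simhadri2')
  bad = signature_valid?(sig, 'GET', altered, SAMPLE_OAUTH, SAMPLE_CONSUMER_SECRET)
  puts "server accepts altered query: #{bad}"
end
```

Any difference between what the client signed and what the server reconstructs (a query parameter, the encoding of a space, the secret half of the key) produces a different HMAC and a 401.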
[twitter-dev] Re: Help for twitteroauth
Hi Abraham.. I'm using your twitterauth. I've got everything set right, but I'm also getting the error as mentioned above. One thing I noticed is that the url is: https://twitter.com/oauth/authorize?oauth_token= I don't find the token. What might have gone wrong? Regards vishnu
On Sep 20, 8:11 am, Abraham Williams 4bra...@gmail.com wrote:
Could not connect to Twitter. Refresh the page or try again later. with TwitterOAuth generally means one of several things. You don't have a valid consumer key/secret being used, there is a firewall blocking access from your server to https://api.twitter.com, or your servers time is not being automatically synced. Abraham - Abraham Williams | Hacker Advocate | http://abrah.am @abraham | http://projects.abrah.am | http://blog.abrah.am This email is: [ ] shareable [x] ask first [ ] private.
On Wed, Sep 15, 2010 at 01:42, kilotto kilo...@gmail.com wrote:
Hi all, I'm trying use twitteroauth but I have some problems. When I use twitter twitteroauth in my webserver ( http://twitter.domain.net ) the script display the error: Could not connect to Twitter. Refresh the page or try again later.. If I use other script, it display: Woah there! This page is no longer valid. It looks like someone already used the token information you provided. Please return to the site that sent you to this page and try again ... it was probably an honest mistake. I've tried twitteroauth in local and it works fine. How I can fix this ? Tnx!
[twitter-dev] custom twitter button
hi, for one of our site, we need custom twitter button to share. we can implement the twitter button with help of custom js and twitter share link. but how can we display the count ? -- S. M. Ibrahim Lavlu software engineer, php somewhere in... http://www.somewherein.net bangla blog: http://www.somewhereinblog.net my blog: http://www.lavluda.com mac blog: htttp://www.mac-talks.com my book: http://www.lavluda.com/2009/07/08/my-book-on-cacti/
Re: [twitter-dev] Simple way to get user timeline?
1. register your app at dev.twitter.com to get your set of keys
2. get a hold of and install the twitter_oauth.php class
3. add in the getConnectionWithAccessToken function (I forget where it's available)
4. make your calls like this... (you will use get instead of post, and make the appropriate request for your statuses)
    $PMconnection = getConnectionWithAccessToken($pm_consumer_key, $pm_consumer_secret, $pm_access_token, $pm_access_secret);
    $PMsuccess = $PMconnection->post('https://api.twitter.com/1/statuses/update.json', array('status' => $thisTweet));
hope this helps
On Sep 1, 2010, at 1:17 AM, quick5pnt0 wrote:
Can anyone point me in the right direction?
Re: [twitter-dev] People randomly getting unfollowed?
I don't think it is 'random'. It most likely is removal of robot accounts. Some script / human is identifying such spam accounts / fake accounts and suspending them. Many people are getting frustrated by this, to see their followers number reduce. ~*~ On Sat, Aug 14, 2010 at 11:22 AM, M. Edward (Ed) Borasky zn...@borasky-research.net wrote: I don't think this has happened to me, but a number of my friends and some well-known Twitter people have reported that Twitter is unfollowing people from their accounts on its own, apparently in some random fashion. I don't have any more detail than that, or I'd file an issue. But I've heard it from so many people that I wanted to bring it up here and see if this triggers any thoughts in the developer community or at Twitter. -- M. Edward (Ed) Borasky http://borasky-research.net http://twitter.com/znmeb A mathematician is a device for turning coffee into theorems. - Paul Erdos
Re: [twitter-dev] Re: Twitter oAuth for PHP, some advice needed
I follow that. I was wondering if the creds needed to be in a session var or not. I'll give it a try! Thank you! On Jul 23, 2010, at 11:00 PM, Abraham Williams wrote: Hello Paul, In redirect.php the request token (also called temporary credentials) are one use. After the user returns from twitter.com having authorized the application they are exchanged for an access token from Twitter which is long lasting and what you are after. If the request token is not being saved/retrieved from sessions properly you can print it and the authenticate URL in redirect.php instead of automatically redirecting. Copy/paste the authenticate url into a browser window and authorize the app to access the user account. Then you can manually put the request token into the quick and dirty code instead of pulling from a session. Keep in mind that you can only use the request token once so if you don't print the access token the first time you will have to do it all again. Abraham - Abraham Williams | Hacker Advocate | http://abrah.am @abraham | http://projects.abrah.am | http://blog.abrah.am This email is: [ ] shareable [x] ask first [ ] private.
Re: [twitter-dev] Re: Twitter oAuth for PHP, some advice needed
ok. thanks for testing! On Jul 23, 2010, at 4:58 AM, Paul wrote: Hi Paul, Yep, was referring to the snippet. I've just copy/pasted yours, changed keys and callback URL and your code works for me. I'm afraid the only thing I can suggest is to double-check your consumer key/secret, Cheers, - Paul
Re: [twitter-dev] Re: Twitter oAuth for PHP, some advice needed
Ok... looks like there are others who received the same exception error when trying to generate an auth url. So, I switched over to Abraham's routine, which worked, and the oauth_token and verifier came back, but sadly, a new exception was thrown in the twitter-async code I was still using to retrieve the key/secret. Right now I'm trying to use Abraham's twitteroauth to output the same info. Is that possible? I looked at the class source but they are different enough to make it opaque to me. There is no equivalent setToken in twitteroauth. Does anyone know how to get twitteroauth to spill the same beans? I'm so close, and yet so far! for the intrepid, here are the async calls I'm trying to find equivalents for in twitteroauth
    $twitter->setToken($_GET['oauth_token']);
    $token = $twitter->getAccessToken(array('oauth_verifier' => $_GET['oauth_verifier']));
    var_dump($token->oauth_token, $token->oauth_token_secret);
thank you Paul G
On Jul 22, 2010, at 5:53 PM, Paul wrote:
Hi Paul, Is there a way to retrieve the consumer keys for the other Twitter account I own without registering an app? Yep, if you use that script given previously, just login to the other Twitter account instead (with the same consumer key/secret). This will give you a different pair of tokens for the second account. Initialise as in tweeting example with the new token. Basically what you're doing is authorising the same app for both accounts. - Paul
Re: [twitter-dev] Re: Twitter oAuth for PHP, some advice needed
Thanks Abraham. I'm still a bit baffled, but I'm sure the origin is local, haha. I used your testing routine with the Sign in to Twitter dialog to try to access the account token and secret for storage. In your redirect.php file, it does look like you are setting session vars in there for the token and secret before the redirect to Twitter. But it also says in your comments that those are temporary credentials. I was confused by that, because it's my understanding they're not supposed to expire, which is how they can be used again for future access. Do I have that wrong? I'm looking for the credentials that developers are storing for re-use of their user's Twitter accounts. Even though your redirect.php file is creating a session for the variables, when the callback to the quick and dirty code occurs, the variables are not accessible. I get the below notices.
    Notice: Undefined variable: _SESSION in /path/twittertest-oauth2.php on line 21
    Notice: Undefined variable: _SESSION in /path/twittertest-oauth2.php on line 21
    Notice: Undefined index: oauth_token in /path/twitteroauth/twitteroauth.php on line 118
    Notice: Undefined index: oauth_token_secret in /path/twitteroauth/twitteroauth.php on line 118
    array(1) { [ ]= string(0) }
Any advice for keeping hope alive? :) Thanks again Paul G
On Jul 23, 2010, at 1:13 PM, Abraham Williams wrote:
This is quick and dirty and assumes that oauth_token and oauth_token_secret are set in a session before you are redirected to twitter.com to authorize the application.
    $connection = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET, $_SESSION['oauth_token'], $_SESSION['oauth_token_secret']);
    $access_token = $connection->getAccessToken($_REQUEST['oauth_verifier']);
    var_dump($access_token);
Abraham - Abraham Williams | Hacker Advocate | http://abrah.am @abraham | http://projects.abrah.am | http://blog.abrah.am This email is: [ ] shareable [x] ask first [ ] private.
Re: [twitter-dev] Re: Twitter oAuth for PHP, some advice needed
thanks for fast-tracking me on this! I imagine I would have been at this several more days without this information. Thank you, thank you... and did I say thank you? :) Regards On Jul 22, 2010, at 1:04 PM, Paul wrote: One off: 1) Login to your company Twitter account. 2) Settings - Connections - Click the link under Developers at bottom right. Takes you to: http://twitter.com/apps 3) Register your app. You can get away with 127.0.0.1 as the callback URL if you're running a local webserver, but it's not so important if you're just doing this as a one off as you can specify callback URL at request time.
Re: [twitter-dev] Twitter oAuth for PHP, some advice needed
one quick followup on this, if I may... The Twitter account I registered the app with provided consumer keys / secrets and I used those keys with the client's access tokens to successfully get and post to the account using OAuth. Great. Many thanks to those who pointed me in the right direction. I actually have two separate Twitter accounts to do status updates for depending on the content I have. Sometimes in immediate succession. Is there a way to retrieve the consumer keys for the other Twitter account I own without registering an app? Thank you Paul G
Re: [twitter-dev] Re: Twitter oAuth for PHP, some advice needed
Paul, If you are referring to the twitter-async example you posted, I have installed that and I'm working with it now. I assume the first time through it's meant to take a detour through a Twitter authorization, then back to the same script in which oauth_token and secret is set... and dumped... Looks like I'm not getting a proper authorize URL, and in fact the script dies at that call. No output. Maybe someone can eyeball what's going wrong. Here's what the stack trace says, followed by the script (the names and places have been changed to protect the innocent)
    Fatal error: Uncaught exception 'EpiOAuthException' in /path/twitter-async/EpiOAuth.php:397
    Stack trace:
    #0 /path/twitter-async/EpiOAuth.php(367): EpiOAuthException::raise(Object(EpiCurlManager), false)
    #1 /path/twitter-async/EpiOAuth.php(47): EpiOAuthResponse->__get('oauth_token')
    #2 /path/twittertest-oauth2.php(29): EpiOAuth->getAuthorizeUrl(NULL, Array)
    #3 {main} thrown in /path/twitter-async/EpiOAuth.php on line 397

    <?php
    require_once "classes/twitter-async/EpiCurl.php";
    require_once "classes/twitter-async/EpiOAuth.php";
    require_once "classes/twitter-async/EpiTwitter.php";
    define("CONSUMER_KEY", $MY_CONSUMER_KEY); // actual key used
    define("CONSUMER_SECRET", $MY_CONSUMER_SECRET); // actual secret used
    $twitter = new EpiTwitter(CONSUMER_KEY, CONSUMER_SECRET);
    if (isset($_GET["oauth_token"])) {
        // Callback leg: exchange the returned token and verifier for an access token
        try {
            $twitter->setToken($_GET["oauth_token"]);
            $token = $twitter->getAccessToken(array("oauth_verifier" => $_GET["oauth_verifier"]));
            var_dump($token->oauth_token, $token->oauth_token_secret);
        } catch (Exception $e) {
            var_dump(get_class($e));
        }
    } else {
        // First leg: send the user to Twitter to authorize the application
        $location = $twitter->getAuthorizeUrl(null, array("oauth_callback" => "http://www.mydomain.tld/dir/twittertest-oauth2.php")); // same address as this script
        header("Location: $location");
        exit;
    }
    ?>
On Jul 22, 2010, at 5:53 PM, Paul wrote:
Hi Paul, Is there a way to retrieve the consumer keys for the other Twitter account I own without registering an app? Yep, if you use that script given previously, just login to the other Twitter account instead (with the same consumer key/secret). This will give you a different pair of tokens for the second account. Initialise as in tweeting example with the new token. Basically what you're doing is authorising the same app for both accounts. - Paul
[twitter-dev] Re: Wrong User ID for a reply
From the API documentation: http://apiwiki.twitter.com/Twitter-Search-API-Method%3A-search Warning: The user ids in the Search API are different from those in the REST API (about the two APIs). This defect is being tracked by Issue 214. This means that the to_user_id and from_user_id field vary from the actualy user id on Twitter.com. Applications will have to perform a screen name-based lookup with the users/show method to get the correct user id if necessary. - Shuan On Mar 22, 4:05 pm, Vikas vikas...@gmail.com wrote: Hi, I am trying to fetch the User ID to include in the Reply field and it fetches the correct user ID if you are following the person and some wrong User ID if you are just replying to a Tweet from the Search topics. Has anyone seen this kind of behavior and what could possibly be wrong here? I appreciate the help. Thanks Vikas To unsubscribe from this group, send email to twitter-development-talk+unsubscribegooglegroups.com or reply to this email with the words REMOVE ME as the subject.
[twitter-dev] Re: Search API fails with Chinese
Pretty odd, I am able to use curl to get http://search.twitter.com/search.json?q=^_^&lang=zh but have the same problem as you fetching it through Firefox/Safari. On Mar 22, 12:51 pm, Irokez iro...@gmail.com wrote: http://search.twitter.com/search.json?q=^_^&lang=en - works perfectly http://search.twitter.com/search.json?q=^_^&lang=zh - Twitter search has timed out Is there a way to solve the problem?
[twitter-dev] Re: Most popular tweets in the search API
As someone who's developing some applications right now specifically involving the search APIs I now have to worry about whether or not I should pre-emptively include the result_type parameter so my app doesn't become non-functioning when the changes are pushed to the site. Why do the popular tweets have to be the default behavior in the API?

On Mar 19, 7:42 am, funkatron funkat...@gmail.com wrote: So this would change the default behavior of the search API, which is currently to return recent results? If so, I think that's a bad idea. Better to offer the option than to change existing behavior when possible. -- Ed Finkler http://funkatron.com Twitter: @funkatron AIM: funka7ron ICQ: 3922133 XMPP: funkat...@gmail.com

On Mar 19, 10:37 am, Taylor Singletary taylorsinglet...@twitter.com wrote: Hi Developers! The Search team is working on a beta project that returns the most popular tweets for a query, rather than only the most recent tweets. This is a beta project, but an important first step to surface the most popular tweets for users searching Twitter. You can expect many improvements as we tune and tweak our algorithms, but we want to give everyone a heads up so we can go over the implications for those consuming the search API.

--- New attribute in the payload ---

First of all there will be a new attribute in search result payloads. Since some tweets are popular for a given query while others are simply the most recent results that match the query, we are adding a metadata section to specify the type of result that a given result represents. So for a popular tweet the result_type in the metadata section will have the value "popular". Example of a result with a popular tweet:

{ "results": [
  { "profile_image_url":"http://a1.twimg.com/profile_images/668144840/Elizabeth_Web_normal.jpg",
    "created_at":"Mon,15 Feb 2010 19:55:18 +",
    "from_user":"Elizabeth",
    "to_user_id":null,
    "text":"It's the Griswold family trip to Joshua Tree Park! @rsarver @Devon @Jess @noradio @kevinweil",
    "id":9153622261,
    "from_user_id":106309,
    "geo":null,
    "iso_language_code":"en",
    "source":"&lt;a href=&quot;http://www.atebits.com/&quot; rel=&quot;nofollow&quot;&gt;Tweetie&lt;/a&gt;",
    "metadata": { "result_type": "popular" } }
  /* etc ... */
}

Results that are not popular and represent simply recent query matches will have the result_type in the metadata section with a value of "recent". Example of a recent result:

{ "results": [
  { "profile_image_url":"http://a3.twimg.com/profile_images/641350353/TimCheekFinger_normal.jpg",
    "created_at":"Mon, 15 Feb 2010 23:42:45 +",
    "from_user":"timhaines",
    "to_user_id":97776,
    "text":"@noradio Nice spot.",
    "id":9160218997,
    "from_user_id":159881,
    "to_user":"noradio",
    "geo":null,
    "iso_language_code":"it",
    "source":"&lt;a href=&quot;http://www.atebits.com/&quot; rel=&quot;nofollow&quot;&gt;Tweetie&lt;/a&gt;",
    "metadata": { "result_type": "recent" } },
  /* etc ... */
}

--- Results with popular tweets aren't ordered chronologically ---

Until the popular tweet feature all search results have been sorted chronologically, most recent results at the top. If a search query has any popular results, those will be returned at the top, even if they are older than the other results. Example of a non-chronologically ordered set of results including popular results:

{ "results": [
  { "profile_image_url":"http://a1.twimg.com/profile_images/668144840/Elizabeth_Web_normal.jpg",
    "created_at":"Mon, 15 Feb 2010 19:55:18 +",
    "from_user":"Elizabeth",
    "to_user_id":null,
    "text":"It's the Griswold family trip to Joshua Tree Park! @rsarver @Devon @Jess @noradio @kevinweil",
    "id":9153622261,
    "from_user_id":106309,
    "geo":null,
    "iso_language_code":"en",
    "source":"&lt;a href=&quot;http://www.atebits.com/&quot; rel=&quot;nofollow&quot;&gt;Tweetie&lt;/a&gt;",
    "metadata": { "result_type": "popular" } },
  { "profile_image_url":"http://a3.twimg.com/profile_images/641350353/TimCheekFinger_normal.jpg",
    "created_at":"Mon, 15 Feb 2010 23:42:45 +",
    "from_user":"timhaines",
    "to_user_id":97776,
    "text":"@noradio Nice spot.",
    "id":9160218997,
    "from_user_id":159881,
    "to_user":"noradio",
    "geo":null,
    "iso_language_code":"it",
    "source":"&lt;a
[twitter-dev] 403 when posting URL
I just noticed this: I try to post a status change that includes a URL. The post is longer than 140 chars but Twitter shortens the URL with bit.ly, making it less than 140 chars and so the status change is posted. I get a 403 response, with the following message in it: <error>Status is over 140 characters.</error> It looks like a bug in the API. Has anyone had the same problem?
[twitter-dev] API for marking tweets seen
Hello, As someone who uses tweetdeck, web and my mobile client I would think if there was a way an app would know if the tweet was already seen by a user. One way I could think of is knowing/storing the least tweet (by timestamp) that was fetched by user with API/web, and any app that user will first fetch the last seen tweet time and request only tweet stream after the time. Has anyone else felt the need for this? Thanks Taggy
[twitter-dev] Couldn't find Status with ID=xx errors
I've been using the search API for a while now. Recently some of the queries return 404 status with the error message like this: "Couldn't find Status with ID=3355800333". The API docs (http://apiwiki.twitter.com/Twitter-Search-API-Method%3A-search) mention that "This method will return an HTTP 404 error if since_id is used and is too old to be in the search index". We are not using the optional since_id in our query. Has there been any change to the API? An example query is: http://search.twitter.com/search.atom?q=%22Vegit%22+%22Convenience+Foods%22+-filter%3Alinks&lang=en&rpp=12 Thanks, Anirudh S -- Anirudh Surendranath SmartCrowds Software Pvt Ltd email : anir...@smartcrowds.com : anirudh[DOT]mail[AT]gmail[DOT]com http://gingerjoos.com
[twitter-dev] Re: OAuth vs. Basic authentication strictly on iPhone
Srikanth, Thank you for your thoughts -- good ones. Responses: snip But what if the app was developed by some thirdparty devs? you never know whether the password is stored or logged some where. /snip I'm not sure who the third party is relative to -- if you are the user of an iPhone app, *every* app was developed by a third party. If you are the developer of the app, and you are worried about development you've farmed out to a third party, well, that's not an authentication issue -- that's a personnel / business problem. You shouldn't be publishing code which you aren't aware of what it does. I made reference to this in another thread, but when a user voluntarily downloads an iPhone app and puts it on their device, and then runs it, they've explicitly demonstrated a level of trust for that app. If they are concerned about it being a rogue app, then downloading the app, putting it on their device, and running it seems inconsistent with a true concern about it being a rogue app. But furthermore, let's assume there was some concern about password entry -- I do not see how OAuth saves you at all. You are still keying in your password within the app, in code that the developer of this so- called rogue app developed. The developer could be phishing with a spoof OAuth web page, but even if the OAuth page is authentic, the developer could still intercept keyboard events and capture your password that way. That said, it seems that the real danger on the iPhone is storing a password, not having the device as a whole password protected, and then losing your device. Someone can then go into your phone, and Twitter related app, and have direct access to your account (which I believe would still be a danger with OAuth tokens). So the solution seems to not be the means of authentication, it seems to be whether a password is stored or not, and whether it is transmitted securely. 
Brad On Aug 11, 2009, at 12:02 AM, srikanth reddy wrote: My thoughts OAuth wasn't meant for Desktop apps. Its for third party apps (consumers) who try to request a protected resource from a service provider on behalf of end users. Typically a consumer offers one kind of service and a service provider offers a different service. As you know the advantage of OAuth is you are not giving away your password to consumers. For desktop apps (iphone apps) it is perfectly fine to use basic auth over https But what if the app was developed by some thirdparty devs? you never know whether the password is stored or logged some where. There is always an element of risk. OAuth solves this problem to a little extent. You are giving your password only to twitter and the consumer/app gets the token. Even if a rogue consumer steals this token you at least have the option of revoking the access to this consumer. But if password is stolen you cannot do anything. As you know OAuth primarily deals with Authorization and Authentication is secondary. So its not a question of comparing it with Basic Auth over HTTPS. These are just my thoughts. Srikanth On Tue, Aug 11, 2009 at 2:46 AM, Bradley S. O'Hearne brad.ohea...@gmail.com wrote: All, I don't want to kick this subject to death, as there was a lengthy thread on general OAuth vs. Basic auth -- I want to restrict this question strictly to the scope of iPhone apps. Having pored over the OAuth vs. Basic authentication process, I have a question, given the following assumptions: - The iPhone app is communicating directly with Twitter, i.e. not through some third-party means. - The iPhone app requires authentication at the beginning of each application runtime (i.e. each time the app is run the user has to type in their password). - The password is cached only in memory, for the life of that specific runtime (i.e. when the user quits the app, the password is released). - The password is NEVER persisted anywhere, i.e. never stored to disk. 
- All network communication with Twitter takes place over HTTPS. If all of those things are true in an iPhone app, how is OAuth superior in any way to basic authentication from a security standpoint? Furthermore, given having to introduce a foreign UI element and extra authentication steps over the web, could OAuth even be considered inferior when evaluated as a whole as an authentication means for the iPhone, when app branding, integration, and ease of use are considered? Mind you, the purpose of this post is not in any way to incite a religious war or stir the pot, it is to definitively establish the true pros and cons of each authentication means within the specific use case of the iPhone only. Many of the other OAuth / Basic auth threads are somewhat overridden with personally charged statements that I'd rather ignore them. Anyway, your constructive views are most appreciated. Regards, Brad
[twitter-dev] Re: OAuth vs. Basic authentication strictly on iPhone
Srikanth, By third party i meant some one like 'TwitViewer' (some one who would pay and register their app in appstore and trick the users to believe in them but who do not work the way they were expected to ) That's not a valid use case for faulting the authentication mechanism. The user has already demonstrated an explicit level of trust in the app. That's like saying that if you carelessly trusted someone with your ATM pin number prior to them performing a fraudulent transaction with your ATM card, that it is the ATM machine's fault. It isn't. The problem there is that you trusted a source you shouldn't have. Same thing with executable files containing viruses sent to you via email -- if you choose to run a rogue executable on your computer, it isn't the computer's fault for running it. It is the user's fault for running the executable. NO. With OAuth you are not keying in your password with in the app. No? How is it then that you initially get logged into Twitter -- yes, it might be a Twitter web page, but it is still hosted within your app, right? So whose to say the web page you are viewing is *really* an OAuth page, if you aren't going to trust the app? OAuth doesn't protect from that. Now assume your third party app is legitimate and supports basic auth and is storing password. If some one steals your iphone he could use your password (doesnt matter whether it is stored encrypted) as well as your app to post/delete tweets. With OAuth it is limited posting/deleting tweets. This is not to say that Oauth solves all the problems of storing passwords.(It has its own problems of storing consumer secrets) You ignored one of my assumptions, which is that passwords aren't stored at all. If basic authentication is used, and passwords are never stored, it doesn't matter if someone steals your iPhone, they cannot get access to your Twitter account. With OAuth, they would still have a degree of access to it, unless I'm missing something. 
Brad On Aug 11, 2009, at 10:33 AM, srikanth reddy wrote: By third party i meant some one like 'TwitViewer' (some one who would pay and register their app in appstore and trick the users to believe in them but who do not work the way they were expected to ) You are still keying in your password within the app, in code that the developer of this so-called rogue app developed. NO. With OAuth you are not keying in your password with in the app. the developer could still intercept keyboard events and capture your password that way. I have to agree with this particularly for desktop apps (But app store admins catch this.) That said, it seems that the real danger on the iPhone is storing a password, not having the device as a whole password protected, and then losing your device. Someone can then go into your phone, and Twitter related app, and have direct access to your account (which I believe would still be a danger with OAuth tokens). Now assume your third party app is legitimate and supports basic auth and is storing password. If some one steals your iphone he could use your password (doesnt matter whether it is stored encrypted) as well as your app to post/delete tweets. With OAuth it is limited posting/deleting tweets. This is not to say that Oauth solves all the problems of storing passwords.(It has its own problems of storing consumer secrets) If you are not storing password then basic auth over https from a trusted app is absolutely fine. Personally i believe OAuth does not have much to offer for desktop apps.The debate goes on. Sooner or later twitter is going to remove basic auth support. We have no choice but to move on. On Tue, Aug 11, 2009 at 8:27 PM, Bradley S. O'Hearne brad.ohea...@gmail.com wrote: Srikanth, Thank you for your thoughts -- good ones. Responses: snip But what if the app was developed by some thirdparty devs? you never know whether the password is stored or logged some where. 
/snip I'm not sure who the third party is relative to -- if you are the user of an iPhone app, *every* app was developed by a third party. If you are the developer of the app, and you are worried about development you've farmed out to a third party, well, that's not an authentication issue -- that's a personnel / business problem. You shouldn't be publishing code which you aren't aware of what it does. I made reference to this in another thread, but when a user voluntarily downloads an iPhone app and puts it on their device, and then runs it, they've explicitly demonstrated a level of trust for that app. If they are concerned about it being a rogue app, then downloading the app, putting it on their device, and running it seems inconsistent with a true concern about it being a rogue app. But furthermore, let's assume there was some concern about password entry -- I do not see how OAuth saves you at all. You are still
[twitter-dev] Re: OAuth vs. Basic authentication strictly on iPhone
JDG, Why would it be hosted in your app? Why can't you open Safari? The ideal usage pattern in an application is not to leave the application. Opening Safari requires exiting the current application. Opening a UIWebView within your application is the way to go. Brad On Aug 11, 2009, at 12:58 PM, JDG wrote: Why would it be hosted in your app? Why can't you open Safari? On Tue, Aug 11, 2009 at 13:29, Bradley S. O'Hearne brad.ohea...@gmail.com wrote: Srikanth, By third party i meant some one like 'TwitViewer' (some one who would pay and register their app in appstore and trick the users to believe in them but who do not work the way they were expected to ) That's not a valid use case for faulting the authentication mechanism. The user has already demonstrated an explicit level of trust in the app. That's like saying that if you carelessly trusted someone with your ATM pin number prior to them performing a fraudulent transaction with your ATM card, that it is the ATM machine's fault. It isn't. The problem there is that you trusted a source you shouldn't have. Same thing with executable files containing viruses sent to you via email -- if you choose to run a rogue executable on your computer, it isn't the computer's fault for running it. It is the user's fault for running the executable. NO. With OAuth you are not keying in your password with in the app. No? How is it then that you initially get logged into Twitter -- yes, it might be a Twitter web page, but it is still hosted within your app, right? So whose to say the web page you are viewing is *really* an OAuth page, if you aren't going to trust the app? OAuth doesn't protect from that. Now assume your third party app is legitimate and supports basic auth and is storing password. If some one steals your iphone he could use your password (doesnt matter whether it is stored encrypted) as well as your app to post/delete tweets. With OAuth it is limited posting/deleting tweets. 
This is not to say that Oauth solves all the problems of storing passwords.(It has its own problems of storing consumer secrets) You ignored one of my assumptions, which is that passwords aren't stored at all. If basic authentication is used, and passwords are never stored, it doesn't matter if someone steals your iPhone, they cannot get access to your Twitter account. With OAuth, they would still have a degree of access to it, unless I'm missing something. Brad On Aug 11, 2009, at 10:33 AM, srikanth reddy wrote: By third party i meant some one like 'TwitViewer' (some one who would pay and register their app in appstore and trick the users to believe in them but who do not work the way they were expected to ) You are still keying in your password within the app, in code that the developer of this so-called rogue app developed. NO. With OAuth you are not keying in your password with in the app. the developer could still intercept keyboard events and capture your password that way. I have to agree with this particularly for desktop apps (But app store admins catch this.) That said, it seems that the real danger on the iPhone is storing a password, not having the device as a whole password protected, and then losing your device. Someone can then go into your phone, and Twitter related app, and have direct access to your account (which I believe would still be a danger with OAuth tokens). Now assume your third party app is legitimate and supports basic auth and is storing password. If some one steals your iphone he could use your password (doesnt matter whether it is stored encrypted) as well as your app to post/delete tweets. With OAuth it is limited posting/deleting tweets. This is not to say that Oauth solves all the problems of storing passwords.(It has its own problems of storing consumer secrets) If you are not storing password then basic auth over https from a trusted app is absolutely fine. 
Personally i believe OAuth does not have much to offer for desktop apps.The debate goes on. Sooner or later twitter is going to remove basic auth support. We have no choice but to move on. On Tue, Aug 11, 2009 at 8:27 PM, Bradley S. O'Hearne brad.ohea...@gmail.com wrote: Srikanth, Thank you for your thoughts -- good ones. Responses: snip But what if the app was developed by some thirdparty devs? you never know whether the password is stored or logged some where. /snip I'm not sure who the third party is relative to -- if you are the user of an iPhone app, *every* app was developed by a third party. If you are the developer of the app, and you are worried about development you've farmed out to a third party, well, that's not an authentication issue -- that's a personnel / business problem. You shouldn't be publishing code which you aren't aware of what it does. I made reference to this in another thread, but when a user voluntarily
[twitter-dev] Re: OAUTH: Basic Auth is simpler/more reliable/more secure/better received than OAuth!?
Christopher, It is good to see that someone understands the bigger picture here. This conversation suffers from a presumption of a specific use-case (web application communicating with Twitter), and a particular presumption of trust, or lack thereof. The particular comments such as: You can lead a horse to water ... and This is not rocket science. pretty much demonstrate a very narrow contextual view, in which their view might make sense, but outside of which it does not. Restated, this is optimistic thinking from the perspective of their particular use case, and ignores the perspective of either other use cases, and overlooks someone trying to exploit a security vulnerability. To my knowledge, and certainly in this conversation, OAuth is being touted as an across-the-board superior security approach for ALL use cases. Having spent the better part of the last two and half years doing secure data storage development far more complex than that of just authorization, but also securing the payloads across an entire cloud and desktops, and the network as a whole, my comments here are simply to see the claim of OAuth being undisputably superior supported with fact against legitimate breach points. I'll give an example. My personal development use case for security is communicating with Twitter from an iPhone app. Applying the same broad brush you wouldn't give your data to a complete stranger comments to the iPhone, your complete stranger here is the iPhone app you are using. So effectively, your complete stranger assertion maps to the following: 1) You've downloaded an app from the App Store with the intention of using it for communicating with Twitter, yet it is considered a complete stranger, and untrusted. 2) You use the app, and explicitly initiate communication to Twitter within this very complete stranger. This complete stranger assertion is absurd. First, you haven't treated the iPhone app like a complete stranger. 
You explicitly downloaded (and likely paid money) to explicitly put this application on your phone. Furthermore, it doesn't really matter if you pull up the OAuth login page within your iPhone app. That complete stranger iPhone app could capture keyboard events and/or filter EVERYTHING you send across the wire prior to any encryption being applied. Furthermore, even if OAuth itself isn't breached, as soon as your token is acquired, what's to prevent the app from then going absolutely haywire with your account, posting malicious status, following / blocking who it chooses, etc.? Furthermore, all of the other apps comments don't directly apply -- every app on the iPhone is sandboxed, which protects it from any other app tampering or accessing data. The only breach of this, of course, is jailbreaking, but then again this is analogous to someone hacking and owning the desktop you are browsing on, in which case OAuth is no protection again. The variance for desktop apps is that they aren't sandboxed away from other apps on the machine, but other than that, most of this all applies to that environment too. Unless other information surfaces, Christopher, best I can tell, you are spot on. OAuth seems particularly relevant to web applications, and relevant to desktop and iPhone apps primarily if your desktop / iPhone are NOT password protected, and the application in question has stored credentials, and you either lose or have stolen your desktop / iPhone. In conclusion, addressing one last example of ATM cards and pins -- you picked the safe example. A credit card is far less safe than all of this, because lose one of those, and the finder is on a shopping spree, no ID or pin required. And I'd bet 99% of this mailing list, including the OAuth devotees, carry a credit card, and don't think twice about the fact that they are one hole in their pocket away from receiving a truckload of Shamwow's delivered to their house. 
Regards, Brad On Jul 31, 2009, at 7:41 AM, Christopher St John wrote: On Thu, Jul 30, 2009 at 6:07 PM, Bradley S. O'Hearne brad.ohea...@gmail.com wrote: I really want to hear stated, or read on a FAQ, is the pre-requisite security trust, that in that scenario, it necessarily makes OAuth superior to basic authentication. The problem here is that you're paying attention, instead of just accepting "oauth is better because it is!" statements :-) For desktop apps (and in any case where the application has control of the UI and/or your computer) OAuth has no security advantage (since the app can snoop the interaction). I'm sure bad people are working on a way to make this true in browser apps as well, but I don't know of any examples. For web applications, many commentators acknowledge an increased risk of phishing as a potential problem with OAuth, although I haven't personally read any studies that indicate whether it's a theoretical or practical
[twitter-dev] Re: OAUTH: Basic Auth is simpler/more reliable/more secure/better received than OAuth!?
All, Just a question along the same lines as Dmitriy's, and forwarding no opinion one way or the other -- but I'm curious, as security discussions often end up being debates about one particular facet of a security scheme while not considering the big picture. What is the breach that OAuth is primarily concerned with here? Granted that in principle one doesn't want to be throwing passwords around, but I see two concerns: 1. Passwords being intercepted as sent across the wire. Comment: If credentials have to be passed over the wire to authenticate a session, doesn't HTTPS really alleviate this concern? In order to breach HTTPS you'd have to either crack the encryption, or spoof the Twitter endpoint and support it by somehow spoofing the certificate authority chain. And if someone could do this, then OAuth is no safeguard, because they could do the same with whatever app or session token is the key to the city. 2. Passwords being stored locally. Comment: The application integrating with Twitter is already effectively trusted, so the concern should not be with the app itself. The concern here would be other apps or people being able to grab passwords off of disk where stored. Again, I think this goes back to encryption. If all credentials are encrypted locally, then again, the concern becomes the breaking of encryption, and if that is done, then again whatever app or session token represents the key to the city can be acquired to use in OAuth too, if I'm not mistaken. Now admittedly, I haven't gone through OAuth with a fine-toothed comb, but I have read the docs and examined the process. If I'm not mistaken, OAuth doesn't alleviate authentication, it just puts the actual username and password out of the regular communication and need to be stored locally, but replaces it with an alternative token, which does need to be stored locally, and passed across the wire. That token now becomes the key to the city, no? 
In conclusion, as I've been reading this thread, the thing I keep coming back to is that OAuth vs. Basic Auth seems somewhat a secondary argument -- the real issue is encrypting over the wire (HTTPS) and encryption on disk, and whether those can be cracked (or are being used as they should). From a developer standpoint, given that the cracking of encryption seems outside the scope of concerns with the Twitter API, what is analog is which one serves the user better -- and I think it is clear that the Basic Auth case has fewer steps and quicker to the result. Please correct my misperceptions if I'm wrong, as I'd love to hear what details I've overlooked. Regards, Brad On Jul 30, 2009, at 1:29 AM, Dmitriy V'jukov wrote: On Jul 28, 3:27 pm, chinaski007 chinaski...@gmail.com wrote: I suppose this is not so weird. Users are accustomed to giving user/ pass information even to foreign apps. Agree. Anyway, if user just setups desktop app to his computer, he already gives it much more than just login/password to some service. And then there is 1000 and 1 way how app can then get all needed info passing over user. -- Dmitriy V'jukov
[twitter-dev] Preventing Twitter from interpreting @ characters
Hello all, I am trying to post a URL to a Twitter status that has a @ character in it. The problem is probably obvious -- anyone know how to prevent Twitter from interpreting the @ as a username? Thanks, Brad
[twitter-dev] Re: OAUTH: Basic Auth is simpler/more reliable/more secure/better received than OAuth!?
Duane, I understand the concern. But I think the conversation is moving closer to the actual issue. Your example of turning Twitter credentials to a stranger basically makes the application (or computer) that the user has already willfully chosen to use a complete stranger. I would debate that is necessarily the case, but let's for the moment assume it is the case, and see the problem with that assumption. In that case, OAuth *still* requires production of credentials to a complete stranger. Because it supposedly redirects to the Twitter web site for authentication doesn't save you from the either originating web site, the browser, or the machine itself spoofing the redirect -- I mean you've already labeled them a complete stranger, so you have to allow now for that possibility. Additionally, that login directly into Twitter also doesn't save you from keyboard logging or phishing on the machine -- or, and I'm not 100% sure on this one but I think it is possible, malicious browser plugins. So here we get into the issue of not just a single trusted / non-trusted app, but whether it is a trusted box or not. Perhaps I'm still ignorant, but unless I've completely missed the boat, credentials are still being produced -- i mean, at some point they have to be, otherwise they wouldn't be credentials, something else would be. I think what I'm really responding to here is the lack of context given to discussions surrounding OAuth's security -- there are blanket statements being made about not giving a stranger passwords, and OAuth somehow solving that. Well, that stranger happens to be the machine you've chosen to trust. Just because OAuth exists, it doesn't make Twittering or accessing Twitter data from Facebook on an Internet Cafe computer any safer necessarily. There is a degree of trust somewhere that is being trusted as a beginning prerequisite. I do not believe there is a no-trust scenario here. 
What I really want to hear stated, or read on a FAQ, is the pre-requisite security trust, that in that scenario, it necessarily makes OAuth superior to basic authentication. Brad On Jul 30, 2009, at 11:52 AM, Duane Roelands wrote: Brad, Encryption on disk and encryption over the wire are not the issues and really don't have very much to do with the Basic vs. OAuth decision. The most important issue I see is that Basic Auth requires you to give your Twitter credentials to a person you do not know. This is a BAD IDEA. Basic Auth is great for prototyping and testing and getting the core functionality of your app working, but at some point you should bit the bullet and implement OAuth. It's better for your customers (security) and it's better for you because your customers can use your application with peace of mind. If YOU wouldn't hand over YOUR Twitter credentials to a stranger, it's silly to expect your users to do so. On Jul 30, 11:40 am, Bradley S. O'Hearne brad.ohea...@gmail.com wrote: In conclusion, as I've been reading this thread, the thing I keep coming back to is that OAuth vs. Basic Auth seems somewhat a secondary argument -- the real issue is encrypting over the wire (HTTPS) and encryption on disk, and whether those can be cracked (or are being used as they should). From a developer standpoint, given that the cracking of encryption seems outside the scope of concerns with the Twitter API, what is analog is which one serves the user better -- and I think it is clear that the Basic Auth case has fewer steps and quicker to the result. Please correct my misperceptions if I'm wrong, as I'd love to hear what details I've overlooked. Regards, Brad On Jul 30, 2009, at 1:29 AM, Dmitriy V'jukov wrote: On Jul 28, 3:27 pm, chinaski007 chinaski...@gmail.com wrote: I suppose this is not so weird. Users are accustomed to giving user/ pass information even to foreign apps. Agree. 
Anyway, if a user just sets up a desktop app on his computer, he already gives it much more than just a login/password to some service. And then there are 1000 and 1 ways the app can then get all the needed info, passing over the user.
-- Dmitriy V'jukov
[twitter-dev] Re: ASP .NET Development Issue w/OAuth Callback Parameter
Hello Abraham,
Thanks for helping me out. I was using a different code before and then I used your code and it works like a charm. Thanks for making that code so simple.
regards
R
On Mon, Jul 27, 2009 at 4:10 PM, Abraham Williams 4bra...@gmail.com wrote:
Are you adding oauth_callback to the oauth/request_token call? Along with the request_token you should be getting an oauth_callback_confirmed=true. Passing a callback url with a user when they go to authorize access does not work anymore: http://groups.google.com/group/twitter-api-announce/browse_frm/thread/472500cfe9e7cdb9?hl=en
Abraham
On Mon, Jul 27, 2009 at 15:49, mattarnold1977 matt.arnold.1...@gmail.com wrote:
I've been able to create a successful web request to receive an auth token from Twitter. However, Twitter is not sending me back to my development environment even though I have put the oauth_callback parameter on my request. It even shows my call back parameter in the URL on the Twitter oAuth authentication page. I'm wondering if anyone else is using VS 08 (ASP .NET) as their development environment and were able to successfully get the oAuth call back parameter to redirect back to their development environment?
-Matt
--
Abraham Williams | Community Evangelist | http://web608.org
Hacker | http://abrah.am | http://twitter.com/abraham
Project | http://fireeagle.labs.poseurtech.com
This email is: [ ] blogable [x] ask first [ ] private.
[twitter-dev] Re: oAuth .NET receiving Unauthorized Error (401)
Matt,
Try to register a new application for your development environment. I know it sounds not smart, but I guess it is a simple way to achieve. I think twitter did the same to me, when I tried to change the call back url.
regards
R
On Sun, Jul 26, 2009 at 1:50 PM, mattarnold1977 matt.arnold.1...@gmail.com wrote:
Andy,
That was it! Sorting my parameters did the trick. After that I was able to successfully post a web request to Twitter's OAuth request token URL. Now, the next problem. I'm working in a development environment and I can not get the call back argument to work correctly. I've added it as a parameter in my web request and you can see it in the URL when logging into Twitter to get the token. But, Twitter just returns me back to my application that I registered with them (not my development environment that I've setup in my call back argument).
-Matt
On Jul 26, 4:55 am, Andrew Badera and...@badera.us wrote:
On Sat, Jul 25, 2009 at 6:46 PM, mattarnold1977 matt.arnold.1...@gmail.com wrote:
Bojan,
Thanks for the reply. I'm using ASP .NET.
-Matt
I suspect Bojan was more curious about what OAuth library you're using. If you're doing it on your own, allow me to suggest DotNetOpenAuth instead. Also, are you sorting your parameters correctly? Non-alphabetized sort of parameters prior to signing will give you a 401.
Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This email is: [ ] bloggable [x] ask first [ ] private
[twitter-dev] Invalid consumer
Hello All,
When I am trying to access twitter with oauth (I am trying the php code from oauth.net), I enter the endpoint, consumer key and consumer secret, but I end up getting this next page which does not generate any token. Instead it says
Invalid consumer OAuthRequest Object ( [parameters:private] = Array ( [oauth_consumer_key] = . [oauth_nonce] = .. [oauth_signature] = .= [oauth_signature_method] = HMAC-SHA1 [oauth_timestamp] = 1248730389 [oauth_version] = 1.0 ) [http_method:private] = GET [http_url:private] = http://example.com:80/example/request_token.php?oauth_consumer_key=...oauth_nonce=...oauth_signature=3Doauth_signature_method=HMAC-SHA1oauth_timestamp=1248730389oauth_version=1.0 [base_string] = )
I am not sure why it does not generate any token. Code can be found at http://oauth.googlecode.com/svn/code/php/
Please help me.. thanks
regards
R
[twitter-dev] Re: ASP .NET Development Issue w/OAuth Callback Parameter
I am trying hard but not able to generate token. I am using the code from http://oauth.googlecode.com/svn/code/php/ and I am using it on my test server. But for some reason it is always giving me invalid consumer
___ OAuthRequest Object ( [parameters:private] = Array ( [oauth_consumer_key] = buWIzbM7RPf1CNM3wlpZhg [oauth_nonce] = [oauth_signature] = = [oauth_signature_method] = HMAC-SHA1 [oauth_timestamp] = 1248735987 [oauth_version] = 1.0 ) [http_method:private] = GET [http_url:private] = http://com:80/example/request_token.php?oauth_consumer_key=buWIzbM7RPf1CNM3wlpZhgoauth_nonce=01ae9584f72ed7b72e5b3bf7da503802oauth_signature=VCCIt4nNFKZn6wXhh6OEXwCoc4Y%3Doauth_signature_method=HMAC-SHA1oauth_timestamp=1248735987oauth_version=1.0 [base_string] = )
I am not able to figure out where I am going wrong. Please please help
R
On Mon, Jul 27, 2009 at 4:10 PM, Abraham Williams 4bra...@gmail.com wrote:
Are you adding oauth_callback to the oauth/request_token call? Along with the request_token you should be getting an oauth_callback_confirmed=true. Passing a callback url with a user when they go to authorize access does not work anymore: http://groups.google.com/group/twitter-api-announce/browse_frm/thread/472500cfe9e7cdb9?hl=en
Abraham
On Mon, Jul 27, 2009 at 15:49, mattarnold1977 matt.arnold.1...@gmail.com wrote:
I've been able to create a successful web request to receive an auth token from Twitter. However, Twitter is not sending me back to my development environment even though I have put the oauth_callback parameter on my request. It even shows my call back parameter in the URL on the Twitter oAuth authentication page. I'm wondering if anyone else is using VS 08 (ASP .NET) as their development environment and were able to successfully get the oAuth call back parameter to redirect back to their development environment?
-Matt
--
Abraham Williams | Community Evangelist | http://web608.org
Hacker | http://abrah.am | http://twitter.com/abraham
Project | http://fireeagle.labs.poseurtech.com
This email is: [ ] blogable [x] ask first [ ] private.
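The two signing points raised in the threads above (sort the parameters before signing, and send oauth_callback with the request_token call so that it is part of what gets signed), as an added example that is not code from any poster or from the libraries mentioned. The endpoint URL, consumer key, consumer secret and `verify` function are constructed stand-ins; `verify` only mimics what a provider does when it recomputes an HMAC-SHA1 signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params, sort=True):
    pairs = [(pct(k), pct(v)) for k, v in params.items()]
    if sort:
        pairs.sort()  # by encoded name, then by encoded value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret="", sort=True):
    # No token secret exists yet at the request_token step, so it is empty.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, params, sort).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(method, url, received, consumer_secret):
    # Provider side: rebuild the signature from the received parameters,
    # always sorted, and compare in constant time.
    params = {k: v for k, v in received.items() if k != "oauth_signature"}
    expected = sign(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, received["oauth_signature"])

# Constructed sample values (hypothetical endpoint, key and secret),
# listed in deliberately non-alphabetical order.
URL = "https://api.example.com/oauth/request_token"
SECRET = "constructed-consumer-secret"
PARAMS = {
    "oauth_version": "1.0",
    "oauth_timestamp": "1248700000",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_nonce": "constructed-nonce",
    "oauth_consumer_key": "constructed-key",
    "oauth_callback": "http://localhost:8080/callback",
}

def signed_request(sort):
    return dict(PARAMS, oauth_signature=sign("GET", URL, PARAMS, SECRET, sort=sort))

if __name__ == "__main__":
    for sort in (True, False):
        ok = verify("GET", URL, signed_request(sort), SECRET)
        print("sorted" if sort else "unsorted", "->", "accepted" if ok else "rejected (401)")
```

Printing `base_string(...)` and comparing it with what the library reports is the quickest way to find a signing mismatch; the request dumps quoted above show an empty `[base_string]`.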
[twitter-dev] Re: Freelance Twitter API Dev directory?
Hello,
Please also add me to the list.
Real name: Alexey Papulovskiy
Twitter: @nullwaver
Website with examples: http://huitter.com
On 29 Apr, 03:56, Mike Lewis mikelikes...@gmail.com wrote:
Hi,
Please add me to the list
Real Name: Mike Lewis
Twitter Username: @mikelikespie
Email: m...@narwhalconsulting.com
Web page: http://narwhalconsulting.com
Example: tweeptracker.com
Consulting firm out of SF bay area. Expertise in Python, Pylons, Postgres, REST API's, OAuth, AJAX, Flex, Javascript, C, etc.
Cheers,
Mike
On Mar 12, 2:24 pm, Ollie olliedud...@googlemail.com wrote:
Can I be added to the list please?
Real Name: Ollie Parsley
Twitter Username: @ollieparsley
Email: ol...@ollieparsley.com
Freelance PHP developer based in Dorset, UK. Have quite a bit of experience with the Twitter APIs for bespoke web apps using PHP/MySQL. Done a fair bit of .NET with Oracle too.
http://footytweets.com http://twitterleague.com http://h1debate.com
Thanks
Ollie
[twitter-dev] Re: Consistent 502 errors for users with large friend follower lists
Where can I find open source code that only picks up Twitter users' pictures linked to their profiles? Thanks.