It seems as though revealing the Consumer Key and Consumer Key Secret
of my application would be a pretty serious security risk. Anyone
could write an application that impersonates mine, but they still
would need an authorized user's Token and Token Secret in order to
commit mischief.
What sort
If you're asking what data type should you use to store these values,
I'm using the .NET Int64 type in my library. The Int64 value type
represents integers with values ranging from negative
9,223,372,036,854,775,808 through positive 9,223,372,036,854,775,807.
I was seeing occasional overflows usin
So is this wrong if I save the image and user details locally (on our
server) ?
Also, how would it be possible to get the users profile pic at
http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-users%C2%A0show
using ?
At current it only returns _normal.jpg, which is set at 43x43. I need
the
hmmm
On Jun 30, 10:45 pm, Abraham Williams <4bra...@gmail.com> wrote:
> Twitter has said in the past they are more than willing to take care
> of the bandwidth for smaller applications but if you go huge they ask
> you to look at local caching.
>
>
>
> On Tue, Jun 30, 2009 at 08:12, Philip Plante
Hello,
I’m using the oauth/authenticate method (one click login) and I was
wondering if I had to check the "Use Twitter for login" option in my
application options. The application is Browser based (using a
callback URL) .
I’m quite confused with this option as I don’t really understand what
it
Right - I am not scraping the PIN? I am using the web browser in .NET
(which is similar to Internet Explorer)
to authenticate via a pin and username / password credentials.
The only part of the workflow I do not follow is opening the URL in IE
- I open in it VB.NET Web Browser.
But - my user ha
You should use an unsigned 64 bit int for status and user ids to be
safe. IDs will never be negative, so a signed value is wasted space.
On Jul 1, 6:28 am, DWRoelands wrote:
> If you're asking what data type should you use to store these values,
> I'm using the .NET Int64 type in my library. Th
Did I state otherwise?
You are not reading my words - you are being blinded by the noise from
your own head.
What I stated is this;
I authenticate my VB.NET web browser via PIN etc
THIS means my browser is authenticated.
If I try to access a page via the program with a TCP Client - I have
to
On Wed, Jul 1, 2009 at 07:00, Obrzut wrote:
> The library is faulty. It does not process leading zero pins.
>
> The OAuth implementation is stupid - because it does not authenticate
> a program but a TCP method.
>
> Hence, you guys are s off the mark here it hurts me to talk to
> you.
>
> Rea
I do not feel you've made a mountain out of a mole hill here. This
topic has been on my mind since I first encountered oAuth. I haven't
seen any open source apps use oAuth yet.
We have an open source application called Application X. The
potential risk is that Application X becomes widely adop
2009/7/1 Obrzut :
>
> Did I state otherwise?
>
> You are not reading my words - you are being blinded by the noise from
> your own head.
>
> What I stated is this;
>
> I authenticate my VB.NET web browser via PIN etc
>
> THIS means my browser is authenticated.
>
> If I try to access a page via the
If you check out the OAuth Core Abstract, Section 4
(http://oauth.net/core/1.0#anchor4) states it pretty plainly:
"Service Providers SHOULD NOT rely on the Consumer Secret as a method
to verify the Consumer identity, unless the Consumer Secret is known
to be inaccessible to anyone other than the
The secret should not reside in code. The secret should reside in a
config file, or maybe even a machine datastore. Abstract it out, no
one ever needs to see anything secret in your code.
Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This ema
The worst that happens if you publish the consumer tokens in an
open source app is someone malicious uses it to abuse Twitter and the
consumer token gets banned. At which point you regenerate a new one
and push a new version of the app. The cycle may or may not start
again depending on the malicious
Obrzut:
My application does exactly what you say is impossible. The user
authenticates via the web browser, then my desktop application
completes the process using the six-digit PIN.
There's no need to "fix" any XML that comes from Twitter, and there's
no need to process any HTML from a web page
That's not correct. Updates posted to Twitter via Basic Auth always
appear with a source of "From Web" (unless the application in question
was "grandfathered in"). Otherwise, it's not possible to impersonate
another application via Basic Auth.
On Jul 1, 9:34 am, Abraham Williams <4bra...@gmail.
True. But I'm pretty sure that there are more active grandfathered
sources than OAuth sources. And it takes nothing to create a new OAuth
application that has the same source as an existing OAuth application
but with only a slightly different name.
Abraham
On Wed, Jul 1, 2009 at 08:39, DWRoeland
True, but none of that addresses the central points that I'm trying to
make:
1. The OAuth Core documentation says that providers should not rely on
the Consumer Secret to identify consumers.
2. Twitter's implementation of OAuth appears to do exactly what the
OAuth Core documentation says not to d
Might sorta work on webapps, or maybe desktop compiled code (assuming
the config is compiled in at build time), but that doesn't help for
desktop apps written in interpreted langs, where all source code and
configs would be easily viewable (although I could imagine some
initial setup stuff where i
Andrew,
The Consumer Secret is the key that has to be associated with my
application so that it can authenticate to Twitter. Regardless of how
I distribute it, I still have to distribute it with the source code in
order for the source code to work.
No amount of abstraction will prevent someone
> The secret should not reside in code. The secret should reside in a
> config file, or maybe even a machine datastore. Abstract it out, no
> one ever needs to see anything secret in your code.
That's not workable. It has to be publicly accessible somehow.
--
---
Yes, but don't distribute it. Obviously config files are human
readable, but you blank out secrets before publishing them.
People using open source libraries will have to get their own keys.
So, either you really are contributing in the spirit of open source,
and you don't care about getting cred
Hi Arnaud,
That option during application creation is really more trouble
than it is worth. Right now applications that have that option checked
include an extra sentence to tell users the application will be using
twitter for login, that's all. In the future we may restrict the /
oau
> Yes, but don't distribute it. Obviously config files are human
> readable, but you blank out secrets before publishing them.
>
> People using open source libraries will have to get their own keys.
> So, either you really are contributing in the spirit of open source,
> and you don't care about
There's a difference between sending out an open source library and an open
source APPLICATION, which requires a key be used for identification and
source.
On Wed, Jul 1, 2009 at 08:48, Andrew Badera wrote:
>
> Yes, but don't distribute it. Obviously config files are human
> readable, but you bl
Andrew,
I'm not talking about a -library-. I'm talking about a -client-. If
I want to produce a Twitter client, it needs its own Consumer Key and
Consumer Key Secret. If I want to share the source code for that
client, I will also have to share its Consumer Key and Consumer Key
Secret.
You see
> The worst that happens if you publish the consumer tokens in an
> open source app is someone malicious uses it to abuse Twitter and the
> consumer token gets banned. At which point you regenerate a new one
> and push a new version of the app. The cycle may or may not start
> again depending on the
Not what I said in the least, but it's interesting that you should
interpret it that way.
Re-read what I said.
If someone is open sourcing something, in the true spirit of open
source, they shouldn't care about getting credit in the source
parameter.
Thank you and good night, I'm here all week
> Not what I said in the least, but it's interesting that you should
> interpret it that way.
>
> Re-read what I said.
>
> If someone is open sourcing something, in the true spirit of open
> source, they shouldn't care about getting credit in the source
> parameter.
Tell that to Richard Stallma
Andrew,
This isn't about credit in the source parameter. It's about
application security.
Twitter has stated that Basic Auth will eventually be deprecated.
OAuth will eventually be the only method of authentication available.
When that happens, developers of open source clients will be forced t
On Jul 1, 2009, at 5:10 AM, Philip Plante wrote:
I do not feel you've made a mountain out of a mole hill here. This
topic has been on my mind since I first encountered oAuth. I haven't
seen any open source apps use oAuth yet.
We have an open source application called Application X. The
po
No one's snarking, but again, interesting you would interpret it that way.
Open source all you want, each person deploying an instance will have
to get their own keys. What's so tough about that?
On Wed, Jul 1, 2009 at 11:07 AM, DWRoelands wrote:
>
> Andrew,
>
> This isn't about credit in the
Wow, so that's what our development list (and Stallman's name) have
come to. Please don't make me close this thread. Let's keep it
friendly and focused.
— Matt
On Jul 1, 2009, at 8:01 AM, Cameron Kaiser wrote:
Not what I said in the least, but it's interesting that you should
interpret
Amen and thank you Matt.
On Wed, Jul 1, 2009 at 11:09 AM, Matt Sanford wrote:
>
>
> On Jul 1, 2009, at 5:10 AM, Philip Plante wrote:
>
>>
>> I do not feel you've made a mountain out of a mole hill here. This
>> topic has been on my mind since I first encountered oAuth. I haven't
>> seen any op
If you force datatyping to alpha, six chars, this will be a nonproblem
Sent from my iPhone
On Jul 1, 2009, at 8:00 AM, Obrzut wrote:
>
> Did I state otherwise?
>
> You are not reading my words - you are being blinded by the noise from
> your own head.
>
> What I stated is this;
>
> I authentic
A technical solution I see working is a modified PIN flow where
instead of a 6 digit PIN the user gets a 20 character token that acts
as consumer token. No harder than using PIN flow but each desktop
install would have a unique consumer sub token that could still be
tied into the global consumer t
Sounds like the assumption is that part of the keypair is in the
source. That is clearly a bad idea ... The software should only
provide for processes and not ever content
Sent from my iPhone
On Jul 1, 2009, at 11:10 AM, Andrew Badera wrote:
No one's snarking, but again, interesting y
Nancy,
You're right - it is a bad idea. However, it appears to be the only
option that Twitter has left to open-source developers who wish to
implement OAuth. There doesn't seem to be any way around distributing
my application's Consumer Key Secret.
Regards,
Duane
On Jul 1, 11:17 am, Nancy M
The problem is that by everyone getting their own consumer keys, the source
parameter will be different for every person. Now, I'm not interested in
getting my name in lights in the Twitter world -- I could honestly care
less. That said, if I'm going to spend a significant portion of my time
creati
But that's the choice you're forced to make by OAuth, not Twitter. And
it is YOUR choice. Personally, I would probably use the conventional
mechanisms of open source: mailing lists, special interest and user
groups. Pound the pavement and promote yourself. Who said it was going
to be "easy"?
On
Actually, since Twitter has said that Basic Auth will eventually go
away, OAuth is going to be the only choice for authentication.
Twitter has forced the choice by implementing OAuth in the way that
they did.
Why should a user who chooses to support open source by using an open-
source Twitter cl
How difficult is it to, as part of the build, check for a key file, if
it doesn't exist, go to Twitter and do the stuff to get the tokens,
parse the tokens and save in the key file, and then continue on with
the build. Seems easy enuff.
-- Bruce
Sent from my iPhone
On Jul 1, 2009, at 8:23
Hello again,
I do not recommend having individual end users register for
consumer keys/secrets [1] under any circumstances. So, with that out
of the way, let us focus the discussion a bit more. What can we change
about OAuth that would make this better? A complete technical [2][3]
di
I'm not sure that Twitter exposes any API or web service that allows
you to programmatically register a new application (which you need to
do to receive the Consumer Key and Consumer Key Secret).
Even if you could, that still requires the end user to compile the
source with a modified build proces
I think this got lost under all the mess:
On Wed, Jul 1, 2009 at 10:15, Abraham Williams<4bra...@gmail.com> wrote:
> A technical solution I see working is a modified PIN flow where
> instead of a 6 digit PIN the user gets a 20 character token that acts
> as consumer token. No harder than using PI
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
DWRoelands wrote:
> Obrzut:
> My application does exactly what you say is impossible. The user
> authenticates via the web browser, then my desktop application
> completes the process using the six-digit PIN.
>
> There's no need to "fix" any XML tha
Mark,
Thanks for weighing in. Much appreciated. Here are my thoughts.
I see two separate issues here: User Authentication vs. Application
Authentication.
User Authentication: Ensuring that the Twitter user is who they say
they are.
Application Authentication: Ensuring that the Application is
I'm still not sure I understand the option. Is there any reason why
someone would choose NOT to check this box currently?
Also, if you are in the process of redesigning the auth page, could I
make a request:
Could there be a super-lightweight version for mobile? No images, no
scripts, i
Hi there,
A mobile version does not exist but it's on the roadmap.
— Matt
On Jul 1, 2009, at 10:21 AM, Isaiah Carew wrote:
I'm still not sure I understand the option. Is there any reason why
someone would choose NOT to check this box currently?
Also, if you are in the process of re
Matt,
Thanks for weighing in and hopefully taming this snarl. As the person
who might have posed the question originally, I figured I at least
owed a bit of constructive critique.
What can we change about OAuth that would make this better?
1) User experience - it's been echoed a number
Super!
Thanks,
Isaiah
YourHead Software
supp...@yourhead.com
http://www.yourhead.com
On Jul 1, 2009, at 10:23 AM, Matt Sanford wrote:
Hi there,
A mobile version does not exist but it's on the roadmap.
— Matt
On Jul 1, 2009, at 10:21 AM, Isaiah Carew wrote:
I'm still not sure I un
On a completely separate note, your website is stunning, did you
design it yourself? If not may I ask who were your designers.
All the best
Neil
http://www.peepwl.com
On 1 Jul 2009, at 20:22, Support wrote:
>
> Matt,
>
> Thanks for weighing in and hopefully taming this snarl. As the
> perso
On Jul 1, 2009, at 10:17 AM, DWRoelands wrote:
Mark,
Thanks for weighing in. Much appreciated. Here are my thoughts.
I see two separate issues here: User Authentication vs. Application
Authentication.
User Authentication: Ensuring that the Twitter user is who they say
they are.
Applicati
yep, just me,
thanks,
isaiah
p.s. subject changed to protect the on-topic folks. @isaiah for
more. ;-)
On Jul 1, 2009, at 12:27 PM, Neil Ellis wrote:
On a completely separate note, your website is stunning, did you
design it yourself? If not may I ask who were your designers.
All the
I'm using the API and am trying to search for stocktwits (those tweets
which contain the string "$$" or "$" followed by a ticker symbol). I
can easily search for "$aapl" for example, and it works fine. But if I
search for "$$" the API never returns any results, so I must be
searching for it incorr
Hi Ryan,
The search.twitter.com system does not support $$ or a wild-card
for all stock symbols.
Thanks;
– Matt Sanford / @mzsanford
Twitter Dev
On Jul 1, 2009, at 1:49 PM, Ryan wrote:
I'm using the API and am trying to search for stocktwits (those tweets
which contain the stri
Yep my mistake, will contact you off line.
On 1 Jul 2009, at 20:38, Isaiah Carew wrote:
yep, just me,
thanks,
isaiah
p.s. subject changed to protect the on-topic folks. @isaiah for
more. ;-)
On Jul 1, 2009, at 12:27 PM, Neil Ellis wrote:
On a completely separate note, your website is
Hope this is not out of line, but this list has been pretty busy
lately in traffic, and I am looking for a little hand holding on tweet
threading... so bump :)
On Jun 30, 2009, at 3:53 PM, Scott Haneda wrote:
I am finding near all apps I use with twitter in some way or another
fail at t
Thanks
On Jun 29, 3:10 am, Abraham Williams <4bra...@gmail.com> wrote:
> Pretty much.
> Use http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-users%C2%A0show
> to get all their profile info.
>
>
>
> On Sat, Jun 27, 2009 at 09:11, Slicey wrote:
>
> > I'm building a site which allows a user to
Has there been any update or advance on how to keep Profile Images up
to date? They're driving me nuts, especially with the Iran green-
overlay nonsense.
-fs
On May 22, 12:36 pm, Ollie Parsley wrote:
> Haven't figured out caching yet. That's on the agenda after a weekend
> break :)
>
> Ollie
>
Hello everyone
In my application I am trying to pull an XML dataset using the following link
http://search.twitter.com/search.atom?lang=en&rpp=150&q=+google
The problem is I can't get more than 100 results in the tables even though
I have given 150 rpp. Can someone please explain why that is?
thanks
--
Ra
Thanks for your reply guys, I managed to do it using the Published field in XML
results.
I have another problem if you guys can help me there.
In my application I am trying to pull an XML dataset using the following link
http://search.twitter.com/search.atom?lang=en&rpp=150&q=+google
Problem is I can't get mo
Hello,
The maximum allowed value is 100. Check out the documentation at
http://apiwiki.twitter.com/Twitter-Search-API-Method%3A-search
Thanks;
— Matt Sanford / @mzsanford
On Jul 1, 2009, at 6:19 PM, Mehroz Raza wrote:
Thanks for your reply guys, I managed to do it using the Published field in
If you look at: http://apiwiki.twitter.com/Twitter-Search-API-Method%3A-search
You will find that rpp only supports up to 100.
Abraham
On Wed, Jul 1, 2009 at 20:17, Raza wrote:
>
> Hello everyone
> In my application I am trying to pull an XML dataset using the following link
>
> http://search.twitter.c
I saw on the API documentation the daily limit is 1000 per day. But it seems
it's lower than that. Is it a %age based limit?
Thanks
Nayeem
Ok, great. I'll let it check, so.
By the way, OAuth is working like a charm here. Great job you did
there! I'm happy to have finally switched to it.
All the best,
Arnaud.
On Jul 1, 4:50 pm, Matt Sanford wrote:
> Hi Arnaud,
>
> That option during application creation is really more trouble
Take a look at the app I'm working on, Twitoaster: http://twitoaster.com
The threading part is not that hard. Recursive function jumping from
parents to parents.
You should use the getMentions method, instead of hitting the search
API. You'll get the full object that way, so you won't have to use t
I was wondering how you get over the API limit doing this, I would
imagine you would hit it almost straight away (10 statuses with 10
replies would do it) as every reply will require a recursive status
request for every parent status?
Whitelisting helps a lot:
http://apiwiki.twitter.com/FAQ#IkeephittingtheratelimitHowdoIgetmorerequestsperhour
On Thu, Jul 2, 2009 at 01:11, Coderanger wrote:
>
> I was wondering how you get over the API limit doing this, I would
> imagine you would hit it almost straight away (10 statuses with 10
Hi All,
Call back URL working fine if user allow to connect the
application, but callback url not working if user deny the
application.
How do I achieve this ?
-rag
The limits have not changed. We enforce the limits within hour intervals.
Could the behavior you witnessed be explained by this enforcement policy?
Thanks,
Doug
On Wed, Jul 1, 2009 at 8:10 PM, Developer In London
wrote:
> I saw on the API documentation the daily limit is 1000 per day. But it
>
If a user denies an OAuth application Twitter currently does not return
the user to the application or callback. There is no way to change
this.
Abraham
On Thu, Jul 2, 2009 at 01:30, rag twitter wrote:
>
> Hi All,
>
> Call back URL working fine if user allow to connect the
> application,
72 matches