[twitter-dev] Re: Twitter4J 2.0.8-SNAPSHOT available - supports OAuth1.0a / PIN-based authentication
I'm not sure what to do with the PIN. I didn't see a clear place to add it (figured in the RequestToken, before calling for AccessToken). I grabbed the SNAPSHOT source, as well, and followed code through to HttpClient.getOAuthAccessToken. I'm guessing the pin should get added there as a POST param?

On Jun 10, 10:10 am, Yusuke Yamamoto yus...@mac.com wrote:

Hi all,

A snapshot build of Twitter4J 2.0.8 is available.
http://yusuke.homeip.net/hudson/job/Twitter4J/212/net.homeip.yusuke$t...
http://yusuke.homeip.net/maven2/net/homeip/yusuke/twitter4j/2.0.8-SNA...

This version supports PIN-based authentication shipped with OAuth1.0a.
http://groups.google.com/group/twitter-api-announce/browse_frm/thread...

There's no impact with OAuth1.0a on existing browser clients. But desktop clients using Twitter4J with OAuth authentication need to migrate to this version immediately in order to allow users to input pin upon Access Token retrieval.

This is a snapshot build, however existing automated test cases passed successfully and it should be stable enough to put in production environments. Twitter4J 2.0.8 will be generally available in the maven central repository in a few days with small bug fixes.

Thanks,
--
Yusuke Yamamoto
yus...@mac.com
this email is: [x] bloggable/twittable [ ] ask first [ ] private
follow me on : http://twitter.com/yusukeyamamoto
subscribe me : http://yusuke.homeip.net/blog/
[twitter-dev] Re: Twitter4J 2.0.8-SNAPSHOT available - supports OAuth1.0a / PIN-based authentication
Hi,

Yes, pin should be passed to the API as a post param. The *get* part of the method name *get*OAuthAccessToken() doesn't indicate that it uses GET method internally. It actually uses POST method to retrieve access tokens.

see also: http://yusuke.homeip.net/twitter4j/en/javadoc/twitter4j/Twitter.html#getOAuthAccessToken(java.lang.String,%20java.lang.String,%20java.lang.String)

Cheers,
Yusuke

On Jul 4, 3:08 PM, alien9 alienjazz...@gmail.com wrote:

I'm not sure what to do with the PIN. I didn't see a clear place to add it (figured in the RequestToken, before calling for AccessToken). I grabbed the SNAPSHOT source, as well, and followed code through to HttpClient.getOAuthAccessToken. I'm guessing the pin should get added there as a POST param?
[twitter-dev] Re: Twitter4J 2.0.8-SNAPSHOT available - supports OAuth1.0a / PIN-based authentication
I see it now. I was looking at some other example, which actually used requestToken.getAccessToken( ), and figured your PIN modifications would occur there. Then I just grepped for 'pin' in your code, found Twitter.getOAuthAccessToken(RequestToken, pin), and that works just fine :)

Awesome. Thank you!! Congrats on baby too (saw your tweets :)

On Jul 3, 11:30 pm, H12山本 裕介 yus...@mac.com wrote:

Hi,

Yes, pin should be passed to the API as a post param. The *get* part of the method name *get*OAuthAccessToken() doesn't indicate that it uses GET method internally. It actually uses POST method to retrieve access tokens.

see also: http://yusuke.homeip.net/twitter4j/en/javadoc/twitter4j/Twitter.html#...)

Cheers,
Yusuke
[twitter-dev] Re: Security Best Practices
Hint: This isn't a dilemma for only open source developers. It's a real and serious problem for any application whose code (source or object) is accessible to anyone other than the application developer, i.e., any application that the user installs.

It should take all of, what, a day, to create a list of the top 10 desktop Twitter apps and their corresponding consumer key and secret.

It's all fun and games until someone discloses a secret. Then, it's just fun ...

On 7/1/09 9:32 AM, Andrew Badera wrote:

The secret should not reside in code. The secret should reside in a config file, or maybe even a machine datastore. Abstract it out, no one ever needs to see anything secret in your code.

Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This email is: [ ] bloggable [x] ask first [ ] private

On Wed, Jul 1, 2009 at 9:25 AM, DWRoelands duane.roela...@gmail.com wrote:

If you check out the OAuth Core Abstract, Section 4 (http://oauth.net/core/1.0#anchor4) states it pretty plainly:

"Service Providers SHOULD NOT rely on the Consumer Secret as a method to verify the Consumer identity, unless the Consumer Secret is known to be inaccessible to anyone other than the Consumer and the Service Provider."

This is exactly what Twitter has done with the Consumer Secret; they rely on it to verify the Consumer identity.

This is a thorny dilemma for open source developers. There's no way to share the source code without compromising your application's security, because you've got to include the Consumer Key Secret in the source. You can obfuscate and encrypt, but a malicious actor with access to the source code can simply step through the code until the Consumer Secret is exposed in plain text.

In any event, what's done is done, and Twitter certainly isn't going to abandon OAuth at this point. But opening the source of my Twitter client seems to be out of the question if I want to use OAuth.

On Jul 1, 8:10 am, Philip Plante pplante@gmail.com wrote:

I do not feel you've made a mountain out of a mole hill here. This topic has been on my mind since I first encountered oAuth. I haven't seen any open source apps use oAuth yet.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Security Best Practices
I haven't done much real desktop OAuth, mostly web ... but can't you simply proxy the request through your own server, and keep the secret on your server, serving client requests centrally?

Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This email is: [ ] bloggable [x] ask first [ ] private

On Sat, Jul 4, 2009 at 4:56 AM, Dossy Shiobara do...@panoptic.com wrote:

Hint: This isn't a dilemma for only open source developers. It's a real and serious problem for any application whose code (source or object) is accessible to anyone other than the application developer, i.e., any application that the user installs.

It should take all of, what, a day, to create a list of the top 10 desktop Twitter apps and their corresponding consumer key and secret.

It's all fun and games until someone discloses a secret. Then, it's just fun ...
[twitter-dev] API to follow user
Hi, Is there an API to follow/unfollow the user ? Thanks, --rag
[twitter-dev] Re: API to follow user
Hi,

Yes.

friendships/create http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-friendships%C2%A0create
friendships/destroy http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-friendships%C2%A0destroy
friendships/exists http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-friendships-exists
friendships/show http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-friendships-show

I am using these in http://groups.twollo.com/

Paul

2009/7/4 rag twitter rag.twit...@gmail.com

Hi, Is there an API to follow/unfollow the user ? Thanks, --rag
[twitter-dev] Re: API to follow user
hmm this is too fast, thanks. Will check that. Thanks Again :)

--rag

On Sat, Jul 4, 2009 at 3:32 PM, Paul Kinlan paul.kin...@gmail.com wrote:

Hi,

Yes.

friendships/create http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-friendships%C2%A0create
friendships/destroy http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-friendships%C2%A0destroy
friendships/exists http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-friendships-exists
friendships/show http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-friendships-show

I am using these in http://groups.twollo.com/

Paul

2009/7/4 rag twitter rag.twit...@gmail.com

Hi, Is there an API to follow/unfollow the user ? Thanks, --rag
[twitter-dev] Re: Security Best Practices
That's certainly a technical possibility. But I've got to create an authentication scheme for the users to log into my proxy. Then I have to set up hosting. Then I have to write a second application to handle the requests from my client and send the responses back. So "simply" is not an accurate characterization of what's required.

Furthermore, it burdens the users with additional steps (authenticating to the proxy) that users of closed-source applications don't have to do.

For my project, individual developers will simply have to register for their own tokens with Twitter. When I package binaries for end-user distribution, I'll compile the official keys into the app. It's not a great solution, but it will have to do.

On Sat, Jul 4, 2009 at 5:30 AM, Andrew Badera and...@badera.us wrote:

I haven't done much real desktop OAuth, mostly web ... but can't you simply proxy the request through your own server, and keep the secret on your server, serving client requests centrally?
[twitter-dev] Retrieving a list of followers and/or friends for an arbitrary user...
I can get a list of followers/friends for the current authenticated user, but I can't figure out how to do it for an arbitrary user. Does the API allow this? You can definitely do it even without being authenticated on the Twitter web site.
[twitter-dev] Re: place to discuss business of twitter apps
Count me in too. My web host shut me down because I was putting too much demand on the CPU. Now I've got to start making money from my app!

On Jul 3, 8:00 am, João Pereira joaomiguel.pere...@gmail.com wrote:

I'm also interested in discussing these things. Let me know if you find something.

On Fri, Jul 3, 2009 at 12:12 PM, Chris Prakoso brajamu...@gmail.com wrote:

Peter, count me in.

Chris

On Thu, Jul 2, 2009 at 11:49 PM, Peter Denton petermden...@gmail.com wrote:

Hey friends

Does anyone have a space we can ask questions about the business of twitter apps? For example, if I have questions/concerns/theories about being in the business of building twitter apps, anyone know where to do this? I usually ask jazzychad 20-30 questions a day, but he hired a mod to filter my emails, so the response rate is getting too low.

-Peter

--
João Miguel Pereira
http://jpereira.eu
LinkedIn: http://www.linkedin.com/in/joaomiguelpereira
joaomiguel.pere...@gmail.com
(351) 96 275 68 58
[twitter-dev] Re: Retrieving a list of followers and/or friends for an arbitrary user...
Yes, you can fetch the list of followers and friends of any arbitrary user, see the link: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-followers%C2%A0ids

On Sat, Jul 4, 2009 at 4:27 PM, kmslogic kmslo...@gmail.com wrote:

I can get a list of followers/friends for the current authenticated user, but I can't figure out how to do it for an arbitrary user. Does the API allow this? You can definitely do it even without being authenticated on the Twitter web site.
[twitter-dev] Re: place to discuss business of twitter apps
You asked for it. Now you have it.

http://groups.google.com/group/twitter-business-talk

Regards,
Dean Collins
Cognation Inc
d...@cognation.net
+1-212-203-4357 New York
+61-2-9016-5642 (Sydney in-dial).
+44-20-3129-6001 (London in-dial).

-Original Message-
From: twitter-development-talk@googlegroups.com [mailto:twitter-development-t...@googlegroups.com] On Behalf Of davidzimm
Sent: Saturday, July 04, 2009 9:40 AM
To: Twitter Development Talk
Subject: [twitter-dev] Re: place to discuss business of twitter apps

Count me in too. My web host shut me down because I was putting too much demand on the CPU. Now I've got to start making money from my app!
[twitter-dev] Re: Retrieving a list of followers and/or friends for an arbitrary user...
Perfect! Somehow the social graph section that friends/ids and followers/ids were in threw me and I didn't even check there (also there is another method to pull the list from the current authenticated user which is weird)
[twitter-dev] oAuth company name
Hey all, Not trying to ask the team an annoying question, but is there anything to keep me from typing in Microsoft Corp to company name in oAuth for an application registration? Someone asked me this and I thought I would ask the group. Is there going to be a validated account badge for apps? Thanks Peter
[twitter-dev] Re: oAuth company name
i think the only thing that would keep you would be a sternly-worded letter from Microsoft's legal team to both you and Twitter.

On Sat, Jul 4, 2009 at 16:08, Peter Denton petermden...@gmail.com wrote:

Hey all, Not trying to ask the team an annoying question, but is there anything to keep me from typing in Microsoft Corp to company name in oAuth for an application registration? Someone asked me this and I thought I would ask the group. Is there going to be a validated account badge for apps? Thanks Peter

--
Internets. Serious business.
[twitter-dev] Re: Security Best Practices
On 7/4/09 5:30 AM, Andrew Badera wrote:

I haven't done much real desktop OAuth, mostly web ... but can't you simply proxy the request through your own server, and keep the secret on your server, serving client requests centrally?

Yes, yes you can - then you get to enjoy the Twitter rate limit issue and having to scale to accommodate concurrent sessions.

The beauty of desktop applications is the decentralized nature, using resources close to the user (as opposed to further away on a server). This means scaling per user is built in as the user brings their own resources.

OAuth's implicit requirement of funneling everything through a server in order to protect a secret is a defect in the design of OAuth, one that I've raised on the OAuth mailing lists to which I received the response of "well, that's not a problem OAuth is trying to solve."

In other words: EPIC FAIL.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
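Two points from the threads above, shown at the protocol level: the PIN travels in the access-token request as a POST parameter, and a valid signature only proves that the sender holds the consumer secret. This is an added example, not code from Twitter4J or from any poster; the endpoint URL, keys, tokens, nonces and timestamps are constructed placeholders, and `oauth_verifier` is the OAuth 1.0a parameter name for the PIN.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Placeholder endpoint and constructed credentials; none of these values is real.
ACCESS_TOKEN_URL = "https://api.example.test/oauth/access_token"
CONSUMER_KEY, CONSUMER_SECRET = "demo-consumer-key", "demo-consumer-secret"


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the signature base string, keyed by both secrets."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def access_token_request(consumer_secret, request_token, request_token_secret, pin, nonce, timestamp):
    """Client side: POST parameters that trade request token + PIN for an access token."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": request_token,
        "oauth_verifier": pin,  # the PIN typed in by the user, sent as a POST parameter
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_nonce": nonce,
        "oauth_timestamp": timestamp,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params, consumer_secret, request_token_secret)
    return params


def provider_accepts(params, token_secret):
    """Provider side: recompute the signature with the registered consumer secret."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign("POST", ACCESS_TOKEN_URL, unsigned, CONSUMER_SECRET, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def demo():
    """Return what the provider decides for four constructed requests."""
    official = access_token_request(CONSUMER_SECRET, "req-token-A", "req-secret-A", "7654321", "n1", "1246700000")
    # A different program holding the same consumer secret, as every installed
    # copy of a desktop application does, with its own request token.
    other = access_token_request(CONSUMER_SECRET, "req-token-B", "req-secret-B", "1112223", "n2", "1246700001")
    # A program that only knows the public consumer key.
    no_secret = access_token_request("guess", "req-token-C", "req-secret-C", "4445556", "n3", "1246700002")
    # The official request with the PIN altered after signing.
    tampered = dict(official, oauth_verifier="0000000")
    return {
        "official": provider_accepts(official, "req-secret-A"),
        "other_holder_of_secret": provider_accepts(other, "req-secret-B"),
        "without_secret": provider_accepts(no_secret, "req-secret-C"),
        "pin_changed_after_signing": provider_accepts(tampered, "req-secret-A"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The first two cases are indistinguishable to the provider, which is the situation the OAuth Core Section 4 sentence quoted earlier warns about; the signature still protects the PIN and the other parameters from modification in transit.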
[twitter-dev] Re: from API
This isn't a loophole. It's a documented function of posting the tweet source. It just so happens that 'web' is a valid source parameter.

On Jul 4, 4:42 am, Chad Etzel jazzyc...@gmail.com wrote:

Some clients don't even show the source... Tweetie for example.. There are a billion 3rd party applications out there, so I think if it says from API it won't betray their use of TweetLater. It just means that they're using not web ...so who cares?

On a related note, I doubt if Twitter will close the from web source key loophole because it would be an expensive operation to check and filter that for every tweet coming from the API. You could even spoof another application if you know their source key.

In any event, I like this change b/c I like tracking source stats, and this has given some interesting insight into non-sourced twitter client usage... which according to my cursory overview is a lot less than I was expecting.

Carry on,
-Chad

On Fri, Jul 3, 2009 at 12:17 PM, Dewald Pretorius dpr...@gmail.com wrote:

For me it is more a matter of user education. When you read the user comments on my blog, you will see there are a few who said they will stop using TweetLater if the tweets are labeled with from TweetLater.

There are one of two reasons for that: a) they are concerned about what their followers will think if they knew that not all tweets were sent live, or b) they are publishing pretty useless and perhaps spammy tweets.

To be honest, I wouldn't mind if the people in the b) category stopped using TweetLater. One of the comments pretty much summed it up for me: If you are providing your followers with something valuable they won’t care where the tweets are coming from.

On Jul 3, 12:44 pm, João Pereira joaomiguel.pere...@gmail.com wrote:

I think that those who don't want to identify their apps are building twitter spam apps :)

On Fri, Jul 3, 2009 at 4:40 PM, Dewald Pretorius dpr...@gmail.com wrote:

That's probably true, but I don't believe in trying to game Twitter. It's a very stupid strategy in the long run. If you want a Twitter application that fits into the Twitter ecosystem and will be around for a long time, the best strategy is to be a good and upstanding neighbor of Twitter.

On Jul 3, 12:29 pm, Chad Etzel jazzyc...@gmail.com wrote:

You could call your application web /snark

-chad

On Fri, Jul 3, 2009 at 11:08 AM, Abraham Williams 4bra...@gmail.com wrote:

I don't think so.

Abraham

On Fri, Jul 3, 2009 at 09:57, Dewald Pretorius dpr...@gmail.com wrote:

Abraham, Is this optional? Meaning, can one register an OAuth application and still not have a custom from on the tweets originating from that application?

On Jul 3, 11:44 am, Abraham Williams 4bra...@gmail.com wrote:

There is no approval process anymore. To have a custom from all you have to do is create an OAuth application.

Abraham

On Fri, Jul 3, 2009 at 09:40, shiplu shiplu@gmail.com wrote:

No doubt it will be closed. But from now on twitter should approve more applications. Cause many applications are using this from web and converted to from API. Soon they will apply for approval.

--
A K M Mokaddim
http://talk.cmyweb.net
http://twitter.com/shiplu
Stop Top Posting !!
Writing in Bangla is much better than writing in Banglish

--
Abraham Williams | Community Evangelist | http://web608.org
Hacker | http://abrah.am | http://twitter.com/abraham
Project | http://fireeagle.labs.poseurtech.com
This email is: [ ] blogable [x] ask first [ ] private.

--
João Miguel Pereira
http://jpereira.eu
LinkedIn: http://www.linkedin.com/in/joaomiguelpereira
joaomiguel.pere...@gmail.com
(351) 96 275 68 58