It seems as though revealing the Consumer Key and Consumer Key Secret
of my application would be a pretty serious security risk. Anyone
could write an application that impersonates mine, but they still
would need an authorized user's Token and Token Secret in order to
commit mischief.
What sort
So is this wrong if I save the image and user details locally (on our
server) ?
Also, how would it be possible to get the users profile pic at
http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-users%C2%A0show
using profile_image_url ?
At current it only returns _normal.jpg, which is set at
hmmm
On Jun 30, 10:45 pm, Abraham Williams 4bra...@gmail.com wrote:
Twitter has said in the past they are more than willing to take care
of the bandwidth for smaller applications but if you go huge they ask
you to look at local caching.
On Tue, Jun 30, 2009 at 08:12, Philip
Hello,
I’m using the oauth/authenticate method (one click login) and I was
wondering if I had to check the Use Twitter for login option in my
application options. The application is Browser based (using a
callback URL) .
I’m quite confused with this option as I don’t really understand what
it
Right - I am not scraping the PIN? I am using the web browser in .NET
(which is similar to Internet Explorer)
to authenticate via a pin and username / password credentials.
The only part of the workflow I do not follow is opening the URL in IE
- I open it in VB.NET Web Browser.
But - my user
You should use an unsigned 64 bit int for status and user ids to be
safe. IDs will never be negative, so a signed value is wasted space.
On Jul 1, 6:28 am, DWRoelands duane.roela...@gmail.com wrote:
If you're asking what data type should you use to store these values,
I'm using the .NET Int64
Did I state otherwise?
You are not reading my words - you are being blinded by the noise from
your own head.
What I stated is this;
I authenticate my VB.NET web browser via PIN etc
THIS means my browser is authenticated.
If I try to access a page via the program with a TCP Client - I have
to
On Wed, Jul 1, 2009 at 07:00, Obrzut sa...@peyoteuk.com wrote:
The library is faulty. It does not process leading zero pins.
The OAuth implementation is stupid - because it does not authenticate
a program but a TCP method.
Hence, you guys are s off the mark here it hurts me to talk to
I do not feel you've made a mountain out of a mole hill here. This
topic has been on my mind since I first encountered oAuth. I haven't
seen any open source apps use oAuth yet.
We have an open source application called Application X. The
potential risk is that Application X becomes widely
2009/7/1 Obrzut sa...@peyoteuk.com:
Did I state otherwise?
You are not reading my words - you are being blinded by the noise from
your own head.
What I stated is this;
I authenticate my VB.NET web browser via PIN etc
THIS means my browser is authenticated.
If I try to access a page
If you check out the OAuth Core Abstract, Section 4
(http://oauth.net/core/1.0#anchor4) states it pretty plainly:
Service Providers SHOULD NOT rely on the Consumer Secret as a method
to verify the Consumer identity, unless the Consumer Secret is known
to be inaccessible to anyone other than the
The secret should not reside in code. The secret should reside in a
config file, or maybe even a machine datastore. Abstract it out, no
one ever needs to see anything secret in your code.
Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This
Obrzut:
My application does exactly what you say is impossible. The user
authenticates via the web browser, then my desktop application
completes the process using the six-digit PIN.
There's no need to fix any XML that comes from Twitter, and there's
no need to process any HTML from a web page.
That's not correct. Updates posted to Twitter via Basic Auth always
appear with a source of From Web (unless the application in question
was grandfathered in). Otherwise, it's not possible to impersonate
another application via Basic Auth.
On Jul 1, 9:34 am, Abraham Williams 4bra...@gmail.com
True, but none of that addresses the central points that I'm trying to
make:
1. The OAuth Core documentation says that providers should not rely on
the Consumer Secret to identify consumers.
2. Twitter's implementation of OAuth appears to do exactly what the
OAuth Core documentation says not to
Might sorta work on webapps, or maybe desktop compiled code (assuming
the config is compiled in at build time), but that doesn't help for
desktop apps written in interpreted langs, where all source code and
configs would be easily viewable (although I could imagine some
initial setup stuff where
Andrew,
The Consumer Secret is the key that has to be associated with my
application so that it can authenticate to Twitter. Regardless of how
I distribute it, I still have to distribute it with the source code in
order for the source code to work.
No amount of abstraction will prevent someone
Hi Arnaud,
That option during application creation is really more trouble
than it is worth. Right now applications that have that option checked
include an extra sentence to tell users the application will be using
twitter for login, that's all. In the future we may restrict the /
Yes, but don't distribute it. Obviously config files are human
readable, but you blank out secrets before publishing them.
People using open source libraries will have to get their own keys.
So, either you really are contributing in the spirit of open source,
and you don't care about
Andrew,
I'm not talking about a -library-. I'm talking about a -client-. If
I want to produce a Twitter client, it needs its own Consumer Key and
Consumer Key Secret. If I want to share the source code for that
client, I will also have to share its Consumer Key and Consumer Key
Secret.
You
The worst that happens if you publish the consumer tokens in an
open source app is someone malicious uses it to abuse Twitter and the
consumer token gets banned. At which point you regenerate a new one
and push a new version of the app. The cycle may or may not start
again depending on the
Not what I said in the least, but it's interesting that you should
interpret it that way.
Re-read what I said.
If someone is open sourcing something, in the true spirit of open
source, they shouldn't care about getting credit in the source
parameter.
Thank you and good night, I'm here all
Not what I said in the least, but it's interesting that you should
interpret it that way.
Re-read what I said.
If someone is open sourcing something, in the true spirit of open
source, they shouldn't care about getting credit in the source
parameter.
Tell that to Richard Stallman.
--
Andrew,
This isn't about credit in the source parameter. It's about
application security.
Twitter has stated that Basic Auth will eventually be deprecated.
OAuth will eventually be the only method of authentication available.
When that happens, developers of open source clients will be forced
Amen and thank you Matt.
On Wed, Jul 1, 2009 at 11:09 AM, Matt Sanford m...@twitter.com wrote:
On Jul 1, 2009, at 5:10 AM, Philip Plante wrote:
I do not feel you've made a mountain out of a mole hill here. This
topic has been on my mind since I first encountered oAuth. I haven't
seen
If you force datatyping to alpha, six chars, this will be a nonproblem
Sent from my iPhone
On Jul 1, 2009, at 8:00 AM, Obrzut sa...@peyoteuk.com wrote:
Did I state otherwise?
You are not reading my words - you are being blinded by the noise from
your own head.
What I stated is this;
I
A technical solution I see working is a modified PIN flow where
instead of a 6 digit PIN the user gets a 20 character token that acts
as consumer token. No harder than using PIN flow but each desktop
install would have a unique consumer sub token that could still be
tied into the global consumer
Sounds like the assumption is that part of the keypair is in the
source. That is clearly a bad idea ... The software should only
provide for processes and not ever content
Sent from my iPhone
On Jul 1, 2009, at 11:10 AM, Andrew Badera and...@badera.us wrote:
No one's snarking, but
Nancy,
You're right - it is a bad idea. However, it appears to be the only
option that Twitter has left to open-source developers who wish to
implement OAuth. There doesn't seem to be any way around distributing
my application's Consumer Key Secret.
Regards,
Duane
On Jul 1, 11:17 am, Nancy
The problem is that by everyone getting their own consumer keys, the source
parameter will be different for every person. Now, I'm not interested in
getting my name in lights in the Twitter world -- I could honestly care
less. That said, if I'm going to spend a significant portion of my time
Actually, since Twitter has said that Basic Auth will eventually go
away, OAuth is going to be the only choice for authentication.
Twitter has forced the choice by implementing OAuth in the way that
they did.
Why should a user who chooses to support open source by using an open-
source Twitter
How difficult is it to, as part of the build, check for a key file, if
it doesn't exist, go to Twitter and do the stuff to get the tokens,
parse the tokens and save in the key file, and then continue on with
the build. Seems easy enuff.
-- Bruce
Sent from my iPhone
On Jul 1, 2009, at 8:23
Hello again,
I do not recommend having individual end users register for
consumer keys/secrets [1] under any circumstances. So, with that out
of the way, let us focus the discussion a bit more. What can we change
about OAuth that would make this better? A complete technical [2][3]
I'm not sure that Twitter exposes any API or web service that allows
you to programmatically register a new application (which you need to
do to receive the Consumer Key and Consumer Key Secret).
Even if you could, that still requires the end user to compile the
source with a modified build
I think this got lost under all the mess:
On Wed, Jul 1, 2009 at 10:15, Abraham Williams 4bra...@gmail.com wrote:
A technical solution I see working is a modified PIN flow where
instead of a 6 digit PIN the user gets a 20 character token that acts
as consumer token. No harder than using PIN
DWRoelands wrote:
Obrzut:
My application does exactly what you say is impossible. The user
authenticates via the web browser, then my desktop application
completes the process using the six-digit PIN.
There's no need to fix any XML that comes
Mark,
Thanks for weighing in. Much appreciated. Here are my thoughts.
I see two separate issues here: User Authentication vs. Application
Authentication.
User Authentication: Ensuring that the Twitter user is who they say
they are.
Application Authentication: Ensuring that the Application is
I'm still not sure I understand the option. Is there any reason why
someone would choose NOT to check this box currently?
Also, if you are in the process of redesigning the auth page, could I
make a request:
Could there be a super-lightweight version for mobile? No images, no
scripts,
Hi there,
A mobile version does not exist but it's on the roadmap.
— Matt
On Jul 1, 2009, at 10:21 AM, Isaiah Carew wrote:
I'm still not sure I understand the option. Is there any reason why
someone would choose NOT to check this box currently?
Also, if you are in the process of
Matt,
Thanks for weighing in and hopefully taming this snarl. As the person
who might have posed the question originally, I figured I at least
owed a bit of constructive critique.
What can we change about OAuth that would make this better?
1) User experience - it's been echoed a
Super!
Thanks,
Isaiah
YourHead Software
supp...@yourhead.com
http://www.yourhead.com
On Jul 1, 2009, at 10:23 AM, Matt Sanford wrote:
Hi there,
A mobile version does not exist but it's on the roadmap.
— Matt
On Jul 1, 2009, at 10:21 AM, Isaiah Carew wrote:
I'm still not sure I
On a completely separate note, your website is stunning, did you
design it yourself? If not may I ask who were your designers.
All the best
Neil
http://www.peepwl.com
On 1 Jul 2009, at 20:22, Support wrote:
Matt,
Thanks for weighing in and hopefully taming this snarl. As the
person
On Jul 1, 2009, at 10:17 AM, DWRoelands wrote:
Mark,
Thanks for weighing in. Much appreciated. Here are my thoughts.
I see two separate issues here: User Authentication vs. Application
Authentication.
User Authentication: Ensuring that the Twitter user is who they say
they are.
yep, just me,
thanks,
isaiah
p.s. subject changed to protect the on-topic folks. @isaiah for
more. ;-)
On Jul 1, 2009, at 12:27 PM, Neil Ellis wrote:
On a completely separate note, your website is stunning, did you
design it yourself? If not may I ask who were your designers.
All
I'm using the API and am trying to search for stocktwits (those tweets
which contain the string $$ or $ followed by a ticker symbol). I
can easily search for $aapl for example, and it works fine. But if I
search for $$ the API never returns any results, so I must be
searching for it incorrectly.
Hi Ryan,
The search.twitter.com system does not support $$ or a wild-card
for all stock symbols.
Thanks;
– Matt Sanford / @mzsanford
Twitter Dev
On Jul 1, 2009, at 1:49 PM, Ryan wrote:
I'm using the API and am trying to search for stocktwits (those tweets
which contain the
Yep my mistake, will contact you off line.
On 1 Jul 2009, at 20:38, Isaiah Carew wrote:
yep, just me,
thanks,
isaiah
p.s. subject changed to protect the on-topic folks. @isaiah for
more. ;-)
On Jul 1, 2009, at 12:27 PM, Neil Ellis wrote:
On a completely separate note, your website is
Hope this is not out of line, but this list has been pretty busy
lately in traffic, and I am looking for a little hand holding on tweet
threading... so bump :)
On Jun 30, 2009, at 3:53 PM, Scott Haneda wrote:
I am finding near all apps I use with twitter in some way or another
fail at
Thanks
On Jun 29, 3:10 am, Abraham Williams 4bra...@gmail.com wrote:
Pretty much.
Use http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-users%C2%A0show
to get all their profile info.
On Sat, Jun 27, 2009 at 09:11, Slicey sli...@live.co.uk wrote:
I'm building a site which allows a
Has there been any update or advance on how to keep Profile Images up
to date? They're driving me nuts, especially with the Iran green-
overlay nonsense.
-fs
On May 22, 12:36 pm, Ollie Parsley olliedud...@googlemail.com wrote:
Haven't figured out caching yet. That's on the agenda after a
Hello everyone
In my application I am trying to pull an XML dataset using the following link:
http://search.twitter.com/search.atom?lang=enrpp=150q=+google
The problem is I can't get more than 100 results in the tables even though
I have given 150 rpp. Can someone please explain why that is?
thanks
--
Thanks for your reply guys, I managed to do it using the Published field in the XML
results.
I have another problem, if you guys can help me there.
In my application I am trying to pull an XML dataset using the following link:
http://search.twitter.com/search.atom?lang=enrpp=150q=+google
The problem is I can't get
If you look at: http://apiwiki.twitter.com/Twitter-Search-API-Method%3A-search
You will find that rpp only supports up to 100.
Abraham
On Wed, Jul 1, 2009 at 20:17, Razamahrozer...@gmail.com wrote:
Hello everyone
In my application I am trying to pull an XML dataset using the following link
I saw on the API documentation the daily limit is 1000 per day. But it seems
it's lower than that. Is it a %age based limit?
Thanks
Nayeem
Ok, great. I'll let it check, so.
By the way, OAuth is working like a charm here. Great job you did
there! I'm happy to have finally switched to it.
All the best,
Arnaud.
On Jul 1, 4:50 pm, Matt Sanford m...@twitter.com wrote:
Hi Arnaud,
That option during application creation is
Take a look at the app I'm working on, Twitoaster: http://twitoaster.com
The threading part is not that hard. Recursive function jumping from
parents to parents.
You should use the getMentions method, instead of hitting the search
API. You'll get the full object that way, so you won't have to use