[twitter-dev] Re: Where Is the oauth_verifier ?
Me too.
On Sep 5, 6:34 am, vanleurth vanleu...@gmail.com wrote:
Hey all, I'm new to twitter development and am trying to get started. I'm using php. My basic problem is when the user gets redirected back to my app after authorizing my app on twitter, I don't get back the oauth_verifier. I do see the oauth_token in my GET parameter, but nothing else. Am I missing something? If there was an error, where can I see that? thanks, Please help, V.
-- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk?hl=en
[twitter-dev] Re: Where Is the oauth_verifier ?
Some old consumer key/secret can return oauth_token and oauth_verifier but new registered ones can only get oauth_token.
On Sep 5, 9:39 pm, @yegle cnye...@gmail.com wrote:
Me too.
On Sep 5, 6:34 am, vanleurth vanleu...@gmail.com wrote:
Hey all, I'm new to twitter development and am trying to get started. I'm using php. My basic problem is when the user gets redirected back to my app after authorizing my app on twitter, I don't get back the oauth_verifier. I do see the oauth_token in my GET parameter, but nothing else. Am I missing something? If there was an error, where can I see that? thanks, Please help, V.
[twitter-dev] Re: Where Is the oauth_verifier ?
Maybe I've found the solution http://code.google.com/p/twip/source/diff?spec=svn129r=129format=sidepath=/branches/yegle/include/OAuth.phpold_path=/branches/yegle/include/OAuth.phpold=110 Let me know if it helps :-)
On Sep 5, 10:12 pm, @yegle cnye...@gmail.com wrote:
Some old consumer key/secret can return oauth_token and oauth_verifier but new registered ones can only get oauth_token.
On Sep 5, 9:39 pm, @yegle cnye...@gmail.com wrote:
Me too.
On Sep 5, 6:34 am, vanleurth vanleu...@gmail.com wrote:
Hey all, I'm new to twitter development and am trying to get started. I'm using php. My basic problem is when the user gets redirected back to my app after authorizing my app on twitter, I don't get back the oauth_verifier. I do see the oauth_token in my GET parameter, but nothing else. Am I missing something? If there was an error, where can I see that? thanks, Please help, V.
[twitter-dev] What's the normal response of oauth/access_token?
Hi everyone, I'm writing an API proxy to work with twitter for iphone. When adding an account, twitter for iphone will send a request to oauth/access_token. I tried to fake the response by returning a fake access token, but failed. Twitter for iphone always tells me that Could not authenticate you. (XAuth migration failed - no token/secret handed back). Can anyone give me a hint? P.S. API proxy works between client and twitter.com, and redirects requests from client to twitter.com
[twitter-dev] Re: OAuth:a disaster for Chinese twitter users
There is no detailed information about xauth right now, but the WRAP specification did allow fetching an access token using username/password, which makes a proxy script possible. I think this is what xauth is about: get an access token using username/password and then do the rest using oauth. I'm still waiting for the approval of my request to try xauth, maybe I can figure out how to do this when I can try xauth myself :-)
On Feb 12, 5:40 pm, Jesse Stay jesses...@gmail.com wrote:
On Fri, Feb 12, 2010 at 2:40 AM, Brian Smith br...@briansmith.org wrote:
yegle wrote:
Basically, an API proxy script works as a middleman between twitter and twitter client, a little like a man-in-the-middle attack. It's possible to do this if the authentication is made in HTTP basic auth. But there is no way to do the same thing with OAuth. The base string of an OAuth request contains the domain of the HTTP request, so all client developers modify their code if they want to suit the need of API proxy. This is really a disaster for all Chinese twitter users.
Read Raffi's post from a few hours ago entitled What's up with OAuth? where he describes xAuth. Also, look at the OAuth WRAP draft specification, which defines something very similar to xAuth. In the (near) future, Twitter-approved applications will be able to get OAuth authorized with just the user's username and password, without forcing the user to visit the Twitter website. After they are authorized, they can proxy their requests like before. The proxies will undoubtedly need to be modified, but the modifications will not be too bad.
Brian, I thought that was the case originally, but after reading his latest draft, I'm thinking the opposite may be the case. I think xAuth requires all users to go through the Twitter website, but applications wanting to transfer authority to another application or website (via an API) will be able to make calls on behalf of those applications. In order for application-to-application transfer to occur though, I think users still have to go through the Twitter website to log in. Then an application can take that user's token, pass it onto the other application, and the other application can get permission from Twitter to make calls on behalf of that user. No usernames or passwords are passed in this method, if I understand it correctly. Raffi, please correct me if I'm wrong. If that's not the case, there is still a major concern for phishing. I'm not sure what the answer is here - it's China or phishing, tough decision. Jesse
[twitter-dev] Re: OAuth:a disaster for Chinese twitter users
Oh yes I forgot that HTTP proxy resolves the domain name at server side :-)
On Feb 12, 6:18 pm, Harshad RJ harshad...@gmail.com wrote:
On Fri, Feb 12, 2010 at 12:17 PM, yegle cnye...@gmail.com wrote:
Nope, it doesn't work :-( All DNS queries to twitter.com inside China are poisoned and all of twitter's available IPs are blocked.
Oh btw, I meant HTTPS proxies that sit outside the firewall. I assume that DNS queries for twitter.com would be run by the proxy server and not the client. (Tried to RTFM but still not very familiar with the protocol)
-- Harshad RJ http://hrj.wikidot.com
[twitter-dev] Re: OAuth:a disaster for Chinese twitter users
I read the WRAP draft. I have to say that it's much simpler than OAuth 1.0a. It doesn't need too much modification to twitter client to support API proxy, if xauth is widely available. Thank you all for your replies and concerns :-)
On Feb 12, 7:04 pm, yegle cnye...@gmail.com wrote:
Oh yes I forgot that HTTP proxy resolves the domain name at server side :-)
On Feb 12, 6:18 pm, Harshad RJ harshad...@gmail.com wrote:
On Fri, Feb 12, 2010 at 12:17 PM, yegle cnye...@gmail.com wrote:
Nope, it doesn't work :-( All DNS queries to twitter.com inside China are poisoned and all of twitter's available IPs are blocked.
Oh btw, I meant HTTPS proxies that sit outside the firewall. I assume that DNS queries for twitter.com would be run by the proxy server and not the client. (Tried to RTFM but still not very familiar with the protocol)
-- Harshad RJ http://hrj.wikidot.com
[twitter-dev] Re: What's up with OAuth?
Hi Raffi, Is xauth the same as the 5.3 Username and Password Profile in WRAP's specification?
On Feb 12, 11:18 am, Raffi Krikorian ra...@twitter.com wrote:
hi all. this is a long overdue e-mail, but i wanted to tease out some of the directions that Twitter is going with OAuth. i want to touch upon four topics: delegation, OAuth WRAP/2.0, username/password OAuth token exchange, and basic authentication deprecation.
*DELEGATION - OAuth Echo*
twitter users love posting media on third-party sites, and delegation in identity verification is one of the major hurdles for an OAuth-enabled twitter client to succeed. i started a series of blog posts around the following problem: You're an OAuth enabled Twitter client, and you've already authorized your user. Your user wants to use a media providing service like TwitPic. TwitPic, currently, asks for the username and password of your user so it can store the photo on behalf of the Twitter user. You don't have that username and password, so how do you give the ability to TwitPic to verify the identity of your user? check out the proposal for what we're calling OAuth Echo at http://mehack.com/OAuth-echo-delegation-in-identity-verificatio. please feel free to comment there, or on the twitter development talk mailing list http://groups.google.com/group/twitter-development-talk (or, even just reach out to me directly). i think this experiment in engaging the community around designing this security/identity workflow has been definitely a success, and i feel we're rapidly converging on a solution for identity verification delegation. in parallel, we're going to start the process to engage our media providers in the conversation as well, and we're hopeful we can move this forward quickly.
*OAUTH WRAP/2.0*
OAuth is evolving, and we at Twitter are keeping up with it. that being said, we're keeping our eyes on OAuth WRAP and OAuth 2.0 http://wiki.oauth.net/OAuth-WRAP. we like a lot about it:
- it requires the use of SSL;
- there is no custom signing mechanism -- you simply pass us a token, and that token is secured by SSL; and
- it formalizes a bunch of profiles that we've been actively thinking about (e.g. a username/password exchange)
in general, we really like WRAP/2.0 because it's just *so* easy to implement from the client side. there are no longer questions around creating the proper signature base string, etc. we're sure that developers will like it as well. we've started work on an internal implementation of OAuth WRAP and we envision that we'll simultaneously support both OAuth 1.0a and WRAP/2.0 for a while. our hope is to get WRAP out the door soon (and before we finally deprecate basic authentication).
*USERNAME/PASSWORD TO OAUTH TOKEN EXCHANGE - xAuth*
@rsarver and @noradio announced that we are going to support a mechanism where a username and a password can be directly exchanged for an OAuth token and secret -- we're calling this xAuth. if you've been watching the mailing list, Seesmic Look http://seesmic.com/look has been a beta partner in testing xAuth exchange (and @abraham has already detailed how it works http://the.hackerconundrum.com/2010/02/sneak-peek-at-twitters-browser...). because we're moving everybody off basic authentication, we originally envisioned this as a mechanism for developers to exchange all the username and passwords they have in their databases for OAuth tokens en masse. that's still one of our use cases. another use case is around environments where software can't bring up a web browser (e.g. set top boxes, game consoles, embedded devices). we want to support those as well. you're going to have to apply to get access to this exchange mechanism (by sending e-mail to a...@twitter.com), but, in general, all applications except web applications will get access. we feel that the xAuth exchange allows for the best mix of security and user experience for desktop and possibly mobile applications. web applications will simply have to use OAuth as it was designed, and send their users through the web flow.
*BASIC AUTHENTICATION DEPRECATION*
yup - it's still happening. we're targeting June 2010. everybody, including legacy applications, will have to move over. for those who are building new applications, use OAuth. save yourself the transition time later, and start thinking about it now. for those who have applications already out there, it would be really beneficial to start thinking about a migration path right now and we're here to help. if you need it, please feel free to reach out to us and we'll help you figure out what you need to do. to help entice you over, as you know:
- we have increased rate limits on api.twitter.com to those who are using OAuth (350 calls to the REST API per hour -- and increasing towards 1500/hour); and
- (as some of you are painfully aware) you can only set a source
[twitter-dev] OAuth:a disaster for Chinese twitter users
Hi all, This could be a long email. I read Raffi's post today, the original post is here: https://groups.google.com/group/twitter-development-talk/browse_thread/thread/c2c4963061422f28
I think the abandonment of HTTP basic auth would be a disaster for all Chinese twitter users. The gov of China runs a big censorship system called GFW. Wikipedia gives more information about GFW here: http://en.wikipedia.org/wiki/Golden_Shield_Project GFW blocked many websites like facebook, twitter, youtube, plurk and so on.
So how do Chinese users post tweets from a twitter client? We use a Twitter API proxy. A twitter API proxy is a simple script which redirects all POST and GET requests it receives to twitter.com. These scripts are written in PHP or Python, so they can be set up on a virtual host outside China or on GAE.
Basically, an API proxy script works as a middleman between twitter and twitter client, a little like a man-in-the-middle attack. It's possible to do this if the authentication is made in HTTP basic auth. But there is no way to do the same thing with OAuth. The base string of an OAuth request contains the domain of the HTTP request, so all client developers modify their code if they want to suit the need of API proxy. This is really a disaster for all Chinese twitter users.
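The host binding described in the message above, as an added example that is not part of the original post: it builds the OAuth 1.0a signature base string and HMAC-SHA1 signature as specified in RFC 5849 and shows that a signature computed over one host does not verify when the server recomputes it over its own URL. The host `proxy.example`, the keys, the token and the helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed sample values, not real credentials or endpoints from the thread.
TWITTER_URL = "http://twitter.com/statuses/update.json"
PROXY_URL = "http://proxy.example/statuses/update.json"
CONSUMER_SECRET = "consumer-secret-constructed"
TOKEN_SECRET = "token-secret-constructed"
PARAMS = {
    "oauth_consumer_key": "ck-constructed",
    "oauth_nonce": "n1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1265932800",
    "oauth_token": "tok-constructed",
    "oauth_version": "1.0",
    "status": "hello world",
}


def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay literal.
    return quote(str(value), safe="~")


def base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & base-string-URI & normalized parameters.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}[scheme]
    if parts.port and parts.port != default_port:
        host = "%s:%d" % (host, parts.port)
    base_uri = "%s://%s%s" % (scheme, host, parts.path or "/")
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with both secrets; the host is part of the signed text.
    key = "%s&%s" % (pct(consumer_secret), pct(token_secret))
    text = base_string(method, url, params)
    digest = hmac.new(key.encode(), text.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def server_accepts(method, server_url, params, signature):
    # The server recomputes the signature over the URL it is serving.
    expected = sign(method, server_url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(expected, signature)


def demo():
    # Client talks to twitter.com directly: signature matches.
    direct_sig = sign("POST", TWITTER_URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    direct = server_accepts("POST", TWITTER_URL, PARAMS, direct_sig)
    # Client signs for the middleman's host; the forwarded request is rejected.
    proxy_sig = sign("POST", PROXY_URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    via_proxy = server_accepts("POST", TWITTER_URL, PARAMS, proxy_sig)
    return direct, via_proxy


if __name__ == "__main__":
    print(base_string("POST", TWITTER_URL, PARAMS))
    print(demo())
```

With HTTP basic auth nothing in the credential depends on the request URL, which is why the same forwarding worked there.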
[twitter-dev] Re: OAuth:a disaster for Chinese twitter users
Yes, but not all clients support HTTPS proxy, especially mobile clients.
On Feb 12, 1:39 pm, Harshad RJ harshad...@gmail.com wrote:
Wouldn't a regular HTTPS proxy be sufficient?
On Fri, Feb 12, 2010 at 11:00 AM, yegle cnye...@gmail.com wrote:
Hi all, This could be a long email. I read Raffi's post today, the original post is here: https://groups.google.com/group/twitter-development-talk/browse_threa... I think the abandonment of HTTP basic auth would be a disaster for all Chinese twitter users. The gov of China runs a big censorship system called GFW. Wikipedia gives more information about GFW here: http://en.wikipedia.org/wiki/Golden_Shield_Project GFW blocked many websites like facebook, twitter, youtube, plurk and so on. So how do Chinese users post tweets from a twitter client? We use a Twitter API proxy. A twitter API proxy is a simple script which redirects all POST and GET requests it receives to twitter.com. These scripts are written in PHP or Python, so they can be set up on a virtual host outside China or on GAE. Basically, an API proxy script works as a middleman between twitter and twitter client, a little like a man-in-the-middle attack. It's possible to do this if the authentication is made in HTTP basic auth. But there is no way to do the same thing with OAuth. The base string of an OAuth request contains the domain of the HTTP request, so all client developers modify their code if they want to suit the need of API proxy. This is really a disaster for all Chinese twitter users.
-- Harshad RJ http://hrj.wikidot.com
[twitter-dev] Re: OAuth:a disaster for Chinese twitter users
Nope, it doesn't work :-( All DNS queries to twitter.com inside China are poisoned and all of twitter's available IPs are blocked. Anyway, HTTPS should be enabled or at least provided as an option :-)
On Feb 12, 2:38 pm, Harshad RJ harshad...@gmail.com wrote:
Made me realise that my app (tDash) should be using HTTPS for all API calls. Just made a new release now. Hoping that helps users behind a firewall.
On Fri, Feb 12, 2010 at 11:12 AM, yegle cnye...@gmail.com wrote:
Yes, but not all clients support HTTPS proxy, especially mobile clients.
On Feb 12, 1:39 pm, Harshad RJ harshad...@gmail.com wrote:
Wouldn't a regular HTTPS proxy be sufficient?
-- Harshad RJ http://hrj.wikidot.com
[twitter-dev] Re: OAuth:a disaster for Chinese twitter users
Hi Brian, Thank you, I just noticed the new OAuth specification. I'll read the specification first and see if there is any workaround available :-)
On Feb 12, 5:40 pm, Brian Smith br...@briansmith.org wrote:
yegle wrote:
Basically, an API proxy script works as a middleman between twitter and twitter client, a little like a man-in-the-middle attack. It's possible to do this if the authentication is made in HTTP basic auth. But there is no way to do the same thing with OAuth. The base string of an OAuth request contains the domain of the HTTP request, so all client developers modify their code if they want to suit the need of API proxy. This is really a disaster for all Chinese twitter users.
Read Raffi's post from a few hours ago entitled What's up with OAuth? where he describes xAuth. Also, look at the OAuth WRAP draft specification, which defines something very similar to xAuth. In the (near) future, Twitter-approved applications will be able to get OAuth authorized with just the user's username and password, without forcing the user to visit the Twitter website. After they are authorized, they can proxy their requests like before. The proxies will undoubtedly need to be modified, but the modifications will not be too bad.
- Brian
[twitter-dev] Re: How does twitter recognize @username in tweets?
Hi Dave, Thank you for your explanation :-) But I still want to know what regex twitter uses to recognize @username, because the regex used to recognize @username in dabr doesn't work exactly the same as twitter.com.
On Dec 2, 6:24 pm, Dave Sherohman d...@fishtwits.com wrote:
On Tue, Dec 01, 2009 at 07:14:25PM -0800, yegle wrote:
I have a saved search which is yegle -...@yegle to track tweets which intend to mention me, I found some tweets with the format described below can be found using yegle -...@yegle but also appear in my reply_timeline: Here is sometext and then w...@yegle (no space before the @ ) So my question is, what regex does twitter use to recognize @username in tweets?
You're imagining that this is being handled in a more complex (more intelligent?) way than it actually is. The search function operates on complete words only, with no special-case handling for @usernames. w...@yegle doesn't match @yegle for the same reason it doesn't match it: they're substrings embedded within the word, not the complete word.
-- Dave Sherohman
[twitter-dev] Re: How does twitter recognize @username in tweets?
But I still want to know what regex is used to determine whether a tweet mentioned someone, the regex used in dabr doesn't work exactly the same as twitter.com.
On Dec 2, 6:24 pm, Dave Sherohman d...@fishtwits.com wrote:
On Tue, Dec 01, 2009 at 07:14:25PM -0800, yegle wrote:
I have a saved search which is yegle -...@yegle to track tweets which intend to mention me, I found some tweets with the format described below can be found using yegle -...@yegle but also appear in my reply_timeline: Here is sometext and then w...@yegle (no space before the @ ) So my question is, what regex does twitter use torecogn...@username in tweets?
You're imagining that this is being handled in a more complex (more intelligent?) way than it actually is. The search function operates on complete words only, with no special-case handling for @usernames. w...@yegle doesn't match @yegle for the same reason it doesn't match it: they're substrings embedded within the word, not the complete word.
-- Dave Sherohman
[twitter-dev] Re: How does twitter recognize @username in tweets?
Thank you Dave, my mistake :-)
On Dec 2, 6:24 pm, Dave Sherohman d...@fishtwits.com wrote:
On Tue, Dec 01, 2009 at 07:14:25PM -0800, yegle wrote:
I have a saved search which is yegle -...@yegle to track tweets which intend to mention me, I found some tweets with the format described below can be found using yegle -...@yegle but also appear in my reply_timeline: Here is sometext and then w...@yegle (no space before the @ ) So my question is, what regex does twitter use torecogn...@username in tweets?
You're imagining that this is being handled in a more complex (more intelligent?) way than it actually is. The search function operates on complete words only, with no special-case handling for @usernames. w...@yegle doesn't match @yegle for the same reason it doesn't match it: they're substrings embedded within the word, not the complete word.
-- Dave Sherohman
[twitter-dev] How does twitter recognize @username in tweets?
Hi, I'm new here, and forgive me if someone has asked this question. I have a saved search which is yegle -...@yegle to track tweets which intend to mention me, I found some tweets with the format described below can be found using yegle -...@yegle but also appear in my reply_timeline: Here is sometext and then w...@yegle (no space before the @ ) So my question is, what regex does twitter use to recognize @username in tweets? If I search with -...@yegle, that means the search results won't have any tweets which don't mention me, right? And I think twitter should announce the regex so client developers can recognize @username just the same as twitter.com.