Hi Simon,
You've figured out all the right answers! Glad to hear. SignPost should work
fine for you with Twitter, but I'll just mention that it has some issues
with other services with stricter OAuth implementations.
Wish you luck in finding your way to OAuth, and we're here to help if you
get stuck along the way.
Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod
On Wed, Apr 28, 2010 at 4:32 PM, Simon simon.kitch...@airnz.co.nz wrote:
To reply to myself: I've figured most of this out now.
(1)
Yes, the app should be registered.
Log on to the twitter account that messages will be published to, then
go to dev.twitter.com/apps and add a new app.
(2)
When an app is defined by an account, the app is automatically added
to that account's connections.
(3)
No, xauth is not the right tool. On the app page (either just after
defining the app, or later by account settings | connections), the my
access token button will create an authentication (token, secret)
pair that can be used to authenticate the server app against the
account. The web-based authentication step is then unnecessary.
These auth tokes do not expire (unless you explicitly log onto the
account and revoke the token).
(4)
It looks like the signing is not too complicated, but also non-
trivial; oauth is simply more complex than basic auth. So using a lib
is probably the best solution. The Signpost project (google) appears
to have a nice small implementation.