Last week I finished converting my homebrew Twitter apps to OAuth.
There were four parts to this effort, one of which includes a significant
new piece of OAuth software.  I'll talk about each part in turn.


Part 0: Deciding to do it.  My apps are command-line based and call
Twitter using my equivalents of curl, called http_get and http_post.
These are simple command-line programs that make an HTTP call.  What
I needed was a simple command-line program to make an OAuth-signed HTTP
call.  Did that already exist?  Sort of - there was Marcel Molina's
twurl: http://github.com/marcel/twurl  Only problem is that it's written
in Ruby, which I do not have installed and am not really interested in
installing.  For those of us who want to stick with plain old C or
possibly C++, the only available OAuth code is liboauth:
http://liboauth.sourceforge.net/  This includes code to link with
libcurl and make signed HTTP calls.  It's pretty huge - 1.6 megabytes
of source.  I tried it anyway.  Unfortunately I couldn't get it to work
on my system.  So I was kind of stuck, and decided to roll my own.


Part 1: Generating OAuth signatures.  I figured that instead of writing
a program to make signed HTTP calls directly, I would write something
that generates the signature header, and then use that with my existing
HTTP callers.  I worked my way through RFC5849 for a few weeks and came
up with this, which is the main reason for this message:

    http://acme.com/software/oauth_sign/

There's both a library call and a command-line program.  Written in C,
20 KB of source, Berkeley-style license.  It interoperates with Twitter,
and I checked it for memory leaks - clean.  The only library it depends
on is OpenSSL's libcrypto, which should be present on any modern system.
If you try it, please let me know about any portability issues, for
example srandomdev() probably doesn't exist on non-FreeBSD systems.


Part 2: Getting OAuth tokens.  Once I had the signature generator
working, this part took about a day to set up.  You can see it here:
http://acme.com/twitter/ - one HTML/JavaScript page that calls
a few CGIs.  Feel free to run through the authorization process
if you like, and/or read the .js file.  Even though this was relatively
easy, I feel I should not have needed to do it.  Rather than making
every app developer write pretty much the same thing, Twitter should
provide, as an option, a generic authorization page that works for any app.
Given that, writing simple command-line Twitter apps would once again
be nice and easy.


Part 3: Adapting my apps to use the new code.  This part was trivial.
Where they used to call http_get/http_post, now they first call
oauth_sign and then pass the signature header to http_get/http_post.
It's literally just a couple extra lines of code.  However, my app's
consumer token & secret have to be built into the code, therefore I can
no longer distribute these apps for others to use.  Supposedly
Twitter has a solution in the works for open-source apps like this.
When that becomes available I'll check it out and see if it solves
this.
---
Jef

         Jef Poskanzer  j...@mail.acme.com  http://acme.com/jef/
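
The signing step described in Part 1 (RFC 5849 HMAC-SHA1), as an added Python example that is not part of the original message and is not the oauth_sign source. It assumes parameters fit in a dict (no repeated names) and that the URL is already in base form (lowercase scheme and host, no query string); all keys, secrets and the URL are constructed sample values.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Section 3.4.1: encode each name and value, sort, join with & and =.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Section 3.4.2: the HMAC key is both secrets joined by "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def auth_header(method, url, oauth, extra, consumer_secret, token_secret=""):
    # extra = query/body parameters: signed, but not sent in the header.
    sig = sign(method, url, {**oauth, **extra}, consumer_secret, token_secret)
    fields = sorted({**oauth, "oauth_signature": sig}.items())
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in fields)

def verify(method, url, params, claimed_sig, consumer_secret, token_secret=""):
    # Receiving side: recompute and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, claimed_sig)

# Constructed sample values, not real credentials.
OAUTH = {"oauth_consumer_key": "ck-constructed", "oauth_token": "tok-constructed",
         "oauth_nonce": "n0nce123", "oauth_timestamp": "1285000000",
         "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}
URL = "http://api.example.com/1/statuses/update.json"
BODY = {"status": "Hello, world & more!"}

if __name__ == "__main__":
    print(base_string("POST", URL, {**OAUTH, **BODY}))
    print(auth_header("POST", URL, OAUTH, BODY, "cs-constructed", "ts-constructed"))
```

The HMAC key in `sign` contains the consumer secret, so any program that signs requests itself has to carry that secret, which is the distribution problem raised in Part 3.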
