OAuth 1.0a was made for server-to-server authentication. It uses secrets
for the client, which would make your application vulnerable. So, no,
you should not use JavaScript for OAuth. Not before Twitter starts using
OAuth 2.0.

About the document you are referring to: there are three types of
streams: normal streams, user streams and site streams. In most cases
when the documentation refers to Streaming, it refers to the Normal
Streams (= filter, sample, firehose, etc).

There would be one more issue which requires mentioning: JavaScript's
"Same-origin policy". You can't make a request directly to the Twitter
API via JavaScript: you *will* need a proxy on your own server.

Tom



On 10/6/10 10:54 PM, Tim Bull wrote:
> Hi,
> 
> We are building an application client that is browser based.  We're
> very comfortable with using OAuth from our server side code and are
> using it fine with the REST API (users sign in, authenticate with
> Twitter, we store their access tokens and reuse as requested - at the
> moment we mimic the required Twitter API on our server and when a user
> does something like a POST, we call our stub, use their token to then
> make the call via OAuth to Twitter).
> 
> So far so good, but we'd like to implement User Streaming directly
> into the client side application.
> 
> I've been browsing the Twitter Development documentation and there's a
> couple of points I'd like clarification on:
> 
> * http://dev.twitter.com/pages/auth_overview says Streaming supports
> Basic and OAuth.
> 
> * http://dev.twitter.com/pages/user_streams says that the user streams
> supports OAuth only "HTTPS, OAuth and JSON only".  No problems here, I
> just raise it to point out the auth_overview doco is slightly out of
> date.
> 
> * http://dev.twitter.com/pages/oauth_libraries talks about a JS
> library but says "Javascript really shouldn't be used for OAuth 1.0A
> with respect to websites in web browsers. Ideally, you'll only use
> Javascript to perform OAuth operations when using server-side."
> 
> The points I'd like some clarification on:
> 
> 1. Given user_streams API is the intended way for clients to access
> Twitter going forwards, I presume it's intended not just for desktop,
> but also web clients too?
> 2. If 1 is correct, then is it OK to use JavaScript for the OAuth?  If
> it's not, what is the recommended approach for a client side web
> application to connect and authenticate to the user_stream?
> 
> Thanks,
> 
> Tim
> 

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk
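
Added example, not part of the original thread and not Twitter's or either poster's code: OAuth 1.0a HMAC-SHA1 signing on the server-side proxy the reply calls for, showing that the signing key contains the consumer secret, which is why it cannot live in browser JavaScript. The function names are hypothetical, the URL is assumed to be passed without its query string, and the sample values are the published test values from OAuth Core 1.0, Appendix A.

```javascript
// Added example: OAuth 1.0a HMAC-SHA1 request signing (RFC 5849) for Node.js.
// All function names are hypothetical; this runs on the server-side proxy.
const crypto = require('crypto');

// RFC 3986 percent-encoding; encodeURIComponent leaves !*'() unescaped.
function percentEncode(value) {
  return encodeURIComponent(value).replace(/[!*'()]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// METHOD & encoded URL & encoded parameter string (pairs sorted after encoding).
function signatureBaseString(method, url, params) {
  const cmp = (x, y) => (x < y ? -1 : x > y ? 1 : 0);
  const paramString = Object.entries(params)
    .map(([k, v]) => [percentEncode(k), percentEncode(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`).join('&');
  return [method.toUpperCase(), percentEncode(url), percentEncode(paramString)].join('&');
}

// The HMAC key is "consumerSecret&tokenSecret", so whoever computes the
// signature must hold the consumer secret. In a browser that means shipping it.
function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = `${percentEncode(consumerSecret)}&${percentEncode(tokenSecret)}`;
  return crypto.createHmac('sha1', key)
    .update(signatureBaseString(method, url, params)).digest('base64');
}

// Proxy side: the browser supplies only method, URL and query parameters; the
// server adds the oauth_* fields and signs. Secrets never appear in the header.
function authorizationHeader(method, url, query, creds,
  nonce = crypto.randomBytes(16).toString('hex'),
  timestamp = String(Math.floor(Date.now() / 1000))) {
  const oauth = {
    oauth_consumer_key: creds.consumerKey, oauth_nonce: nonce,
    oauth_signature_method: 'HMAC-SHA1', oauth_timestamp: timestamp,
    oauth_token: creds.token, oauth_version: '1.0',
  };
  oauth.oauth_signature = sign(method, url, { ...query, ...oauth },
    creds.consumerSecret, creds.tokenSecret);
  return 'OAuth ' + Object.keys(oauth).sort()
    .map((k) => `${k}="${percentEncode(oauth[k])}"`).join(', ');
}

// Sample input: the published test values from OAuth Core 1.0, Appendix A.
const SAMPLE_CREDS = { consumerKey: 'dpf43f3p2l4k3l03', consumerSecret: 'kd94hf93k423kf44',
  token: 'nnch734d00sl2jdk', tokenSecret: 'pfkkdhi9sl3r4s00' };
console.log(authorizationHeader('GET', 'http://photos.example.net/photos',
  { file: 'vacation.jpg', size: 'original' }, SAMPLE_CREDS, 'kllo9940pd9333jh', '1191242096'));
```

The browser client then talks only to the proxy with its own session, and the proxy attaches this header when it calls the API on the user's behalf.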
