OAuth is a protocol designed to allow applications access to sensitive information while retaining control and security for the user.
When using OAuth, you will not ask your users for their username or password. Instead, you will deal with a series of tokens. You can think of these tokens as a kind of username (aka token) and password (aka secret), except that the user won’t know or see them. There are three sets of these tokens: request, access, and consumer. The consumer tokens (usually referred to as consumer keys, but I like to be different) are assigned to you on a per-application basis. They act as the username/password your application uses to identify itself. The request tokens (there is no password for these) are disposable and are valid only long enough to complete the authentication process (hopefully this will be clear by the end). The access tokens are the values you will need to keep. These are your keys to the user’s information. Treat these as the user’s credentials.
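To make the "password" half of each token pair concrete, here is an added example (not Twitterizer code, and not from the original page) of the OAuth 1.0a HMAC-SHA1 request signature that Twitter's API used underneath libraries like Twitterizer. The point for a practitioner: the consumer secret and the token secret are never sent; they only key an HMAC over the request, so a captured request reveals the token (the "username") but not the secret, and any altered parameter invalidates the signature. The sample request and expected signature are the public test vector from Appendix A of the OAuth Core 1.0 specification; the function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Sample request from Appendix A of the OAuth Core 1.0 specification (public test vector).
SAMPLE_METHOD = "GET"
SAMPLE_URL = "http://photos.example.net/photos"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",   # the "username" of the application
    "oauth_token": "nnch734d00sl2jdk",          # the "username" of the user's access token
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
    "file": "vacation.jpg",
    "size": "original",
}
SAMPLE_CONSUMER_SECRET = "kd94hf93k423kf44"   # the "passwords": never transmitted
SAMPLE_TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def percent_encode(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Canonical string both sides compute: METHOD & encoded URL & encoded, sorted parameters."""
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 keyed with 'consumer secret & token secret'; token secret is empty before a token exists."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> dict:
    """Consumer side: return a copy of params with oauth_signature added; this is what goes on the wire."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return signed


def verify_request(method: str, url: str, signed_params: dict, consumer_secret: str, token_secret: str = "") -> bool:
    """Provider side: recompute from the secrets it holds and compare in constant time."""
    expected = hmac_sha1_signature(
        signature_base_string(method, url, signed_params), consumer_secret, token_secret)
    return hmac.compare_digest(signed_params.get("oauth_signature", ""), expected)


def authorization_header(signed_params: dict) -> str:
    """The Authorization header form Twitter accepts: only oauth_* parameters, percent-encoded."""
    oauth_only = sorted((k, v) for k, v in signed_params.items() if k.startswith("oauth_"))
    return "OAuth " + ", ".join(f'{k}="{percent_encode(v)}"' for k, v in oauth_only)


if __name__ == "__main__":
    signed = sign_request(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_PARAMS,
                          SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET)
    print(authorization_header(signed))
    print("verifies:", verify_request(SAMPLE_METHOD, SAMPLE_URL, signed,
                                      SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET))
```

Note that the same code serves both ends: the consumer signs with the secrets it was issued, and the provider re-signs with the copies it stored and compares. That is why leaking an access secret is equivalent to leaking the user's credentials, exactly as the paragraph above says to treat them.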
Before you begin working here, you must have your application registered with Twitter. You can go here to register a new application and obtain your consumer key and secret.
If the process were a children’s story, it would go like this:
“Hey Twitter, I’ve got a user I’d like to access. You know me, you gave me this consumer key and secret? Remember?” queries myApplication.
“Sweet! Send them to me with this super secret code, so I’ll know they came from you,” replies Twitter.
“Hey User, go to Twitter (with this code), login, and tell them that you’d like to give me access,” myApplication demands.
A few moments later.
“myApplication, I did what you told me to do. I told them this super secret code,” exclaims the User.
Excitedly, myApplication shouts, “HURRAY!” “Twitter, that user came back and said they gave me access. Remember? The one with this super secret code?”
“Oh yeah, I remember that guy and/or girl. From now on, let’s call him this access code. You’ll also need this access secret.”
“Cool, I’ll remember that for next time.”
The first step in authenticating a new user is to get a new request token. To do this with Twitterizer2, use the GetRequestToken method in the OAuthUtility class, like so:
OAuthUtility.GetRequestToken("consumer key", "consumer secret");
This returns an OAuthTokenResponse object that contains four properties: Token, TokenSecret, UserId, and ScreenName. At this point, only Token will have a value. This is your request token.
Now, you will need to send the user to Twitter, using this address: http://twitter.com/oauth/authorize?oauth_token=[request token]
While there, the user will be asked to log in, if they aren’t already, and given the choice to allow or deny access to your application.
From here, we will need to split the tutorial into two parts based on the environment of your application, because the process differs slightly. Websites are more streamlined: the user is simply redirected back to your site. Desktop and mobile applications require the user to manually return to your application and enter a PIN that Twitter gives them.
Choose your poison: Web Site or Desktop Application
After the user grants you access, Twitter will redirect them to the callback location they have on file for the application, along with an oauth_token querystring parameter appended to it. For example, if I entered “http://example.com/callback.aspx” when I registered my application with Twitter, the user will be sent to “http://example.com/callback.aspx?oauth_token=[request token]”. The request token value is the same value as before, so you don’t need to store it during the first step.
At this point, you need to exchange the request token for a set of access tokens, like this:
OAuthUtility.GetAccessToken("consumer key", "consumer secret", "request token");
This will also return an OAuthTokenResponse, but this time, all of the properties will be filled. You now have all of the information you need to communicate with Twitter on behalf of the user.
Code Sample
In this sample, we assume you have an application registered with Twitter, and that the callback URL is set to “www.example.com/callback.aspx”. It’s suggested that the user is given a link to click that will send them to Twitter, but for simplicity, we’ll just use Response.Redirect to get them there.
new-user.aspx.cs
When the user hits this page, your application will obtain a request token from Twitter and send the user to authenticate themselves.
// Step 1: obtain a request token using the application's consumer credentials.
OAuthTokenResponse authorizationTokens = OAuthUtility.GetRequestToken("ConsumerKey", "ConsumerKeySecret");
// Step 2: send the user to Twitter's authorize page carrying that request token.
Response.Redirect(string.Format("http://twitter.com/oauth/authorize?oauth_token={0}", authorizationTokens.Token), true);
callback.aspx
When the user is done logging in with Twitter, they will be sent to this page.
// Exchange the request token Twitter appended to the callback querystring for the user's access tokens.
OAuthTokenResponse tokens = OAuthUtility.GetAccessToken(
    "ConsumerKey",
    "ConsumerKeySecret",
    Request.QueryString["oauth_token"]);
// Keep these: they are the user's credentials for every later call made on their behalf.
string userAccessToken = tokens.Token;
string userAccessSecret = tokens.TokenSecret;
string userName = tokens.ScreenName;
long userId = tokens.UserId;
After the user grants you access, Twitter will give the user a six-digit PIN. The user will be instructed to return to your application and supply the PIN to you.
At this point, you need to exchange the original request token and the PIN for a set of access tokens, like this:
OAuthUtility.GetAccessToken("consumer key", "consumer secret", "request token", "pin number");
This will also return an OAuthTokenResponse, but this time, all of the properties will be filled. You now have all of the information you need to communicate with Twitter on behalf of the user.
Code Sample
For a code example, you should go get the latest source code package from our downloads section. It will contain example desktop and web applications that will demonstrate our OAuth implementation.
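The two flows above (website callback and desktop PIN) differ only in how the verifier reaches the application, so here is one added example covering both. It is not Twitterizer's code or Twitter's: FakeProvider is a constructed in-memory stand-in for Twitter's request-token, authorize and access-token endpoints, ConsumerApp is the application side with a dictionary standing in for the user's server-side session, and the consumer key, screen names and user ids are made-up sample values. It shows the two checks a defender wants at the token exchange: the callback handler only exchanges the request token that this session actually started with (so a callback carrying some other token is refused), and the provider accepts each request token once and only with the matching verifier/PIN. The verifier and the callback registered at the request-token step are what OAuth 1.0a added over OAuth 1.0, which is why newer Twitterizer versions require both, as the comments below mention.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

AUTHORIZE_URL = "http://twitter.com/oauth/authorize"


@dataclass
class RequestToken:
    consumer_key: str
    callback: str                   # the consumer's callback URL, or "oob" for PIN-based apps
    owner: Optional[str] = None     # screen name of the user who approved it
    verifier: Optional[str] = None  # the oauth_verifier / PIN, set when the user approves
    used: bool = False              # a request token may be exchanged exactly once


class FakeProvider:
    """Constructed stand-in for Twitter's OAuth endpoints (an assumption, not Twitter's real server)."""

    def __init__(self, consumers: Dict[str, str], users: Dict[str, int]):
        self.consumers = consumers  # consumer key -> consumer secret
        self.users = users          # screen name -> user id
        self.request_tokens: Dict[str, RequestToken] = {}

    def get_request_token(self, consumer_key: str, callback: str) -> str:
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer key")
        token = secrets.token_hex(8)
        self.request_tokens[token] = RequestToken(consumer_key, callback)
        return token

    def authorize(self, token: str, screen_name: str) -> Tuple[str, str]:
        """The user logs in on the authorize page and clicks Allow."""
        rt = self.request_tokens[token]
        rt.owner = screen_name
        rt.verifier = f"{secrets.randbelow(10 ** 6):06d}"  # six-digit PIN, as the page describes
        if rt.callback == "oob":
            return "pin", rt.verifier  # desktop: shown to the user to type back into the app
        return "redirect", f"{rt.callback}?oauth_token={token}&oauth_verifier={rt.verifier}"

    def get_access_token(self, consumer_key: str, token: str, verifier: str) -> dict:
        rt = self.request_tokens.get(token)
        if rt is None or rt.used or rt.owner is None or rt.consumer_key != consumer_key:
            raise PermissionError("unknown, unauthorized or already-used request token")
        if not hmac.compare_digest(rt.verifier, verifier):
            raise PermissionError("verifier/PIN mismatch")
        rt.used = True
        return {"Token": secrets.token_hex(8), "TokenSecret": secrets.token_hex(16),
                "ScreenName": rt.owner, "UserId": self.users[rt.owner]}


class ConsumerApp:
    """The application side; `session` stands in for one user's server-side session."""

    def __init__(self, provider: FakeProvider, key: str, callback: str):
        self.provider, self.key, self.callback = provider, key, callback
        self.session: Dict[str, str] = {}

    def new_user(self) -> str:
        """new-user.aspx: get a request token, remember it, send the user to Twitter."""
        token = self.provider.get_request_token(self.key, self.callback)
        self.session["request_token"] = token
        return f"{AUTHORIZE_URL}?oauth_token={token}"

    def callback_handler(self, query: Dict[str, str]) -> dict:
        """callback.aspx: exchange only the token this session started with."""
        return self._exchange(query.get("oauth_token", ""), query.get("oauth_verifier", ""))

    def enter_pin(self, pin: str) -> dict:
        """Desktop variant: the user types the PIN back into the application."""
        return self._exchange(self.session.get("request_token", ""), pin)

    def _exchange(self, token: str, verifier: str) -> dict:
        expected = self.session.pop("request_token", None)  # single use on our side as well
        if expected is None or not hmac.compare_digest(expected, token):
            raise PermissionError("oauth_token is not the request token this session issued")
        return self.provider.get_access_token(self.key, expected, verifier)


def query_of(url: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _setup(callback: str, user: str, user_id: int) -> Tuple[FakeProvider, ConsumerApp]:
    provider = FakeProvider({"ConsumerKey": "ConsumerKeySecret"}, {user: user_id})
    return provider, ConsumerApp(provider, "ConsumerKey", callback)


def run_web_flow() -> dict:
    provider, app = _setup("http://example.com/callback.aspx", "alice", 1001)
    _, redirect = provider.authorize(query_of(app.new_user())["oauth_token"], "alice")
    return app.callback_handler(query_of(redirect))


def run_pin_flow() -> dict:
    provider, app = _setup("oob", "bob", 1002)
    _, pin = provider.authorize(query_of(app.new_user())["oauth_token"], "bob")
    return app.enter_pin(pin)


def replayed_callback_is_rejected() -> bool:
    provider, app = _setup("http://example.com/callback.aspx", "alice", 1001)
    _, redirect = provider.authorize(query_of(app.new_user())["oauth_token"], "alice")
    app.callback_handler(query_of(redirect))      # first delivery succeeds
    try:
        app.callback_handler(query_of(redirect))  # replay: session forgot the token, provider marked it used
    except PermissionError:
        return True
    return False
```

The returned dictionary mirrors the four OAuthTokenResponse properties the page lists (Token, TokenSecret, ScreenName, UserId). Storing the request token in the session rather than trusting the querystring is the design choice to copy: it costs one session write in new-user.aspx and makes callback.aspx reject any token it did not itself hand out.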
19 Responses to Getting Started with OAuth
I’m trying to get this working, but the current version requires 4 arguments now (key, secret, token, verifier). I can’t find any explanation for these other two. Am I doing something wrong?
The only change since this article was written is that the verifier is no longer optional. For the verifier you should supply the PIN, if you’re using PIN-based authentication, or the oauth_verifier value supplied on the querystring when the user returns to your site via the callback url.
I am getting a 401 Unauthorized when using the code that implements OAuth.
Interestingly during debugging I randomly get the 401 and a success request. When deployed I only get 401 Unauthorized.
Any idea why this is failing?
I’m getting the same error on production. But in debug mode is intermittent. Did you find the solution for this?
Hello, I’m having the same problem you could solve?
Thanks
Hello, thanks for your answer…
Successful!
I have a question: is possible to know how many people (and who) is using my app?
You can use the search API and use the source keyword, like this: “source:MetroTwit”
I’m trying to use it and I have a question:
Does the user need to allow or deny all requests of my application?
The user needs to grant your application access one time. Once access has been granted the user can revoke access, but it will not expire otherwise.
GetRequestToken appears to take 3 params, not 2, is this example out of date? All I’m trying to do is display the account’s friends timeline on my site, seems like this should be so simple but I can’t find any examples for doing this. Any thoughts would be appreciated.
Yes, this example is out of date, although all versions of Twitterizer 2 had the 3-argument overload available. GetRequestToken now requires (per Twitter’s best practices) that the developer supplies a callback. For desktop applications, “oob” should be supplied (as is stated in the docs).
Does the pin-code stay valid forever after?
Excellent question. No, the PIN is single-use. Your application only needs the access token values. Those values are good forever, or until the user revokes your access.
[...] on the first and second line I do a basic OAuth request (see the getting started guide), after that I realized I missed the PIN to do a GetAccessToken. So in my FraudePin method I mimic [...]
I do not fully understand how to use it
please a small sample to get started
I think 5 lines of code should be enough.
Ok, added a code sample for each scenario.
What are the “request token” and “pin number”?
The request token is given to your application by the OAuthUtility.GetRequestToken(“consumer key”, “consumer secret”); method.
The pin number is given to the user.