Friday, April 3, 2009

OAuth and Twitter

 Earlier last month, Twitter released OAuth access to their site and to the API.  Excited about the possibility of integrating some DigitalChalk functions with Twitter, I decided to take a couple of hours to play around with it and see what it offered.  There are lots of examples on the Twitter API site, but none of them are in Java.  What?  Really?  Maybe because it is so easy to do, but I do think that it is worth posting about.  First, a little about the flow of getting your access credentials from Twitter.  The diagram below shows the order of events and some pieces of the data that you need to get started.


For my implementation example I am using a Java OAuth library written by John Kristian, Praveen Alavilli and Dirk Balfanz.
  1. You must get your Consumer Key and Consumer Secret by registering your application on Twitter.com
  2. The goal is to get an Access Token and Secret that you can use to read and/or write to a Twitter users information without having to ask for their username and password everytime.  We also don't want to have to store that information because they may change it on Twitter.com and we don't want to have to synchronize the information. (The user doesn't really want to give that information to us anyway)
  3. The first step is get request a Request Token from Twitter.  You do this by using a timestamp, nonce, oauth version, and your consumer key and signing it with your consumer secret.  Then a request can be made to http://twitter.com/oauth/request_token including the signature.
  4. public TwitterTokenPair getRequestToken(TwitterConsumerCredentials credentials) throws TwitterOAuthException {
       TwitterTokenPair result = null;
       OAuthAccessor accessor = newAccessor(credentials);
       OAuthClient client = new OAuthClient(new HttpClient3());
       try {
          client.getRequestToken(accessor);
          // Build the token pair to return
          result = new TwitterTokenPair();
          result.setToken(accessor.requestToken);
          result.setTokenSecret(accessor.tokenSecret);
       } catch (Throwable t) {
          throw new TwitterOAuthException(t);
       }   return result;}
    
  5. Twitter will generate a Request Token and Token Secret and send them back
  6. Save the Request Token and Token Secret off for later use.  We will use them again after the user has granted us access.
  7. Build up a the URL for a user to access, sending them to Twitter, to grant us access.  This will be done by sending them to http://twitter.com/oauth/authorize?oauth_token=.  You can optionally add a callback URL on the parameters or just rely on the one that you entered on the Twitter site when registering your application.
  8. public String getAuthorizeUrl(String token, String callbackUrl, Map callbackParameters) {
       Map parameters = new HashMap();
       parameters.put("oauth_token", token);
       if (null != callbackUrl) {
          parameters.put("oauth_callback", callbackUrl + "?" + asQueryString(callbackParameters));
       }
       return authorizeUrl + "?" + asQueryString(parameters);
    }
    
  9. If you user grants you access, then your callback URL will be called.
  10. Upon recieving the callback, you now need to request and Access Token from Twitter.  This is very similar to step 3 except you will be using a different URL and the Request Token and Secret that you saved off in step 4.  You will sign your request with your consumer secret and the token secret and send the request for the Access Token to http://twitter.com/oauth/access_token.
  11. public TwitterTokenPair getAccessToken(TwitterConsumerCredentials credentials, TwitterTokenPair requestTokenPair) throws TwitterOAuthException {
       TwitterTokenPair result = null;
       OAuthAccessor accessor = newAccessor(credentials);
       accessor.requestToken = requestTokenPair.getToken();
       accessor.tokenSecret = requestTokenPair.getTokenSecret();
       OAuthClient client = new OAuthClient(new HttpClient3());
       try {
          client.getAccessToken(accessor, HttpClient.GET, null);
          // Build the token pair to return
          result = new TwitterTokenPair();
          result.setToken(accessor.accessToken);
          result.setTokenSecret(accessor.tokenSecret);
       } catch (Throwable t) {
          throw new TwitterOAuthException(t);
       }
       result;
    }
    
  12. Twitter will generate an Access Token and Token Secret and send them back.  At this point, the Application is added to the users Connections tab.
  13. Once you parse the Access Token and Token Secret out of the response, you can use them from that point forward to make Twitter API calls on behalf of the user that granted access.
That is it!  Now you have successfully acquired the Access tokens and can perform the Twitter REST API services for that user.  Because I have granted DigitalChalk the to update my status, the application can do so at its hearts content.


TwitterHttpCommand twitterCommand = new TwitterHttpCommand(credentials);
try {
   Map parameters = new HashMap();
   parameters.put("status", "Just finished OAuth integration implementation of Twitter and DigitalChalk in Java!  Woohoo!");
   response = service.execute(twitterCommand, HttpMethod.POST, accessTokens, "http://twitter.com/statuses/update.xml", parameters);
   printInputStream(response.getResponse());
} catch (TwitterOAuthException ex) {
   System.out.println(ex);
} catch (IOException ioex) {
   System.out.println(ioex);
}



UPDATE: I have been asked to include the code for this experiment.  You will need to download the Java OAuth Library and include it in the classpath as well as enter your Consumer Key and Secret into the twitter.properties file.  The Test.java class should walk you through how I used it to test access to Twitter.  Let me know what you think and if you would like to see anything else added.  You can download the code here: http://bit.ly/Pz55C

15 comments:

James said...

using the twitter basic auth api, it is possible for the twitter account to be shared by one-or-more twitter client sites.

i'm curious, i wonder if this is possible w/ the twitter oauth api as well. i wonder if the second user's authentication of the shared twitter account will invalidate the previously authenticated by a twitter oauth consumer.

Troy Tolle said...

James, I think that I am following what you are asking.
If you ask a person to authenticate again using OAuth and you complete the cycle by doing the request for the Access Token, then it will invalidate the previous Access Token and Token Secret. You will have to use the newly generated tokens to access the user's account.

James said...

yeah ... it was rather clumsily asked. wasn't exactly sure of the "correct" words, but we're on the same page.

using basic auth, it is pretty easy for a service to allow it's members to share a single twitter account for event/message syndication. in looking at oauth (which i *really* like for obvious reasons), it looks as if this "feature" of allowing for shared account access is no longer available. i really want to be proven wrong on this one :)

Troy Tolle said...

James, I think that it sounds like a good idea for a 3rd party application. You could maintain a group that would have access to write to an account that you approve authentication to and then if you need to remove someone, you simply remove them from your app instead of having to change the password on the Twitter account. Go for it. I think it would be very useful.

James said...

hey troy -

i was just made aware that this is a known issue, one that looks to be under investigation:

http://code.google.com/p/twitter-api/issues/detail?id=372

thx for the chat :)

Anonymous said...

Thanks for this great post + the code :) Both are very helpful...

Anthony said...

Hey Toy, If I have a web app that is already handling all the oAuth stuff, can I just store the access tokens in a DB, and then use those access tokens in my java app to make calls?

If I do this do I need to include any of the oauth stuff at all? Trying to break out in your test what is needed the first time just to get the tokens, and then what you need to do the first time around, and what needs to be dont after you've already had your app approved with the user?

arjun said...

I am getting 401 Unauthorized in step 8. In getAccessToken() function

client.getAccessToken(accessor, HttpClient.GET, null);

result = new TwitterTokenPair();
result.setToken(accessor.accessToken);
result.setTokenSecret(accessor.tokenSecret);

accesstoken and tokensecret are both null.

what could be wrong ?

Please help.

Troy Tolle said...

Anthony, after your user has completed the "Allow" on Twitter, you will be able to get the Access token using the request token and store them. You will then be able to use these tokens on behalf of the user.

Troy Tolle said...

arjun,
You will need to pass in your request token to get the access token after the user has allowed access through the request. It appears you are passing in null right now.

saabir said...

Hi
Fantastic job done :-) Is there a way to download the lib jar files?Or do you have a svn url?
Cheers

Troy Tolle said...

saabir, thanks for the comment. You can download the source at: http://bit.ly/Pz55C

Nautilus said...

Thanks! Step8 saved my night! :)
Bye,
Alex Nautilus
http://twitter.com/alexnautilus

Troy Tolle said...

Nautilus, that is great. I am glad it was useful to you.

Mohammad Swaleh said...

Hi Troy,
excellent post. as a beginner, I could understand where to start. great work. keep it up. and many thanks.

Swaleh