OAuth: Totally!

skelkeyWhat is OAuth, and why should you care? Here’s the deal: Just like Skynet of Terminator fame, web apps have lately been doing a lot more talking to each other on the “back-end” instead of all web communication being between a human and a web app. This is a GOOD thing as long as the humans control what talks to what and what data is shared. Instead of copying and pasting a whole bunch of data from Web App A into Web App B, you can now just give Web App B permission to go get it. And if you ever change anything on Web App A, you only need to change it there: Web App B will pick it up. This makes things convenient, but in the past it required giving Web App B your password to Web App A! As a developer, I understand why they really do need this info, but you don’t need to be a paranoid security analyst like me to imagine how easily an evil person could promise an app that does something cool, suck up your credentials, and use them for nefarious purposes. And nowhere is this more true than on Twitter.

I learned at Portland Barcamp 2009 that 90% of the traffic on Twitter’s servers comes from 3rd party apps and only 10% comes directly from humans. With all those apps out there, (most of which require your twitter password) it’s amazing to me that Twitter has been hacked as little as it has. I guess the only reason for that is there isn’t a lot of money in hacking Twitter. All you could could gain would be the ability to mess with people; most serious hackers nowadays are after stealing serious money. But still… it gives me heebie jeebies to give my credentials for any site to a third party on general principle. Up till recently, you had no other choice if you wanted to use Twitter apps.

Recently Twitter has taken first steps toward adopting OAuth, a new protocol that lets a third party act as an authenticated user after getting permission to do so from the user, OAuth does not supply credentials to the third party and supposedly protects the user against a third party sucking down the password. OAuth is not perfect: there is a potential breach when the bad guy interrupts the normal handshake, sucks down an intermediate URL and then convinces a victim to click it. But it still beats giving your password out to any lame-o application that asks for it. Before Twitter will be safe, of course, they will have to drop their support for basic authentication altogether and use exclusively OAuth. Because of the huge number of “legacy” Twitter Apps out there, it will take some time for all of them to update.

I like to be on the bleeding edge, so I thought I’d retrofit my crunchy getfollowavatars hack to use Oauth. If you recall, the getfollowavatars hack would download an archive of the avatars of at least some of your Twitter followers for whatever you wanted to do with them. I used them to create a mosaic, but there are other things you could do as well. I had to have your Twitter password in order to access that information from Twitter. I am a good guy; that’s absolutely all I did with the passwords. But of course I could have snatched them. Let’s see what it takes to do this with OAuth.

Well, I wouldn’t want to reinvent the wheel, and thanks to Jaisen Mathai I don’t have to. Jaisen has kindly provided a suite of PHP classes that take care of all the twiddly details and let you get right to the meat of it. His OAuth class is not coupled to his Twitter class, in case you might wish to use OAuth for something else. The Twitter class very cleverly uses the _call feature of PHP5 so that you don’t have to write a separate method for every Twitter thingie that you want to do. However it took some figuring out to make it do what I want.

Jaisen’s code contains the following, edited for brevity:

//instantiate the authenticated twitter object using the oauth tokens if available
$twitterObj = new EpiTwitter($consumer_key, $consumer_secret,$_COOKIE['oauth_token'], $_COOKIE['oauth_token_secret']);
$twitterInfo= $twitterObj->get_accountVerify_credentials();

After that, we can refer to properties of the $twitterInfo object, such as $twitterInfo->profile_image_url.

I wanted to use the statuses/followers.json URL and pick off the profile_image_url of each follower. To do that, you make up a method name for your Twitter object as follows:

  • Find the Twitter URL in the Twitter API of whatever you want to do.
  • Prefix it with either get or post, as the Twitter API specifies and append an underscore.
  • After the underscore, append the “subdirectory” name as per the Twitter API. In my case, it’s “statuses”.
  • Finally, append the name of your method beginning with an uppercase letter. The uppercase letter is critical!

Luckily, Jaisen’s code appends the json format by default, which is also my preferred format. So my code started like this:

$twitterInfo= $twitterObj->get_statusesFollowers();
foreach ($twitterInfo->response as $follower ) {
   echo $follower['profile_image_url'] . "<br/>";

In the call method, it converts the method name to the appropriate twitter URL. If there are any parameters, it also converts them and feeds them in. In this case there aren’t. Obviously I am going to do more than just echo the URL’s of the avatars. My old code downloaded the avatars to a local directory, then packed them all up and sent the compressed file to the user. The difference was in how I accessed the information. With OAuth, I no longer need the password to get it. Now that I have them, my old code can take it from here.

6 comments to OAuth: Totally!

  • Hackers are my worst nightmares. I couldn’t believe that hacking is so easy. Thank goodness I don’t have anything that hackers would be interested to get. I appreciate the way you make complicated things seem simple.

  • That is an interesting fact about Twitter. I remember reading about a few sploits, but you are right, it is amazing that Twitter hasn’t been hacked more.

    I think in regards to security, the biggest danger has been posed by all of the sites that use the Twitter API and ask for your password. I remember reading about one service that was actually sending advertising tweets out to their users followers, of course without the consent of the user.

  • If you give your password to a site (or OAuth it for that matter,) it can do anything it wants as you. But with OAuth, if a site starts doing something you don’t like, you can de OAuth it. Without OAuth, your only option was to change your password and then all the “good” sites that knew your old password will break. With OAuth you don’t have to change your password and remember all the “good” sites you gave your password to and tell them the new password so that they will still work. But the good sites one by one should start adding OAuth and pulling the password requirement.

  • http://webdesign-boston.com/

    “Affordable Webdesign Doesn’t Mean Compromise”…


  • You need to identify the idea did the trick proper? I do not wish to sumit the idea once more merely need not! Often your blog glitced available or perhaps i am an idiot, the 2nd choice does not astonish me hahah. appreciate it in your wonderful weblog!

  • Get yourself some Twitter Followers and Facebook fans. Visit Here

A sample text widget

Etiam pulvinar consectetur dolor sed malesuada. Ut convallis euismod dolor nec pretium. Nunc ut tristique massa.

Nam sodales mi vitae dolor ullamcorper et vulputate enim accumsan. Morbi orci magna, tincidunt vitae molestie nec, molestie at mi. Nulla nulla lorem, suscipit in posuere in, interdum non magna.