A brief look at Web GIS, Twitter and Authenticating with OAuth

Every week we are hearing about more GIS developers integrating data and capabilities from social media APIs such as Twitter. Most of these apps make basic web requests, for example using the Twitter Search API to retrieve tweets or retrieving trending topics, and follow the straightforward RESTful request/response pattern that’s common across many web applications.

However, if you want your users to be able to do things such as post a Twitter status update or retrieve recent mentions, you have to use OAuth authentication to complete those requests. If you don’t have to authenticate any of your requests, there’s no need to read any further. If you aren’t sure, check the “Requires Authentication” field in the Twitter API docs for a “True” value, for example: http://dev.twitter.com/doc/get/statuses/mentions.

No More Basic Authentication. I’m writing this blog post because up until August 2010 we could get away with using basic authentication, which required just a few lines of code. Twitter put an end to this easy but highly insecure practice. Now we all have to abide by the new rules which means authenticating with OAuth.

The OAuth 1.0 Protocol abstract explains it best by stating that “OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections”.

The Challenge of OAuth. OAuth entails potentially hundreds of lines of code and an understanding of a multi-step process between a client, Twitter and your server. The good news is there are open-source libraries out there that can significantly reduce your coding time and provide insight into how to sign OAuth requests. It’s well worth checking them out rather than rushing off and building something from scratch. Twitter has even conveniently provided a list of some of these libraries on their developer site: http://dev.twitter.com/pages/oauth_libraries. My only caveat is that it’s still up to you, the developer, to examine each library and determine how up to date and how secure it is.
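To show what those libraries are doing under the hood, here is an added example (not code from the original post, from Twitter, or from any of the listed libraries) that builds the OAuth 1.0 signature base string, signs it with HMAC-SHA1 and assembles the Authorization header. The consumer key, token, nonce and timestamp are the published example values from Twitter's own signing documentation, not live credentials, so the output can be compared against Twitter's worked answer.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Published example values from Twitter's signing documentation (not live
# credentials); they let the result be checked against Twitter's worked answer.
DOC_CREDS = {"consumer_key": "xvz1evFS4wEEPTGEFPHBog",
             "consumer_secret": "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw",
             "token": "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
             "token_secret": "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE"}


def pct(value):
    """Strict RFC 3986 encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="")


def signature_base_string(method, url, oauth_params, body_params=None):
    """METHOD & enc(base URL) & enc(sorted, encoded query+body+oauth params)."""
    parts = urlsplit(url)
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += list((body_params or {}).items()) + list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)   # sort by key, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key = enc(consumer_secret) & enc(token_secret); '&' stays if no token yet."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def authorization_header(method, url, creds, nonce, timestamp, body_params=None):
    """Build the 'Authorization: OAuth ...' header value for one signed request."""
    oauth = {"oauth_consumer_key": creds["consumer_key"], "oauth_nonce": nonce,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
             "oauth_token": creds["token"], "oauth_version": "1.0"}
    base = signature_base_string(method, url, oauth, body_params)
    oauth["oauth_signature"] = hmac_sha1_signature(base, creds["consumer_secret"],
                                                   creds["token_secret"])
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def doc_example_header():
    """Sign the status-update request from Twitter's documentation example."""
    return authorization_header(
        "POST", "https://api.twitter.com/1/statuses/update.json?include_entities=true",
        DOC_CREDS, "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", 1318622958,
        {"status": "Hello Ladies + Gentlemen, a signed OAuth request!"})
```

In real use the nonce must be fresh per request and the timestamp current, since Twitter rejects replays and stale clocks; the fixed values here exist only so the result is reproducible.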

Twitter now also has some very helpful documentation on their OAuth process: http://dev.twitter.com/pages/auth. The insights they provide are extremely useful when troubleshooting OAuth implementations.

Sample App. To top things off I’ve created a sample that demonstrates the basic OAuth concepts: http://edn1.esri.com/demos/oauth2/TwitterOauth2.html (updated 11/24/10). And, you can download the source code (Flex/PHP) here.

-Andy (@agup)

One Comment

  1. andygup says:

    I also blogged about 11 Twitter OAuth Tips and Tricks here: http://www.andygup.net/?p=28