[wp-hackers] Twitter API and Authentication
    Marko Heijnen 
    mailing at markoheijnen.nl
       
    Tue May 11 14:19:54 UTC 2010
    
    
  
John, for xAuth you still need API keys, and a WordPress plugin isn't a
desktop or mobile application.
xAuth is for desktop or mobile applications where you don't want to
visit the browser where the user approves the use of the application.
Lew, requesting API keys for Twitter is almost as simple as for
Akismet. Only Twitter wants to know some information about what the
intentions are for that request.
The last solution indeed will pass the whole oAuth purpose. But it is
a solution.
But users don't need to build the portal. You build that portal as a
service to your plugin users. I do know for most plugins this isn't
doable.
Marko
On 11 May 2010, at 16:07, John Bloch wrote:
> From http://dev.twitter.com/pages/xauth
>
> xAuth provides a way for desktop and mobile applications to exchange  
> a username and password for an OAuth access token. Once the access  
> token is retrieved, xAuth-enabled developers should dispose of the  
> login and password corresponding to the user.
> xAuth access is restricted to approved applications. If your  
> application is a desktop or mobile application and the standard web  
> OAuth flow or PIN-code out-of-band flow is not right for you, send a  
> detailed message to api at twitter.com to request xAuth privileges.  
> Include the name of your application, the consumer key, the  
> application ID (if available), and a summary of how xAuth is
> best-suited for your application.
> It looks like WP plugins like Twitter Tools, etc. would best be  
> served by xAuth, since it's still authenticated by username and  
> password, but is also still oAuth compatible. It's a bit more of a  
> hassle for the developer, but it sounds like it would be much more  
> user friendly for the actual users of the application.
>
> -John P. Bloch
>
> On May 11, 2010, at 9:43 AM, Marko Heijnen wrote:
>
>> That is true. For oAuth you need the API keys. It is less
>> user-friendly but the effort for users is bigger.
>> As a user I always hated the Basic Authentication because of entering
>> a password to a site.
>> Requesting the API keys is 5 minutes' work and with some
>> instructions every user can do it.
>>
>> What some plugins do is create a shell (service) that connects
>> to, for example, Twitter.
>> In the plugin you will put the username and password for connection
>> to that service.
>> The service will push your message to Twitter.
>>
>>
>> On 11 May 2010, at 15:32, Lew Ayotte - Full Throttle Development wrote:
>>
>>> Is this still true?
>>>
>>>> If you're distributing your plugin for WordPress, you would want to
>>>> ensure that it doesn't contain any OAuth consumer keys (API keys) or
>>>> secrets within the source code. You'd instruct implementors to come to
>>>> http://dev.twitter.com/apps to create an application and give them a UI
>>>> or configuration file to enter their consumer key and consumer secret in
>>>> a safe place resistant to tampering.
>>>>
>>>
>>> http://groups.google.com/group/twitter-development-talk/browse_thread/thread/21bc0536e9bf0eab/20600060538f7075?lnk=gst&q=plugin#20600060538f7075
>>>
>>> It seems like that is the antithesis of user-friendly and would seem like
>>> the opposite of what Twitter would want. I currently have over 13,000
>>> downloads for my Twitter Post plugin. Many of those are updates, so let's
>>> assume that 1/16 of those are legit users. Twitter really wants over 800
>>> app requests for the same app? And I'm not the only one with a Twitter
>>> Plugin that allows you to post to twitter -- Twitter Tools has over
>>> 500,000 downloads.
>>>
>>> Lew
>>>
>>> Lew Ayotte
>>> Full Throttle Development, LLC
>>> 706.363.0688
>>> 478.246.4627
>>> lew at fullthrottledevelopment.com
>>> http://fullthrottledevelopment.com
>>> http://twitter.com/full_throttle
>>> http://twitter.com/lewayotte
>>>
>>>
>>> On Tue, May 11, 2010 at 8:53 AM, Lew Ayotte - Full Throttle Development
>>> <lew at fullthrottledevelopment.com> wrote:
>>>
>>>> Well, thanks for the heads up... but this is going to be a pain in the
>>>> rear.
>>>>
>>>> Now I guess I'll start incorporating oAuth into my plugin.
>>>>
>>>> Lew Ayotte
>>>>
>>>>
>>>>
>>>> On Mon, May 10, 2010 at 7:20 PM, Matt Harris
>>>> <themattharris at twitter.com> wrote:
>>>>
>>>>> Hey Hackers,
>>>>>
>>>>> Some of you may already know me through WordCamps, Barcamps and various
>>>>> conferences but for those of you who don't, my name is Matt Harris and
>>>>> I've just joined Twitter as a Developer Advocate.
>>>>>
>>>>> I'm emailing this list to reach those of you who either write plugins
>>>>> that use Twitter, or develop websites for which a Twitter widget is used.
>>>>>
>>>>> On the 30th June the Twitter REST API will stop supporting Basic
>>>>> Authentication and instead switch to OAuth. This means
>>>>> * all user authenticated requests to the API must be OAuth signed,
>>>>>   preferably using OAuth headers.
>>>>> * calls not requiring authentication should ensure they do not send auth
>>>>>   headers of any kind as doing so will return an error
>>>>> * basic auth will cease to function on the REST API
>>>>> * the streaming API will still support basic auth but this is likely to
>>>>>   change later in the year
>>>>> * the search API does not require auth so is not part of this project
>>>>> * the public RSS/ATOM feeds do not require auth so are not part of this
>>>>>   project
>>>>>
>>>>> So, if you have WordPress sites that publish to Twitter please check they
>>>>> are using OAuth and not Basic Authentication.
>>>>> If you are a plugin developer, please update your plugin to use OAuth and
>>>>> remove any Basic Authentication code.
>>>>> If your plugin just consumes RSS/Atom feeds from Twitter you will be
>>>>> unaffected by this change.
>>>>>
>>>>> Information about OAuth and community code libraries can be found on
>>>>> http://dev.twitter.com or, if you have any questions please ask in the
>>>>> Twitter development talk Google group:
>>>>> http://groups.google.com/group/twitter-development-talk.
>>>>> You can also find me on Twitter as @themattharris or at various events
>>>>> including Google IO later this month.
>>>>>
>>>>> Best,
>>>>> Matt Harris
>>>>> Developer Advocate, Twitter
>>>>> http://twitter.com/themattharris
>>>>> _______________________________________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.com
>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>
>>>>
>>>>
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
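
The two technical points in this thread, that every authenticated request must be OAuth signed (preferably in a header) and that a distributed plugin should take the consumer key and secret from the site owner's configuration rather than ship them in its source, are shown together below in PHP. This is an added example, not code from the thread or from any plugin it mentions. The endpoint URL, the MYPLUGIN_* setting names and all key values are constructed placeholders, and PHP 7 or later is assumed.

```php
<?php
const SETTINGS = array('CONSUMER_KEY', 'CONSUMER_SECRET', 'TOKEN', 'TOKEN_SECRET');

// Credentials come from site configuration, never from the distributed source.
function load_credentials() {
    $creds = array();
    foreach (SETTINGS as $name) {
        $creds[$name] = getenv('MYPLUGIN_' . $name); // hypothetical setting names
        if ($creds[$name] === false || $creds[$name] === '') {
            throw new RuntimeException('Missing setting MYPLUGIN_' . $name);
        }
    }
    return $creds;
}

// Signature base string: METHOD & encoded URL & encoded, key-sorted parameters.
function oauth_base_string($method, $url, array $params) {
    $enc = array_combine(array_map('rawurlencode', array_keys($params)),
                         array_map('rawurlencode', $params));
    ksort($enc, SORT_STRING);
    $pairs = array_map(function ($k, $v) { return $k . '=' . $v; }, array_keys($enc), $enc);
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

// Authorization header for one request; body parameters are covered by the signature.
function oauth_header($method, $url, array $body, array $c) {
    $oauth = array(
        'oauth_consumer_key'     => $c['CONSUMER_KEY'],
        'oauth_nonce'            => bin2hex(random_bytes(16)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_token'            => $c['TOKEN'],
        'oauth_version'          => '1.0',
    );
    $base = oauth_base_string($method, $url, array_merge($body, $oauth));
    // Signing key: encoded consumer secret and token secret joined by '&'.
    $key  = rawurlencode($c['CONSUMER_SECRET']) . '&' . rawurlencode($c['TOKEN_SECRET']);
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $base, $key, true));
    $parts = array_map(function ($k, $v) { return $k . '="' . rawurlencode($v) . '"'; },
                       array_keys($oauth), $oauth);
    return 'Authorization: OAuth ' . implode(', ', $parts);
}

// Constructed demo values; a real site owner sets these outside the plugin source.
foreach (SETTINGS as $name) {
    putenv('MYPLUGIN_' . $name . '=example-' . strtolower($name));
}
echo oauth_header('POST', 'https://api.example.test/statuses/update.json',
    array('status' => 'Hello from a signed request'), load_credentials()), "\n";
```

A plugin would send the returned line as a request header alongside the form-encoded body; the nonce and timestamp change on every call, so the signature does too.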
    
    