Twitter consumer secret really a secret? - twitter

For writing desktop twitter apps, one is required to create an app at apps.twitter.com and use consumer "secret" to retrieve the user's authorization via some sort of PIN.
The apps page on twitter says:
Keep the "Consumer Secret" a secret. This key should never be human-readable in your application.
Is this a joke? The client app needs to have it in plaintext at some point. Is this Twitter's sense of security? And does it really matter to keep this "secret" a secret? (which is obviously impossible)

Related

Do I need to have a website in order to get twitter API auth keys? [duplicate]

I am working on a Twitter project where I want to use OAuth but I don't know where to get the consumer and secret keys.
How can I get these?
To get Consumer Key & Consumer Secret, you have to create an app in Twitter via
https://developer.twitter.com/en/apps
Then you'll be taken to a page containing Consumer Key & Consumer Secret.
Hopefully this information will clarify OAuth essentials for Twitter:
Create a Twitter account if you don't already have one
Visit 'https://apps.twitter.com' and follow the required prompts to create a developer project (Twitter requires you to answer some questions before they will approve your account. Approval was nearly instant in my case.)
Requesting the API key and secret via the Developer Portal causes Twitter to produce the following three things:
API key (this is your 'consumer key')
API secret key (this is your 'consumer secret')
Bearer token
Next, visit the 'Authentication Tokens' area of the Developer Portal and generate an 'Access token & secret'. This will provide you with the following two items:
Access token (this is your 'token key')
Access token secret (this is your 'token secret')
The consumer key, consumer secret, token key, and token secret should be sufficient to do Twitter API calls (they were for me).
Log into the Twitter Developers section.
If you don't already have an account, you can log in with your normal Twitter credentials
Go to "Create an app"
Fill in the details of the application you'll be using to connect with the API
Your application name must be unique. If someone else is already using it, you won't be able to register your application until you can think of something that isn't being used.
Click on Create your Twitter application
Details of your new app will be shown along with your consumer key and consumer secret.
If you need access tokens, scroll down and click Create my access token
The page will then refresh on the "Details" tab with your new access tokens. You can recreate these at any time if you need to.
By default your apps will be granted read-only access. To change this, go to the Settings tab and change the access level required in the "Application Type" section.
Existing apps
To get the consumer and access tokens for an existing application, go to My applications (which is available from the menu in the upper-right).
Step 1. Go to https://dev.twitter.com/apps
Step 2. Create app (fill in the form)
Step 3. Change permissions if necessary (depending on whether you want to just read, write or execute)
Step 4. Go to the API keys section and click generate ACCESS TOKEN.
5 years late to answer :)
Now you have these tokens, which are all you need.
'oauth_access_token' => Access token
'oauth_access_token_secret' => Access token secret
'consumer_key' => API key
'consumer_secret' => API secret
Simply go here: https://dev.twitter.com/apps/new Make sure you have logged in with your Twitter account - then create - even if you're just entering random (Test) content - create your app - afterwards you will receive all the data you require :)
Go to https://dev.twitter.com/apps to list all your apps. Click on the desired app to get its consumer and secret key. If you haven't created any app yet, then follow https://dev.twitter.com/apps/new to create a new one.
This slide show shows how to get both keys (updated June 2013).
http://www.slideshare.net/Tweetganic/generate-twitter-applications
From the Twitter FAQ:
Most integrations with the API will require you to identify your application to Twitter by way of an API key. On the Twitter platform, the term "API key" usually refers to what's called an OAuth consumer key. This string identifies your application when making requests to the API. In OAuth 1.0a, your "API keys" probably refer to the combination of this consumer key and the "consumer secret," a string that is used to securely "sign" your requests to Twitter.
consumer_key = API key
consumer_secret = API key secret
Found it hidden in Twitter API Docs
Twitter's naming is just too confusing.
FYI, from November 2018 anyone who wants to access Twitter's APIs must apply for a Twitter Development Account by visiting https://developer.twitter.com/. Only once your application has been approved will you be able to create Twitter apps.
Once the Twitter Developer Account is ready:
1) Go to https://developer.twitter.com/.
2) Click on Apps and then click on Create an app.
3) Provide an App Name & Description.
4) Enter a website name in the Website URL field.
5) Click on Create.
6) Navigate to your app, then click on Details and then go to Keys and Tokens.
Reference: http://www.technocratsid.com/getting-twitter-consumer-api-access-token-keys/

How do you store your client credentials in your Oauth iPhone App?

So I've been reading some documentation on Oauth, and I understand the concept and the way Oauth works, but I am having trouble understanding something...
On the following website, I took this excerpt (see emphasis):
In everyday web transactions, the most common credential used is the username-password combination. OAuth’s primary goal is to allow delegated access to private resources. This is done using two sets of credentials: the client identifies itself using its client identifier and client secret, while the resource owner is identified by an access token and token secret. Each set can be thought of as a username-password pair (one for the application and one for the end-user).
So let's use Instagram as an example,
Client = Instagram iPhone App
Server = Instagram Server
Resource Owner = Instagram User
My question is, how does the client store the client identifier and client secret inside the iPhone app when storing passwords in iPhone applications is known to be completely insecure... Where does one store the client identifiers and client secret securely for OAuth access?

Access my token while keeping it secret (omniauth)

I'm using Omniauth to link API with users. Currently I have my site's token and secret in the omniauth.rb file. How can I grab that data for API GET requests? If I can't, where should I store it and how should I retrieve it?
Thanks
I presume you're not familiar with OAuth itself. In order to implement your API interactions effectively, I advise you to read Beginner's Guide to OAuth.
Basically, you're going to register your consumer application in the provider application. During that process, you will obtain a secret token, associated with your consumer app. Using that token to identify your consumer application, the provider will generate an access token for each subsequent request. These tokens are short-lived and basically allow only one request to the API.

Two Legged OAuth Workflow

I'm trying to use two-legged OAuth to allow a mobile client to log into an API I've created, however I can't quite grok the proper workflow for this and all the tutorials seem to say something different.
From what I've read in the two legged version the oauth consumer key and consumer secret are specifically assigned to a user, and the tokens aren't used. So when a user logs in they (or their device) would have to present their consumer key and secret and we can use that to verify their identity. But then what? Does the client device receive some token that they use to access the API, or do they send the consumer information with every request?
And the user can only be expected to remember a username and password, how do we get from username and password on the client device to a consumer key and secret to send to the server?
You shouldn't have a consumer key/secret pair for each client device. The OAuth notion of "consumer" is a particular site or developer using the API to authenticate to you. Who is creating the username/password pairs? Are these specifically your user accounts, or are you looking for users to be able to log into you with Yahoo, Google, etc. accounts?
At any rate, I would expect the users to have a username and password, not a consumer key and consumer secret.
2-legged OAuth removes a separate authN/authZ server that talks directly to the client that is otherwise present in 3-legged OAuth. It certainly does involve (access) tokens. The client device would receive a token and could use that until it expires.
The advantage of this setup is that you do not need to worry about the security of the client_id/secret on every API call. Sending client_id/secret on every call is basic authentication, and it is not recommended. Instead, by using OAuth, you only need to worry about the security of client_id/secret on the API call used to get the token (e.g., once for the life of each token). And if a token is compromised, it has a TTL, whereas client_id/secret do not.
The client_id/secret are not known to the end-user who provides their own user credentials. The client app is expected to handle the negotiation of client_id/secret for token.
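The exchange described in the answer above, as an added example that is not code from the thread or from any OAuth library: the client_id/secret is checked once at a token endpoint, every later API call carries only a random token, and the token carries a TTL so a leaked one stops working on its own. The class name, the `mobile-app` client and its secret are constructed for the example.

```python
# Added example, not code from the thread: the client-credentials exchange the
# answer above describes. The client_id/secret is checked once at the token
# endpoint; every later API call carries only a random token with a TTL.
import hashlib
import hmac
import secrets
import time


class TokenEndpoint:
    def __init__(self, registry: dict, ttl_seconds: int = 3600):
        # registry maps client_id -> SHA-256 hex of the client secret (constructed sample).
        self.registry = registry
        self.ttl = ttl_seconds
        self.live = {}  # token -> (client_id, expires_at)

    @staticmethod
    def digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, client_id: str, client_secret: str, now=None):
        """Validate the client credentials once; return a short-lived token or None."""
        now = time.time() if now is None else now
        stored = self.registry.get(client_id)
        # Constant-time comparison of digests; unknown client and bad secret look the same.
        if stored is None or not hmac.compare_digest(stored, self.digest(client_secret)):
            return None
        token = secrets.token_urlsafe(32)
        self.live[token] = (client_id, now + self.ttl)
        return token

    def authenticate(self, token: str, now=None):
        """Resolve a token presented on an API call; unknown or expired -> None."""
        now = time.time() if now is None else now
        entry = self.live.get(token)
        if entry is None:
            return None
        client_id, expires_at = entry
        if now >= expires_at:
            del self.live[token]  # a leaked token dies with its TTL; the secret never did
            return None
        return client_id


# Constructed sample registry: one client whose secret is "s3cret-demo".
SAMPLE_REGISTRY = {"mobile-app": TokenEndpoint.digest("s3cret-demo")}
```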
