Is there a method on the Twitter api for validating a user ?
So I can send a username/password and I will receive a JSON response detailing wether the username/password is valid or not.
Thanks
Twitter supports xAuth which takes a username and password and returns an access token for the user.
However xAuth requires approval from Twitter before your application can use it and they generally only allow it for mobile and desktop accounts. Twitter will also enable it temporarily if you have a legacy BasicAuth app you need to convert to OAuth.
If you decide to go with xAuth keep in mind that you should never store users passwords. Once the authorization is complete immediately discard them.
You can validate using oAuth. you can find various opensource codes for the same.
Twitter removed Basic authentication in since Aug 2010
You can take a look here http://apiwiki.twitter.com/w/page/22554657/OAuth-Examples
Hope that helps
Related
I want to get twitter access token by just passing twitter user name and password.
Is there any way to get this?
Help me to solve this issue
Yes, you can. Twitter provides xAuth which allows you to submit a username and password, then get back your tokens.
Please note, there are two main restrictions.
You won't get DM access.
You need to specifically request xAuth access from Twitter
xAuth access is restricted to approved applications. If your application is a desktop or mobile application that has no other recourse but to utilize xAuth, send a detailed request to https://support.twitter.com/forms/platform.
I would strongly suggest that you find a way to incorporate the normal oAuth flow into your app.
I have a webapp which does a lot of ajax requests with the php server and database server. I have also created an iPhone app and an Android app, which have been working as offline apps till now.
Now I want to create an API which will be used to sync data between web server and smartphone apps. Should I be using OAuth for this? What I have read about OAuth - it seems like it is used if I want to open my API to be used by third party apps. But here I just want to ensure secure transfer of data between API and my own apps.
Can somebody shed some light on this?
The main usage of OAuth is to make third-party apps authorized to access private resources of a user on a website without giving user credentials to the third-party app. For example, suppose that Twitter wants to get the list of contacts from your Yahoo account. The traditional way is to give your username and password to Twitter. But with OAuth, you give them a temporary token (called Access Token) which authorizes Twitter to access your contacts on Yahoo for a limited amount of time (until either this token expires or you, as the owner of private resource, explicitly revoke it).
That said, OAuth is not about securely transmitting data on the web. That's another story which is usually achieved using SSL. Even when you use OAuth, you have to use SSL alongside to make sure data is sent and received securely.
So in your case, you have to see what the API is used for. If it's public API which doesn't give any private data to the callers, there is no need to use OAuth. If the API is for accessing private resources of individual users however, You may consider using OAuth. If you opt to implement OAuth, you may allow other third-party apps to access your API in future without any concern.
Well a lot depends on how you are securing your API. Is your API open to public specially the post urls? If your data is not something which every user should see, then how are you checking the authentication of the user credentials?
Most the important thing is that we should avoid sharing the username and password over the wire to check for authentication all the time. This means, your API should not require username and password to validate if the user is valid. Which you can do by sending the username and password from mobile or device id or some other thing.
In such situation, the OAuth server comes to the rescue. Basically, on one URL a user will send his username and password to get his access token. Once that is acquired, we can use the access token to validate each request and take necessary actions.
You can refer the videos where I have implemented OAuth server in Laravel 5 using bshaffer which is one of the best OAuth library for any PHP framework to user. https://www.youtube.com/watch?v=0vGXbWdtjls
I wanted to build a simple WP7 app to learn how to use Silverlight, so I thought I'd create a very simple yammer app. As a starter it would have two screens - Login (Username & Password) and Feed.
Yammer user OAuth for its authentication but I just dont get it! i appreciate you need to request a token to use the REST interfaces, but I dont want my users (even if its just me) to need anything other than their login credentials, as they would use on the website. In my head the token can be used in a similar manner as a forms auth token in asp.net
Am I missing something? But I cant see anything in the yammer documentation about logging in.
The process for OAuth is as follows
You do a token request to Yammer. If needed they will ask for yammer credentials and send a token back to a URL of your application
You must use that token to sign all your petitions.
You can't stop Yammer asking for credentials because that's the idea of OAuth. Yammer does not trust you and it's impossible for you to keep any user Yammer's credentials. That way they can't be stolen from your site. The more you can store is a temporal token.
There is a very good guide to using OAuth on hueniverse, which features an example workflow. It's not completely up to date with the latest version of the spec, although this probably doesn't matter too much for your purposes.
Is it possible to authorize twitter console application without visiting authentication web page?
I need it because I'm developing app that grab direct messages from our corporate twitter. This console application is scheduled on web server and is not driven by human.
Regards,
Alexey Zakharov
You can ask Twitter for an access token by supplying a username and password using XAuth. This circumvents the need to redirect to OAuth webpages to get valid access without asking the user for username and password. Applications do need to ask permission from Twitter by email to be able to use this web service method. You should only use it to get a valid access token and then save that, and not persist the username/password in any way. It might be a suitable scenario for your console application?
Check out TWURL. It's command-line CURL with Twitter OAuth built in: http://github.com/marcel/twurl
Its possible to authorize any oAuth based API via Console.
if you have some sample code that your working with please share.
Also: http://p2p.wrox.com/content/articles/twitter-development-using-oauth-authenticate-against-twitter-api-walkthroughs
I've read through documentation where possible but unable to figure out this basic question. When using Oauth with Twitter in my web application, does it require the user to be logged into Twitter everytime?
For example, if a user authorises their account with my website, in future sessions, if they complete an action that posts to their twitter stream, will this occur without any problems, or would they need to re-sign in via Twitter?
Thanks guys!
The OAuth authorization actually allows your application to access their account whenever it wants. So the users do not even need to be there doing something with your web application to allow it to tweet something or such.
Your application is then able to use the key and token which it received in the authorization process to tell Twitter any time "hey, I am authorized to use this account" and basically works as the application's personal login credentials for that account.
No, they only need to be logged into Twitter when they go through the initial OAuth authorization. After that, your site talks directly to the Twitter API using tokens that it saved from earlier.
Ok I've setup a test-case and it looks like I was a bit wrong:
oauth_token, oauth_token_secret are unique for each user and they never change, so if you store them in your database you can reuse them. No matter if the user is logged in to twitter or not.
No, they will normally not need to re-authorize. If the token is revoked, however, they will, and your application needs to be able to handle this (by allowing them to do so). In general, this is true for any SSO system.
A twitter user can explicitly revoke an application's token at the provided page.