But all I want to do is tweet!?

If you’re anything like me, you’ve got a collection of Twitter robots, written in various languages, the push automated tweets for applications like @city_cinema and @casamiacafe using code that looks like this:

curl -s \    
     -d 'status="Movie tonight!' \
     'http://city_cinema:XXXXXXX@twitter.com/statuses/update.xml'

And you probably noticed, despite months of warning, that your applications just up and stopped working on September 1, 2010 because of Twitter dropping support for Basic Authentication.

And so you went and read all about OAuth and grabbed an OAuth library and tried to make your way through the thicket of conceptual leaps required to grok the new way of doing things.

And then you threw up your hands and cried “but all I want to do is tweet!”.

When you get to this stage, here’s what you need to do (at least if you speak PHP):

1. Install the PECL oath package:

pecl  install oauth

2. Go to the Twitter Developer site and register a new application. This will feel strange to you – “I just want tweet!” – but you must do it. You’ll need to set the “Callback URL” to something, but as you’ll never actually use this, it can be anything.

3. Once you’ve added your new application, on its “Application Details” page you’ll find Consumer key and your Consumer secret; you’ll need these in a moment.

4. On the application’s “My Access Token” page you’ll find your Access Token and Access Token Secret; you’ll need these too.

You now have everything you need to tweet. Here’s the PHP you need to tweet it with:

<?php

$status = "Look, I'm tweeting from PHP!"; 
$consumer_key = 'XXXXXXXXXXXXXXXX';
$consumer_secret = 'XXXXXXXXXXXXXXXX';
$access_token = 'XXXXXXXXXXXXXXXX';
$access_token_secret = 'XXXXXXXXXXXXXXXX';

$oa = new OAuth($consumer_key,$consumer_secret,
     OAUTH_SIG_METHOD_HMACSHA1,
     OAUTH_AUTH_TYPE_URI);

$oa ->setToken($access_token, $access_token_secret);

$oa->fetch("https://twitter.com/statuses/update.json",
     array("status" => $status), OAUTH_HTTP_METHOD_POST);

?>

Of course this can be all prettied up and turned into a PHP class, and have error testing built in, but that’s the heart of it there.

Comments

Dave's picture
Dave on September 13, 2010 - 18:42 Permalink

It turns out I’m nothing like you! Who knew?

til's picture
til on September 15, 2010 - 12:14 Permalink

Sigh — it is sad seeing twitter making things much more complicated. If they had started their API with oauth only it wouldn’t have been that successful at all, I’m sure.

What annoys me most about this is that I don’t think basic auth is less secure, if used correctly. That is: always send it over https, and only use it for credentials of your own account like you do in the example above.

I think that disabling basic auth is only done to prevent the discouraged use of 3rd party apps storing other peoples primary credentials, and simplicity is the collateral damage :-(.

And I still don’t understand what the advantages of the whole request signing chore is over simply using https.

oliver's picture
oliver on September 16, 2010 - 00:12 Permalink

Maybe we’re not so much alike as I thought.