Migrating from Twitter Basic Authentication to OAuth Credentials

August 13, 2010

At the end of August 2010, all Twitter apps that use Basic Authentication to post/query the API will no longer work. Apps need to migrate to OAuth authentication, but this can be a little tricky. I’ve created something for my particular use-case that you might find useful too.

I have a number of automated ‘bot’ accounts that use the Twitter API to post status updates, including @freelondon, @freenewyork, @reboundfinder, @twitexperiment and 17 accounts that I follow/unfollow automatically via the API.

Now, I don’t really need the full security benefits of OAuth, because I’m not authenticating third-party Twitter accounts – I’m just posting to MY accounts, so OAuth is a little over-the-top. I already know MY username/password, so passing them to the Twitter API is no big deal. But I have to switch to OAuth, because everyone has to.

OAuth is a pain-in-the-posterior because you have to ‘authenticate’ all of your accounts against registered ‘applications’. This means that I don’t just post my username/password to the API for my 17 accounts in order to follow/unfollow, but I have to set up a registered ‘app’ and go through the authentication process for each account. I don’t have the power to ask Twitter for an XAuth account, so this also entails a browser-based authentication process. For each account. And then updating the code to use the new credentials.

Anyway, I have a bunch of ‘apps’ that I need to validate my accounts against, so I built a very simple form that allows me to input the details (token/secret) of each registered app, and then authenticate each (logged in) user, to grab the new token/secret authentication details for each user/app combination. I can then use these in my updated code to make OAuth based requests to the API.

If you need to get OAuth tokens/secrets for users too, so that you can change from Basic to OAuth, you may find that my form saves you a little time – just input your app token/secret, and authenticate each user in turn. You’ll get the token/secret back for each user, that you can use instead of the un/pw to access the API via OAuth.

You can find the form here:


However, you may (and should) find the idea of handing over your app secret/token to a third-party site a little dodgy. So, I’ve also made the source available, so you can install the form on your own server:


Note that you’ll also need to download Abraham’s PHP Twitter OAuth library, and put it in an ./oauth/ directory in the same directory as the script.

What this form does is allows you to enter your app’s token/secret, and then authenticate the currently logged-in Twitter user, returning the token/secret for that particular user. You can then update your bot code so that it uses Abraham’s OAuth library with something like:

$connection->post(‘statuses/update’, array(‘status’ => ‘This is the new updated status text’));

As you can see, once you have the key/secret for both an app and each user, and you use Abraham’s library, it’s not that much more difficult than Basic Authentication – it’s just that you have to authenticate each of your users to get their token/secret, rather than using their un/pw.

On a final note, it’s worth mentioning the single access-token short-cut if your use-case involves a single Twitter account (thanks ffffelix for this).

Tags: , , , , , , , , ,

Leave a Reply