Twitter & OAuth 101What’s this twit all about?

Andy Badera (@andrewbadera)andrew@badera.us

http://blog.badera.us/TVUG October 2009

Background

The Numbers

79.7M users as of October 4th (all inclusive; ~50M “official”)

$153M in funding as of end of September

28,000+ applications

30,000+ developers

$23M+ invested in third party app startups

Growth April 2008-2009

Via TechCrunch

APIs

REST API

Search API

Streaming API

REST API

api.twitter.com

Returns: XML, JSON, RSS, ATOM

Read timelines

Send tweets

Read/send Direct Messages

Search API

http://search.twitter.com/

Returns: JSON, ATOM

Trends

Terms (“from:andrewbadera”)

Geolocation (“near:albany within:5miles”)

New Stuff

Geolocation (improved)

Group Lists

Retweet API

Address Book

Apple Push

Search API cleanup

Fab Four

Platform Team?

Trademark Controversy

What’s safe to use?

Avoid “Twitter”

Avoid bird graphics

Avoid similar UI

Biz sez: “Use ‘tweet.’”

Goals

Register a new OAuth application

Retrieve timelines

Send Tweets

Send/Receive Direct Messages

Query Search API

.NET & Twitter

Expect-100 Continue (HttpWebRequest) Request.ServicePoint.Expect100Continue = false;

302 Redirects if ( response.StatusCode == HttpStatusCode.Redirect ) { this.Url = new Uri( uri, response.Headers["Location"] ).ToString(); this.CookieContainer.Add( response.Cookies ); }

64-bit IDs (ulong - Convert.ToUInt64(“”))

LinqToTwitter http://www.codeplex.com/LinqToTwitter

Tweetsharp http://code.google.com/p/tweetsharp/

DotNetOpenAuth http://dotnetopenauth.net:8000/

RateLimit

Ratelimit: 150 REST GETs/hour

X-RateLimitX-RateLimit-RemainingX-RateLimit

Whitelisted: 20000

Whitelisting

http://twitter.com/help/request_whitelisting

Turnaround time

In the beginning, HTTP Basic

HTTP Basic Authorization

Simple

Familiar

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Basic Auth Pulls a Fail Whale

Downsides of HTTP Basic Auth

Base64(byte[] “username:password”)

Giving credentials away to third parties

Password change

Trust

Rate limit by application IP

O-wot?

Secure API authorization

Blaine Cook (Twitter)

Chris Messina (Ma.gnolia)

Currently: OAuth 1.0A

OAuth.net

Shannon Whitley’s OAuthBase.cs

How OAuth Works

Shared secret

Nonce

Timestamp

OAuth & Twitter

Moves burden of ratelimit to user account

Read/write (typical)

Sign-in with Twitter

“Guns for cash” – one time auth

Timelines

That’s cool, but …

Real-time Search

User-Agent!

Common OAuth Gotchas

Technical

Parameter sorting

Parameter URL encoding

Server clock

Social

OAuth is not a panacea!

Use common sense!

OAuth Best Practice

“As with OpenID, OAuth is difficult to implement correctly and securely.  Pick a good, dependable library to take a dependency on instead.”

--Andrew ArnottDotNetOpenAuth Authorvia email

Q&A

Thanks for your time.

Any questions?

Drinks!

JJ Rafferty’s

Route 9

North of Latham Traffic Circle on right

Next to Price Chopper parking lot

Across from Red Robin

Bibliography

Alex Payne slideshare presentation: “Twitter API 2.0”, http://www.slideshare.net/al3x/twitter-api-20

Mashable: “Twitter’s Value: 5 Eye-popping Stats”, http://mashable.com/2009/10/04/twitter-stats/

Biz Stone blog entry: “May the Tweets Be With You” http://blog.twitter.com/2009/07/may-tweets-be-with-you.html

Resources

Twitter API docs http://apiwiki.twitter.com/

Twitter Dev list http://groups.google.com/group/twitter-development-talk

API blog http://apiblog.twitter.com/ (not well updated)

@andrewbadera (http://twitter.com/andrewbadera)

http://blog.badera.us/

andrew@badera.us