As some of you might know, on August 16th 2010 (it was June 30th at first, but they moved it because of the World cup), Twitter will be shutting down its basic authorization in favor of OAuth. Well Facebook also announced that they would be soon using OAuth. Google and Yahoo! use it too. Looks like it is a good time to learn it.
OAuth, contrary to what some might say is not that easy of a process. It involves a couple more steps than basic authorization. But what it gains from that is trust. The user never has to enter its username and password on your site. My problem with it is that I find that it breaks the user experience because it usually redirects the user’s browser to the website of which you want to use the API, so that the user can input its credentials and that they can allow your application to use data from the API. If you are not familiar with OAuth, here is a great beginner’s guide.
Here is a picture of all the steps involved in the process:
Now what I wanted to write about was the twitteroauth library for PHP by @abraham. I tried to try the other OAuth PHP library that is listed in the Twitter documentation but I couldn’t figure out anything; they talk about Two-Legged OAuth and Three-Legged OAuth, but I have never seen that anywhere. twitteroauth on the other hand is pretty simple to understand. By reading the documentation and starting with the example provided in the source code, I was able to implement what I wanted.
Now I wasn’t the one who created the application on Twitter (which you have to do before you get started with code), so there was a couple of settings that weren’t right at first. You can set if you want your application to be Read-only or Read & Write. Obviously if you want to send Tweets using your application, you will need it to be set to Read & Write. Also in order to use this library you must set your application as a Browser application (as opposed to Client which will not work). I just thought it would be good to list those here so that others (and I) don’t spend the half hour I lost trying to figure this out.
Here is another really interesting tidbit: once you create an authorization token, Twitter will never destroy it. This is not the same for all APIs (I know Yahoo! will expire the token after some time). So once you lead the user through all of the OAuth steps, you can keep the token and use it forever so that the user don’t have to go through the steps again, which is very useful for mobile and desktop apps. It also opens up possibilities for other stuff too, which I will show you eventually, if my current project ever finishes.
Well that is is for now, there will be more on OAuth soon as my next project also connect to another API that uses OAuth.