QueTwo's Blog

thouoghts on telecommunications, programming, education and technology

Monthly Archives: July 2010

OAuth and Flex/AIR — Making Twitter work again.

Quite a while ago I posted an entry on how to make a quick Twitter Client.  Over the past few months, Twitter decided that basic authentication was no longer the best way to go, and they needed some way to help users protec their accounts.  Their solution is the OAuth protocol, which is now required for any functions that require authentication. 

I never really paid attention to this new authentication scheme until I went to create my VW “App My Ride” app that interacted with Twitter.  That app made me re-engineer my APIs and classes to meet the new authentication scheme.

What does this mean for the Flex or AIR developer?  Well, it means that you now have to incorporate the OAuth mechanism into your app, and if you were planning on using Twitter in a way that removed it from a web-browser completely — well, you rethink your authentication schemes.  Like so many of the authentication schemes that I have to deal with on a daily basis like Shibbloth, the authentication method forces you to open a trusted website to give your credentials to, which then pass back some sort of token to the application you are using.  This means the application must be well known to the authenticator, and it no longer directly holds the login and password information (but rather a revokble key). 

So, where does that leave you?  First, you have to head over to the OAuth enabled service that you wish to authenticate to, and register your application.  For example, for twitter, you will want to login to twitter, and head to http://dev.twitter.com.  There is a link to “Register your application”.  Once you have your two magic tokens (called the “Consumer Secret” and “Consumer Key”), you are ready to go.

From here you have two choices — you can either implement your own OAuth module yourself, or you can grab Dan Petitt’s (@coderanger) library and get a leg up.  His blog post where he introduces the module is available here : http://www.coderanger.com/blog/?p=59

In my case, I first imported the OAuth source code as downloaded from the blog above.  They should end up in the /src/com/coderanger folder (giving a package of com.coderanger).  Next, we will want to instantiate the OAuthManager class, passing in our Consumer Key and Consumer Secret that we got from Twitter.  You would do this like:

var oauth:OAuthManager = new OAuthManager();
oauth.usePinWorkflow = true;
oauth.oauthDomain = "twitter.com";
oauth.consumerKey = "insert your consumer key here";
oauth.consumerSecret = "insert your consumer secret here";

After the OAuth component returns, it will be populated with a few key pieces of data, and will fire the “OAuthEvent.ON_ACCESS_TOKEN_RECEIVED” event.  With this, you will get the AccessToken and the AccessTokenSecret, which, when combined with the PIN (this is not sent back, but will be supplied by the end-user), will allow authentication.  In order to call your OAuth enabled site, you will need the following bits of information for each call:

  • The OAuth Domain
  • The Consumer Key (Specific to your app)
  • The Consumer Secret (Specific to your app)
  • The PIN (Provided by User, after they get the OAuth website from the requestToken() call)
  • The Access Token (Returned by a successful RequestToken() call, and is specific to the user, and their PIN)
  • The Access Token Secret (Returned by a successful RequestToken() call, and is specific to the user and their PIN)

You will need to populate the OAuthManager instance with each of the above for it to work.  To actually make an authenticated call to Twitter at this point, you need to build an HTTP request that contains the above information encrypted. My code looks like this (the HTTP request will come back and return the data as XML) :

http = new HTTPService();
http.useProxy = false;
http.contentType = "application/x-www-form-urlencoded";
http.addEventListener(FaultEvent.FAULT, gotTwitterFail);
http.addEventListener(ResultEvent.RESULT, gotTwitterResult);
var postData:String = oauth.getSignedURI("GET", "http://api.twitter.com/1/statuses/home_timeline.xml");

http.url = "http://api.twitter.com/1/statuses/home_timeline.xml";
http.method = "GET";
http.send( new QueryString(postData).toPostObject() );

It is really not too hard, but it is different. I’ve also been able to authenticate to additional services since writting this particular Twitter app, such as some of the MSN and WordPress services.