QueTwo's Blog

thoughts on telecommunications, programming, education and technology

OAuth and Flex/AIR — Making Twitter work again.

Quite a while ago I posted an entry on how to make a quick Twitter client.  Over the past few months, Twitter decided that basic authentication was no longer the best way to go, and that they needed some way to help users protect their accounts.  Their solution is the OAuth protocol, which is now required for any functions that require authentication.

I never really paid attention to this new authentication scheme until I went to create my VW “App My Ride” app that interacted with Twitter.  That app made me re-engineer my APIs and classes to meet the new authentication scheme.

What does this mean for the Flex or AIR developer?  Well, it means that you now have to incorporate the OAuth mechanism into your app, and if you were planning on using Twitter in a way that removed it from a web browser completely, you will have to rethink your authentication scheme.  Like so many of the authentication schemes that I deal with on a daily basis, such as Shibboleth, OAuth forces you to open a trusted website to give your credentials to, which then passes back some sort of token to the application you are using.  This means the application must be well known to the authenticator, and it no longer directly holds the login and password information (but rather a revocable key).

So, where does that leave you?  First, you have to head over to the OAuth-enabled service that you wish to authenticate to, and register your application.  For example, for Twitter, you will want to log in to Twitter and head to http://dev.twitter.com.  There is a link to “Register your application”.  Once you have your two magic tokens (called the “Consumer Secret” and “Consumer Key”), you are ready to go.

From here you have two choices — you can either implement your own OAuth module yourself, or you can grab Dan Petitt’s (@coderanger) library and get a leg up.  His blog post where he introduces the module is available here : http://www.coderanger.com/blog/?p=59

In my case, I first imported the OAuth source code as downloaded from the blog above.  The files should end up in the /src/com/coderanger folder (giving a package of com.coderanger).  Next, we will want to instantiate the OAuthManager class and give it the Consumer Key and Consumer Secret that we got from Twitter.  You would do this like:

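import com.coderanger.OAuthManager;

var oauth:OAuthManager = new OAuthManager();
oauth.usePinWorkflow = true;    // desktop flow: the user reads a PIN off the Twitter page and types it in
oauth.oauthDomain = "twitter.com";
oauth.consumerKey = "insert your consumer key here";
oauth.consumerSecret = "insert your consumer secret here";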

After the OAuth component returns, it will be populated with a few key pieces of data, and will fire the “OAuthEvent.ON_ACCESS_TOKEN_RECEIVED” event.  With this, you will get the AccessToken and the AccessTokenSecret, which, when combined with the PIN (this is not sent back, but will be supplied by the end-user), will allow authentication.  In order to call your OAuth enabled site, you will need the following bits of information for each call:

  • The OAuth Domain
  • The Consumer Key (Specific to your app)
  • The Consumer Secret (Specific to your app)
  • The PIN (Provided by User, after they get the OAuth website from the requestToken() call)
  • The Access Token (Returned by a successful RequestToken() call, and is specific to the user, and their PIN)
  • The Access Token Secret (Returned by a successful RequestToken() call, and is specific to the user and their PIN)

You will need to populate the OAuthManager instance with each of the above for it to work.  To actually make an authenticated call to Twitter at this point, you need to build an HTTP request that is signed using the above information. My code looks like this (the HTTP request will come back and return the data as XML):

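import mx.rpc.events.FaultEvent;
import mx.rpc.events.ResultEvent;
import mx.rpc.http.HTTPService;

// http is an HTTPService variable declared elsewhere in the component
http = new HTTPService();
http.useProxy = false;
http.contentType = "application/x-www-form-urlencoded";
http.addEventListener(FaultEvent.FAULT, gotTwitterFail);
http.addEventListener(ResultEvent.RESULT, gotTwitterResult);

// Returns the request parameters, including the OAuth signature, as a query string
var postData:String = oauth.getSignedURI("GET", "http://api.twitter.com/1/statuses/home_timeline.xml");

// The URL and method must match what was passed to getSignedURI(), or the signature will not validate
http.url = "http://api.twitter.com/1/statuses/home_timeline.xml";
http.method = "GET";
http.send( new QueryString(postData).toPostObject() );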

It is really not too hard, but it is different. I’ve also been able to authenticate to additional services since writing this particular Twitter app, such as some of the MSN and WordPress services.


5 responses to “OAuth and Flex/AIR — Making Twitter work again.”

  1. Tam October 9, 2010 at 9:48 pm

    Thanks for the post. I tried something similar but I got a Security Error:

    Security ERROR: [SecurityErrorEvent type=”securityError” bubbles=false cancelable=false eventPhase=2 text=”Error #2048: Security sandbox violation: http://localhost:3000/bin/….”]

    Have you faced that error? If so, how did you resolve it?

    • quetwo November 4, 2010 at 2:29 pm


      Without an audit of the code, I can’t say exactly what is going on. The Security Sandbox Violation error sounds like you are trying to connect to a web service or RESTful that is outside your domain (which sounds right for connecting to the Twitter application), but it doesn’t explicitly allow it via a crossdomain.xml document located in the document root. Are you trying to use the Twitter example, or are you trying to connect to another service?

  2. Mish January 16, 2011 at 2:28 am

    I think the new OAuth implementation is a total pain in the ass, especially for desktop clients…. Why did Google make it more seamless, without sending the user to the website to log in and copy some number? What kinda user experience are we talking here?

  3. Vivian January 19, 2011 at 9:10 am

    To simply read the user timeline on Twitter, do I need to use OAuth? I saw some simple examples building a search Twitter app on Flex 4 so easily.

    • quetwo January 20, 2011 at 7:53 am

      If you want to interact with a particular person’s timeline (read your friend’s timeline, read DMs, post messages, etc.), you will need to use OAuth. If you want to view 1 person’s timeline (for example, http://twitter.com/quetwo) or search, you do not need to authenticate. Searching is one of the easier functions, and does not require all this overhead.
