According to apiwiki.twitter.com: "Basic authentication removal is going to occur on August 16, 2010" and their OAuth API will be the new method of authentication.

I'm new to the Twitter API and I'm very unclear as to what this applies to. I'm trying to create a simple app to post to Twitter via an HTML form - do I have to use the OAuth system? Or is the OAuth system just for apps (as implied by http://dev.twitter.com/)?

If I have to use it, then why the lack of official libraries and code samples from Twitter (for PHP all I see are links to inactive open source projects)?

Does this mean that any twitter app/widget that isn't updated by August 16th will cease to work?

What is wrong with authenticating via HTTPS and POST requests?

+1  A: 

Yes, you will need to use OAuth if you are posting anything to Twitter through the API. There are some examples on the web, but Twitter rarely posts official libraries of code.

You are also correct in thinking that apps/widgets that authenticate will probably stop working after August 16th.

The reasoning against using basic auth is that you give your username and password to too many third-party applications. In theory, those applications could then store your username and password, and later use that information to log in to Twitter without your authorization. OAuth means Twitter can track the applications directly after you give permission to the application, and you can disable an application from the Twitter account management pages.

Robert Diana
+1  A: 

> I'm trying to create a simple app to post to Twitter via an HTML form - do I have to use the OAuth system? Or is the OAuth system just for apps (as implied by http://dev.twitter.com/)? [...] What is wrong with authenticating via HTTPS and POST requests?

It means that if you're using basic authentication, it will cease to work on that date. Basic authentication is part of the HTTP protocol and entails sending a username and password to the server in the HTTP headers on every request. This is not desirable; with OAuth you do not have to pass third parties your username and password, i.e., the application you're developing never knows the user's actual username and password.

I see you're contemplating authenticating to Twitter with the means reserved for browsers/users. You should not do that. It:

  • Requires more work.
  • Is not officially supported and consequently can stop working at any time.
  • May be against the terms of use (I haven't checked).

I'm sorry, but you'll have to dedicate some time to learn OAuth authentication. There are several libraries for this.

Artefacto
I suppose I must bite the bullet and learn it so. Demos of apps I have seen all have this "Sign into twitter" process, but my app is trying to allow users logged into our site to update the twitter status of one account (see here: http://091labs.com/). Do you know if this is possible with OAuth?
waitinforatrain
@wait Sure, but at some point the users will have to be forwarded to Twitter's OAuth authentication page (and then forwarded back to the site).
Artefacto
A: 

If your app is simply updating a single account on Twitter, you'll only need to do the request_token/authorization steps once for that account, and save the access token/secret to authenticate against the Twitter API.

It's worth implementing the request/authorize step in your app though, as it's possible that access tokens will need to be refreshed in the future, and building it into the admin side of your app could be useful.

In the end though, just imagine that the access token/secret is your new username/password for twitter API access, and that you have to also "sign" your requests using your application's consumer key/secret.

Brandon C
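
What "signing" a request with the consumer and token secrets looks like, as an added Python sketch of OAuth 1.0 HMAC-SHA1 signing plus the server-side check (not code from the original answer or from any library named on this page). The endpoint URL, keys, secrets, nonce and timestamp are constructed placeholders, and the URL is assumed to be already normalized with no query string.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: everything except A-Z a-z 0-9 - . _ ~ is escaped.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # METHOD & encoded URL & encoded, sorted "k=v" list. Assumes url is already
    # normalized (lowercase host, no default port) and carries no query string.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # The HMAC key is built from both secrets; neither is ever sent in the request.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret):
    # Server side: recompute with its stored secrets, compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def authorization_header(oauth_params, signature):
    fields = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))

# Constructed sample values (placeholders, not real credentials or a real endpoint).
URL = "https://api.example.com/statuses/update.json"
CONSUMER_SECRET, TOKEN_SECRET = "constructed-consumer-secret", "constructed-token-secret"
OAUTH = {"oauth_consumer_key": "constructed-consumer-key",
         "oauth_token": "constructed-access-token",
         "oauth_nonce": "constructed-nonce-1", "oauth_timestamp": "1281916800",
         "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}

def demo(status="Hello from our site"):
    params = {**OAUTH, "status": status}
    sig = sign("POST", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    tampered = {**params, "status": "Edited in transit"}
    return {"header": authorization_header(OAUTH, sig),
            "accepted": verify("POST", URL, params, sig, CONSUMER_SECRET, TOKEN_SECRET),
            "tampered_accepted": verify("POST", URL, tampered, sig, CONSUMER_SECRET, TOKEN_SECRET)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sketch leaves out the server's nonce and timestamp replay check, which OAuth 1.0 servers perform in addition to verifying the signature.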
+1  A: 

There is a very useful OAuth library for PHP (oauth.googlecode.com/svn/code/php/) which takes care of the complicated stuff. Also have a look at code.42dh.com/oauth/ for simple examples on how to use OAuth. It helped me far more than dev.twitter.com which is nice for reference but lacks examples (for now).

I used OAuth.php (among others) to create http://twitter2rss.com/ in just about 2 evenings.

ilmart