Twitter's OAuth Implementation

Published 6 September, 2010; last updated on 11 June, 2019; originally posted at

Ryan Paul, writing for Ars Technia:

Aside from handling the consumer secret issue poorly, Twitter’s OAuth implementation has a number of bugs, defects, and inconsistencies that pose challenges for users and developers.

Third-party developers are finding that it is maddeningly difficult to debug client-side support for Twitter’s OAuth implementation because Twitter tends to spit out very generic 401 errors for practically every kind of authentication failure. It doesn’t provide enough specific feedback to make it possible for the developer to easily troubleshoot or isolate the cause when authentication is unsuccessful.

This is especially frustrating in situations where authentication is failing because of a bug or defect in Twitter’s implementation. For example, authentication will sometimes fail if the system clock on the end user’s computer is running slightly fast. This issue has to do with the timestamp that is embedded in the requests, but it’s not entirely obvious what causes it to occur.

The OAuth specification isn’t particularly complicated, but I found writing code to authenticate against Twitter beyond me. In the end, the OAuth PECL extension descended from heaven to save me, but I’ve still got no idea why it works where my own code didn’t.

It’s nice to know it wasn’t just me.