Twitter's OAuth Implementation

Published 6 September, 2010; last updated on 11 June, 2019; originally posted at blog.craiga.id.au.

Ryan Paul, writing for Ars Technia:

Aside from handling the consumer secret issue poorly, Twitter’s OAuth implementation has a number of bugs, defects, and inconsistencies that pose challenges for users and developers.

Third-party developers are finding that it is maddeningly difficult to debug client-side support for Twitter’s OAuth implementation because Twitter tends to spit out very generic 401 errors for practically every kind of authentication failure. It doesn’t provide enough specific feedback to make it possible for the developer to easily troubleshoot or isolate the cause when authentication is unsuccessful.

This is especially frustrating in situations where authentication is failing because of a bug or defect in Twitter’s implementation. For example, authentication will sometimes fail if the system clock on the end user’s computer is running slightly fast. This issue has to do with the timestamp that is embedded in the requests, but it’s not entirely obvious what causes it to occur.

The OAuth specification isn’t particularly complicated, but I found writing code to authenticate against Twitter beyond me. In the end, the OAuth PECL extension descended from heaven to save me, but I’ve still got no idea why it works where my own code didn’t.

It’s nice to know it wasn’t just me.

Some things I wrote

How to stop out-of-office replies to emails sent from Django

Published 8 April, 2024.

Testing your full Heroku stack

Published 7 July, 2021.

How to move fast without breaking things

HTMX & Django—bringing the new school to the old school

Published 17 May, 2021.

Transliteration—helping users get data from Word or Excel into legacy systems

Published 14 March, 2021.

Renaming master to main on GitHub and Heroku

Published 3 August, 2020.

Renaming example.com, Django's Default Site

Published 26 May, 2020.

A quick note to help others using Juniper, a Rust GraphQL library

Published 19 February, 2020.

Structured Data in 2020

Published 10 January, 2020.

Music in 2019

Published 30 December, 2019.

My favourite music of 2019.

Dark Mode in CSS

Published 16 October, 2019.

How to add dark mode to your web site.

Rough Trade Calendar

Published 1 August, 2019.

A thing I built to stay up-to-date with events at Rough Trade.

Reducing craiga.id.au's Carbon Footprint

Published 31 July, 2019.

Becoming a Greener Web Developer

Published 21 July, 2019.

Thoughts about the climate impact of my work, and what I can do about that impact.

Outsourcing Opinions

Published 21 March, 2019.

or: how I learned to stop worrying and love smart people

Handling Integrity Errors in Django Migrations

Published 4 March, 2019.

Short answer: don't 😉

Advice for attending your first open-source conference

Published 18 June, 2018.

Reflecting on DjangoCon Europe 2018

Published 29 May, 2018.

Personal highlights from my first open-source conference.

So, you're visiting Melbourne?

Published 8 February, 2018.

Craig's guide to his home town.

Those Years I Worked in an Ice Cream Shop

Published 22 June, 2011.

Back in the '90s, I was making waffle cones.

Weight Loss

Published 24 January, 2011.

Twitter's OAuth Implementation

Published 6 September, 2010.

unixtimesta.mp

Published 4 August, 2010.

Announcing my new project!

Courts, Places, and Culs-de-sac

Published 11 May, 2010.

Newer Australian suburbs seemed like a good idea, but are terrible in practice.

Determining a Parabola with a Vertex and Y-Intercept

Published 12 March, 2009.

Luminance

Published 27 October, 2008.

How to determine if text displayed on top of a colour should be black or white.

Some lists I made

Getting Craft Beer in London during COVID-19

Published 3 April, 2020.

A list of breweries with online shops which will deliver beer to me, a member of the public in East London.

Podcasts I like

Published 16 May, 2020.