The OAuth protocol became one of the dominant ways to perform authorization in the growing number of web applications and services. The final draft of v1.0 was released in 2007. In 2009, v1.0a was published to fix a security flaw known as session fixation.
In October 2012, OAuth 2.0 was released. It is not backward compatible with OAuth 1.0a. OAuth 2.0 received a lot of criticism, even though some of the major providers (such as Google or Facebook) already support it. Furthermore, the new protocol specification leaves many points open to the implementer, which makes it hard to apply a generic approach to it.
In this recipe, we will cover the OAuth 1.0a protocol and how it can be used to authorize your access to the Twitter API.
The scenario that we will try to achieve is a standalone application that reads tweets on a user's behalf.
The script below uses the oauth-signpost library (http://code.google.com/p/oauth-signpost/), which offers lightweight support for the OAuth 1.0a protocol:

```groovy
@Grab('oauth.signpost:signpost-core:1.2.1.2')
import oauth.signpost.basic.DefaultOAuthConsumer
import oauth.signpost.basic.DefaultOAuthProvider
import oauth.signpost.OAuth

// Consumer key and consumer secret issued by Twitter for your application
def consumer = new DefaultOAuthConsumer('...', '...')
def provider = new DefaultOAuthProvider(
    'http://twitter.com/oauth/request_token',
    'http://twitter.com/oauth/access_token',
    'http://twitter.com/oauth/authorize')

// Out-of-band flow: the user authorizes in the browser and is shown a PIN code
String authUrl = provider.retrieveRequestToken(consumer, OAuth.OUT_OF_BAND)
println "Open this URL in the browser: ${authUrl}"
print 'Authorize application and enter pin code: '
def pinCode = null
System.in.withReader {
    pinCode = it.readLine()
    println()
}

// Exchange the authorized request token (plus PIN) for an access token
provider.retrieveAccessToken(consumer, pinCode)
println "Access token: ${consumer.token}"
println "Token secret: ${consumer.tokenSecret}"
```
Now, we are ready to send authorized requests to twitter through our script:
To do so, we use the RESTClient class, which is part of the HTTPBuilder library:

```groovy
@Grapes([
    @Grab(group='org.codehaus.groovy.modules.http-builder', module='http-builder', version='0.6'),
    @Grab('oauth.signpost:signpost-commonshttp4:1.2.1.2'),
    @Grab('oauth.signpost:signpost-core:1.2.1.2')
])
import groovyx.net.http.RESTClient

// Consumer credentials of the application and the access token obtained above
def consumerKey = '...'
def consumerSecret = '...'
def accessToken = '...'
def tokenSecret = '...'
```
For obvious reasons, you need to add your own values.
Create a RESTClient instance:

```groovy
def url = 'https://api.twitter.com/1.1/statuses/'
def twitter = new RESTClient(url)
```
Set the OAuth details in the following way:

```groovy
twitter.auth.oauth(consumerKey, consumerSecret, accessToken, tokenSecret)

// Every request sent through this client is now signed with OAuth headers
println twitter.get(path : 'mentions_timeline.json').data
```
Under the hood, HTTPBuilder uses the oauth-signpost library to sign HTTP requests with OAuth-specific headers. This makes it possible to access the public APIs on behalf of a user. It is important to understand that, for each new application (consumer) and for each different Twitter user, you need a separate set of keys, tokens, and secrets. If your script needs to access a different user's data on their behalf, then you need to generate a new access token and token secret, which requires the active involvement of that user.