Kantter v0.2 – now with OAuth

This entry was posted Wednesday, 10 June, 2009 at 12:18 am

After a bit of playing around, I finally managed to get OAuth authorization working and integrated with Kantter. The fruits of my labour can be seen below with my very first Twitter status update using Kantter.

[Image: kantter v0.2]

I was too lazy to actually read the documentation about how OAuth works, but I found a decent Python OAuth implementation, complete with an understandable example of a Twitter client. From just looking at the code, this is how I've interpreted that OAuth works:

  1. A Service Provider (Twitter) issues a Consumer (Kantter) with the consumer’s key/secret pair
  2. The Consumer (Kantter) uses the consumer’s key/secret pair to sign a request
  3. The Consumer (Kantter) then sends this signed request to the Service Provider (Twitter) to request approval to do stuff on behalf of the User (Me)
  4. The Service Provider (Twitter) then sends back a key/secret pair to be associated with a User (Me)
  5. The Consumer (Kantter) prompts the User (Me) to approve the request with the Service Provider (Twitter), using the user's key as a reference for the request
  6. The User (Me) approves the request with the Service Provider (Twitter) – i.e. logs into Twitter, supplies the user key, and approves the request
  7. All further requests from the Consumer (Kantter) to the Service Provider (Twitter) are signed by both the consumer's key/secret pair and the user's key/secret pair

Therefore the Service Provider (Twitter) trusts the Consumer (Kantter) based on the consumer key/secret pair. Based on this trust, the Service Provider (Twitter) issues a key/secret pair to the Consumer (Kantter) to be approved for use by the User (Me) – the user's key/secret pair is associated with both the Consumer (Kantter) and the User (Me). Finally, once the User (Me) has given approval to the Service Provider (Twitter) for the use of the user key, any request that is signed using both the consumer's key/secret pair and the user's pair is considered a valid request from the Consumer (Kantter) on behalf of the User (Me).
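As an added illustration (not code from Kantter or from the OAuth library mentioned above), here is the HMAC-SHA1 signing from steps 2 and 7 together with the check the Service Provider runs on its side; the keys, nonce and URL are constructed values, and the base-string and encoding rules follow RFC 5849 (OAuth 1.0).

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

def pct(value):
    """RFC 5849 percent-encoding: everything except unreserved chars is escaped."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded, sorted params."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed by BOTH secrets joined with '&'.
    token_secret is empty for the very first request (step 3), when no user
    pair exists yet; afterwards (step 7) both secrets go into the key."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_params(method, url, params, consumer_key, consumer_secret,
                  token="", token_secret="", nonce=None, timestamp=None):
    """Consumer side: add the oauth_* protocol params and the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    full = {**params, **oauth}
    full["oauth_signature"] = sign(method, url, full, consumer_secret, token_secret)
    return full

def verify(method, url, received, consumer_secret, token_secret=""):
    """Service-provider side: recompute with the secrets on file and compare in
    constant time. A request signed with another user's token secret, or with a
    tampered parameter, fails here (a real provider also rejects reused nonces
    and stale timestamps)."""
    presented = received.get("oauth_signature", "")
    unsigned = {k: v for k, v in received.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)
```

Because the token secret is part of the HMAC key, the secrets themselves never travel with the request; only the signature does, which is why a leaked config file holding both pairs is enough to act as the user.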

So as long as Kantter knows my key/secret pair, I can interact with Twitter without ever having to supply my credentials (or until I revoke the key/secret pair).

Unfortunately this may have some security implications if the key/secret pair is stored in a config file that is readable by other people. It also means that using Kantter for multiple Twitter accounts won't be as simple as supplying a different username/password when the application starts.

Things to consider later. For now I'm just happy that OAuth is working.

1 Comment to Kantter v0.2 – now with OAuth

  1. Jonathan says:

    June 10th, 2009 at 10:11 am

    Impressive!
