Twitter Reverse Auth Headaches

by Kwasi Mensah

February 16th, 2013

tl;dr Here’s a script that shows how to generate a Twitter reverse auth request token in Ruby. If you’re not a coder this post might not be very interesting…

Last week we added the ability for players to sign in to our game using Twitter. This took a lot longer than I thought it would. A lot of the headache was figuring out how to generate the request token (step 1 in this Twitter API document). It turns out you can’t do this from an iPhone without including a lot more code and shipping the app with some pretty sensitive information[1][2].

So I added functionality to our Ruby on Rails server to generate it for us and return it to the app. Below is a quick Ruby script I put together to help test reverse auth token generation that you can run locally (it assumes you have the oauth gem installed). Hope this helps!

Test Script

require 'oauth'

# Example Usage:
# Assuming this script is saved to 'reverse_auth_token.rb':
#   ruby reverse_auth_token.rb CONSUMER_KEY CONSUMER_SECRET
#
# Used solely for testing. Be careful entering sensitive information into your shell.

consumer_key = ARGV[0]
consumer_secret = ARGV[1]
abort("usage: ruby reverse_auth_token.rb CONSUMER_KEY CONSUMER_SECRET") unless consumer_key && consumer_secret

consumer = OAuth::Consumer.new(consumer_key, consumer_secret,
                      :site => "https://api.twitter.com",
                      :scheme => :header,
                      :http_method => :post,
                      :request_token_path => "/oauth/request_token",
                      :access_token_path => "/oauth/access_token",
                      :authorize_path => "/oauth/authorize")

reverse_auth_token = ""
# The second argument is sent as the POST body; x_auth_mode=reverse_auth is what
# turns an ordinary request token call into a reverse auth one.
request_token = consumer.get_request_token({},
                        {"x_auth_mode" => "reverse_auth"}) do |response|
  # The block receives the raw response body, which is the reverse auth token itself.
  reverse_auth_token = response

  # Return an empty hash: OAuth::RequestToken.from_hash expects a hash with
  # oauth_token/oauth_token_secret keys, but Twitter's reverse auth response
  # isn't formatted like that and would raise an error otherwise.
  {}
end

puts "\nReverse Auth Token:"
puts reverse_auth_token


Note 1: Using TWRequest or SLRequest will always sign your request with the consumer key and consumer secret of the iOS Twitter app. There’s no (documented) way to get those classes to use your app’s consumer key and secret. There is an official Twitter example project to show how you can add this functionality but it means including a lot more code and shipping your consumer secret in your app (which could be a security issue).

Note 2: Player credentials aren’t needed to make this request token, which makes it really tempting to pregenerate it and store it in your app’s configuration. But even though we’re supposed to treat the token as an opaque string, it includes a timestamp, and Twitter requests time out if there’s too much of a time skew between when they’re generated and when Twitter handles them. Again, since this is supposed to be an opaque string, I’m not sure if the timestamp is actually used, but we generate it every time just to be safe.
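Since the token carries an oauth_timestamp, a server that hands these out can at least refuse to reuse a stale one. The following is an added example, not code from the original post: it assumes the step 1 response is the OAuth-Authorization-header-shaped string Twitter documents for reverse auth, the sample token values are constructed, and the 120-second window is an assumption rather than a figure from Twitter.

```ruby
# Constructed sample of what step 1 of reverse auth returns: a string shaped
# like an OAuth Authorization header. All values below are made up.
SAMPLE_REVERSE_AUTH_TOKEN =
  'OAuth oauth_nonce="ab12cd34", oauth_signature_method="HMAC-SHA1", ' \
  'oauth_timestamp="1361000000", oauth_consumer_key="EXAMPLE_CONSUMER_KEY", ' \
  'oauth_signature="abc%2Fdef%3D", oauth_version="1.0", x_auth_mode="reverse_auth"'

# Split the header-shaped token into a Hash of parameter => value.
# The signature is left alone: we only read the parameters, never recompute them.
def parse_reverse_auth_token(token)
  raise ArgumentError, "not an OAuth header string" unless token.start_with?("OAuth ")
  token.sub(/\AOAuth\s+/, "").split(/,\s*/).each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2)
    params[key] = value.to_s.delete('"')
  end
end

# Age of the token in seconds relative to +now+ (defaults to the wall clock).
def reverse_auth_token_age(token, now = Time.now)
  params = parse_reverse_auth_token(token)
  now.to_i - Integer(params.fetch("oauth_timestamp"))
end

# True when the token is young enough to hand to a client. A negative age
# (timestamp in the future, i.e. clock skew) is treated as stale as well.
# max_age_seconds is an assumed conservative window, not a Twitter-documented value.
def reverse_auth_token_fresh?(token, now = Time.now, max_age_seconds = 120)
  reverse_auth_token_age(token, now).between?(0, max_age_seconds)
end

if __FILE__ == $PROGRAM_NAME
  params = parse_reverse_auth_token(SAMPLE_REVERSE_AUTH_TOKEN)
  puts "x_auth_mode: #{params['x_auth_mode']}"
  puts "issued at:   #{Time.at(Integer(params['oauth_timestamp'])).utc}"
  puts "fresh now?   #{reverse_auth_token_fresh?(SAMPLE_REVERSE_AUTH_TOKEN)}"
end
```

Run against the constructed sample the freshness check reports false, since that timestamp is years old; wire the real step 1 body in and a cached token past the window is regenerated instead of being sent to the app.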
