为什么我的Twitter OAuth访问令牌无效/已过期 [英] Why is my twitter oauth access token invalid / expired
问题描述
我正在使用Twitter将用户登录到一个网站,在我尝试获取有效的访问令牌之前,它似乎一直在工作.
I am using Twitter to log users into to a website, which seems to be working up until I attempt to obtain a valid Access Token.
require("twitteroauth.php");
require 'twconfig.php';
session_start();
$twitteroauth = new TwitterOAuth(YOUR_CONSUMER_KEY, YOUR_CONSUMER_SECRET);
$request_token = $twitteroauth->getRequestToken('http://****/tw_response.php');
$oauth_token = $request_token['oauth_token'];
$_SESSION['oauth_token'] = $oauth_token;
$oauth_token_secret = $request_token['oauth_token_secret'];
$_SESSION['oauth_token_secret'] = $oauth_token_secret;
if ($twitteroauth->http_code == 200) {
url = $twitteroauth->getAuthorizeURL($request_token['oauth_token']);
header('Location: '.$url);
} else {
die('Something wrong happened.');
}
这似乎工作正常,将我重定向到Twitter以登录并确认访问权限,然后将我返回到tw_response.php(我的回调URL),并在URL中包含以下变量:
This seems to be working correctly, redirecting me to twitter to sign in and confirm access, after which it returns me to tw_response.php (my Callback url), with the following variables in the url:
http://example.com/login.php?oauth_token=sO3X...yj0k&oauth_verifier=Ip6T...gALQ
然后在tw_response.php中,我尝试获取访问令牌,但报告为无效.我尝试使用var_dump来查看访问令牌的内容,如下所示:
In tw_response.php I then try to get the Access Token, but it reports as invalid. I tried using var_dump to view the content of the access token as follows:
require("twitteroauth.php");
require 'twconfig.php';
session_start();
$oauth_verifier = $_REQUEST['oauth_verifier'];
$oauth_token = $_SESSION['oauth_token'];
$oauth_token_secret = $_SESSION['oauth_token_secret'];
$twitteroauth = new TwitterOAuth(YOUR_CONSUMER_KEY, YOUR_CONSUMER_SECRET, $oauth_token, $oauth_token_secret);
$access_token = $twitteroauth->getAccessToken($data['oauth_verifier']);
var_dump($access_token);
var_dump的结果以无效/过期的令牌"结尾:
The result of the var_dump ends in "invalid / expired Token":
array(8) {
["oauth_url"] => string(104) ""1.0" encoding="UTF-8"?>/oauth/access_token?oauth_consumer_key=ceE...9Dg"
["oauth_nonce"]=> string(32) "c52...d07"
["oauth_signature"]=> string(28) "ry7...Fcc="
["oauth_signature_method"]=> string(9) "HMAC-SHA1"
["oauth_timestamp"]=> string(10) "1359031586"
["oauth_token"]=> string(40) "sO3...j0k"
["oauth_verifier"]=> string(43) "Ip6...ALQ"
["oauth_version"]=> string(63) "1.0 Invalid / expired Token "
}
推荐答案
$access_token = $twitteroauth->getAccessToken($data['oauth_verifier']);
var_dump($access_token);
$data是从哪里来的?您具有变量$oauth_verifier,但是请记住,如果这是您注册的回调URL,则不需要此变量.
Where did $data magically come from? You have the variable $oauth_verifier, but keep in mind you don't need this if this is your registered callback URL.
由于您在getAccessToken中使用了无效变量,因此它将返回一个无效值.
Since you used an invalid variable inside getAccessToken, it will return an invalid value back.
使用TwitterOAuth的正确方法:
The correct way to use TwitterOAuth:
if (!isset($_GET["oauth_token"])) {
// set these values in a config file somewhere.
$twitter = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET);
// append a ?. This is your callback URL if you specify something.
$credentials = $twitter->getRequestToken("http://example.com/test.php?");
// try and be a bit more elegant with the URL... This is a minimal example
$url = $twitter->getAuthorizeUrl($credentials);
echo $url;
// these are temporary tokens that must be used to fetch the new,
// permanent access tokens. store these in some way,
// session is a decent choice.
$_SESSION["token"] = $credentials["oauth_token"];
$_SESSION["secret"] = $credentials["oauth_token_secret"];
} else {
// use the user's previously stored temporary credentials here
$twitter = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET,
$_SESSION["token"], $_SESSION["secret"]);
// uses the oauth_token (from the request) already.
// you store these credentials in your database (see below).
$credentials = $twitter->getAccessToken($_GET["oauth_verifier"]);
// just a printout of credentials. store these, don't display them.
echo "<pre>";
var_dump($credentials);
// valid credentials, provided you give the app access to them.
echo "</pre>";
}
我只使用单个脚本进行回调,以简化使用;您可以根据需要将相关部分分成多个脚本(并且您可能应该这样做).
I just use a single script for callbacks for ease of use; you can split the relevant sections into multiple scripts if you like (and you probably should).
对于您的数据库,凭据也很方便地包括twitter用户的用户名.
编辑: Twitter现在正在为用户ID分配64位整数 .您应该将其存储为字符串,以确保如果不能在应用程序的每个部分中处理64位整数,都不会导致用户ID和冲突冲突.
Handily for your database, the credentials include the twitter user's username, too.
Edit: Twitter is now allocating 64bit integers for user IDs. You should store this as a string to ensure that you don't end up with mangled user IDs and collisions if you can't handle 64bit integers in every part of your application.
array(4) {
["oauth_token"]=>
string(50) "7041...wYupkS"
["oauth_token_secret"]=>
string(42) "O9ENq...21B2fk"
["user_id"]=> // user ID. always the same, never changes (store this as ID)
string(9) "..."
["screen_name"]=> // username. can change.
string(11) "..."
}
因此,如果您想通过Twitter登录用户,而无需明确授予他们登录站点的权限,则可以使用$_SESSION(我使用数据库进行登录,如果要保存该状态,建议使用此数据库)
在上面的脚本中,您可以将其添加到else块的末尾:
So, if you want to log users in through twitter, without explicitly giving them a login to your site, you could use $_SESSION (I use databases for my logins, which is recommended if you want to save that state)
In the above script you would add this to the end of the else block:
$_SESSION["token"] = $credentials["oauth_token"];
$_SESSION["secret"] = $credentials["oauth_secret"];
$_SESSION["username"] = $credentials["screen_name"];
您还可以从 GET account/verify_credentials 获取用户的屏幕名称以及更多信息,如果您想给他们一个用户页面(如果您使用javascript,请通过id_str在此处获取他们的用户名):
You can also get the user's screen name and more from GET account/verify_credentials, if you want to give them a user page (if you use javascript, grab their userid through id_str here):
$user_array = $twitter->get("account/verify_credentials");
这篇关于为什么我的Twitter OAuth访问令牌无效/已过期的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
