如何从 Web 应用程序访问仅授权 Twitter API 方法 [英] How can I access auth-only Twitter API methods from a web application

问题描述

我有一个适用于 iPhone 的网络应用程序，它最终将在 PhoneGap 应用程序中运行 - 但现在我在 Safari 中运行它.

I have a web application for iPhone, which will ultimately run within a PhoneGap application - but for now I'm running it in Safari.

应用程序需要访问来自 Twitter 好友的推文，包括私人推文.所以我使用 Scribe 库实现了 OAuth.我成功地将用户退回到 Twitter，让他们进行身份验证，然后退回.

The application needs to access tweets from Twitter friends, including private tweets. So I've implemented OAuth using the Scribe library. I successfully bounce users to Twitter, have them authenticate, then bounce back.

此时，Web 应用程序具有 oAuth 凭据(密钥和令牌)，并保留在本地.从这里开始，我希望它使用 Twitter statuses/user_timeline.json 方法来获取特定用户的推文.我有使用 JSONP 请求的应用程序成功地使用不受保护的推文执行此操作；当它访问私人 Twitter 提要的时间线时，应用中会出现一个 HTTP 基本身份验证对话框.

At this point the web app has oAuth credentials (key and token) which it persists locally. From here on I'd like it to user the Twitter statuses/user_timeline.json method to grab tweets for a particular user. I have the application using JSONP requests to do this with unprotected tweets successfully; when it accesses the timeline of a private Twitter feed, an HTTP basic authentication dialog appears in the app.

我相信我需要向 Twitter 提供 OAuth 凭据，以便我的 Web 应用程序可以识别和验证自己.Twitter 建议通过添加 HTTP Authorization 标头来这样做，但由于我对请求使用 JSONP，因此我认为这不适合我.我的假设是否正确?

I believe that I need to provide the OAuth credentials to Twitter, so that my web application can identify and authenticate itself. Twitter recommends doing so through the addition of an HTTP Authorization header, but as I'm using JSONP for the request I don't think this is an option for me. Am I right in assuming this?

因此，我的选择似乎是将 oAuth 凭据作为查询字符串参数(Twitter 建议反对，但文档建议仍然支持)；或通过中间服务器代理所有推文.我宁愿避免后者.

My options therefore appear to either be putting the oAuth credentials as query-string parameters (which Twitter recommends against, but documentation suggests still supports); or proxying all the Tweets through an intermediate server. I'd rather avoid the latter.

我使用表单的 URL 访问 Twitter API

I access the Twitter API using URLs of the form

http://api.twitter.com/1/statuses/user_timeline.json?user_id=29191439&oauth_nonce=XXXXXXXXXXX&oauth_signature_method=HMAC-SHA1&3-SHA1&3er_timeline.json?user_id=29191439&oauth_nonceXXXXXXXXXX&oauth_signature=XXXXXXXXXX&oauth_version=1.0

当 user_id 是公共用户时，这可以正常工作.当 user_id 是私人用户时，我会收到 HTTP Basic Auth 对话框.知道我做错了什么吗?我希望它像忘记一个重要参数"这样简单的令人尴尬的事情......

When user_id is a public user, this works fine. When user_id is a private user, I get that HTTP Basic Auth dialog. Any idea what I'm doing wrong? I'm hoping it's something embarrassingly simple like "forgetting an important parameter"...

推荐答案

oAuth 节需要准确，按照 http://dev.twitter.com/pages/auth#auth-request - 我最终构建了一个 Authorization: 标头，我可以首先检查它卷曲.

The oAuth stanza needs to be exact, as per http://dev.twitter.com/pages/auth#auth-request - I ended up building an Authorization: header that I could first check with curl.

我使用 http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/

这是受保护用户的好友 API 请求:

Here's a friends API request for a protected user:

curl -v -H 'Authorization: OAuth realm="https://api.twitter.com/1/friends/ids.json", oauth_consumer_key="XXXXXXXXXXXXXXXX", oauth_token="XXXXXXXXXXXXXXXX", oauth_nonce="XXXXXXXXXXXXXXXX", oauth_timestamp="1300728665", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="XXXXXXXXXXXXXXXX%3D"' https://api.twitter.com/1/friends/ids.json?user_id=254723679

值得重申的是，正如您尝试做的那样，而不是通过例如设置 Authorization 标头jquery 的 beforeSend 函数，对于跨域 JSONP 请求(不能添加 HTTP 标头)，您可以通过将所有相关的键/值对放在 GET 请求中来发出 oAuth 请求.这应该有望帮助其他各种提问者，例如

It's worth re-iterating that as you've tried to do, instead of setting the Authorization header via e.g. jquery's beforeSend function, that for cross-domain JSONP requests (which can't add HTTP headers) you can make oAuth requests by putting all the relevant key/value pairs in the GET request. This should hopefully help out various other questioners, e.g

1. 使用 jQuery.ajax 和 JSONP 设置标题?
2. 修改 JSONP 请求的 HTTP 标头
3. 仅使用 JQuery 更新 Twitter (OAuth)

您的请求看起来有几个问题；它缺少用户的 oauth_token 加上 oauth_signature 看起来不像是 base64 编码的(因为它分别缺少十六进制编码的 = 或 ==、%3 或 %3D%3D).

Your request looks like it has a couple of problems; it's missing the user's oauth_token plus the oauth_signature doesn't look like it has been base64 encoded (because it's missing a hex encoded = or ==, %3 or %3D%3D respectively).

这是我使用 oAuth 编码的查询字符串参数的 GET 等效项，您可以在跨域 JSONP 调用中使用它:

Here's my GET equivalent using oAuth encoded querystring params, which you can use in a cross-domain JSONP call:

https://api.twitter.com/1/friends/ids.json?user_id=254723679&realm=https://api.twitter.com/1/friends/ids.json&oauth_consumer_key=XXXXXXXXXXXXXXXX&oauth_token=XXXXXXXXXXXXXXXX&oauth_nonce=XXXXXXXXXXXXXXXX&oauth_timestamp=1300728665&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_signature=XXXXXXXXXXXXXXXX%3D

这篇关于如何从 Web 应用程序访问仅授权 Twitter API 方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！