OAuth made simple(r)
With the looming (as of May 2010), shutdown of Basic Authentication on Twitter, I had to finally figure out OAuth and how I was going to use it. I use a very simple C# Twitter client that I wrote in my free time. Since I am the only user of the client, OAuth is somewhat overkill because the only password floating through the app is my own, but regardless Twitter has mandated OAuth.
My initial plan was to find the easiest library to use, throw it in, and let it do its thing. I was dismayed to find that most OAuth libraries for .NET are monolithic, consisting of multiple DLLs and thousands of lines of code. In addition, I found the example code associated with them to be unclear and much too steep a learning curve just to do my simple OAuth.
I found the OAuth reference implementation, OAuthBase.cs, but as soon as I started using it I realized it would not be compatible with Twitter's OAuth requirements. Since the entire OAuthBase class is under 400 lines of code, I was able to grok it pretty quickly and add in the missing functionality to make it Twitter-compatible (namely adding oauth_callback and oauth_verifier).
This library solely deals with OAuth plumbing. Building and sending HTTP requests and parsing HTTP responses are outside the scope of the library. System.Net.HttpWebRequest and System.Net.WebResponse make the network transport side very easy.
The following changes were made to support Twitter and/or enhance the library.
OAuthBase.cs was designed for OAuth 1.0. My modifications make it compliant with Twitter's OAuth 1.0a implementation, but I cannot guarantee that it is broadly OAuth 1.0a compliant.
The single, most important function is GenerateSignature:
public string GenerateSignature( Uri url, // Twitter OAuth URL (request_token, access_token) (required) string callback, // callback URL or "oob" for out-of-band (optional) string consumerKey, // consumer key (required) string consumerSecret, // consumer secret key (required) string token, // token (optional) string tokenSecret, // token secret (optional) string httpMethod, // HTTP method (GET, POST) (required) string timeStamp, // timestamp (required) string verifier, // verifier returned by Twitter or OOB PIN (optional) string nonce, // nonce value (required) out string normalizedUrl, // returns a normalized string URL of 'url' out string normalizedRequestParameters // returns request parameters )
Based on the "Acquiring a request token" example from Authenticating Requests
OAuth.OAuthBase oauth = new OAuth.OAuthBase();
Uri rq = new Uri("https://api.twitter.com/oauth/request_token");
string callback = "http://localhost:3005/the_dance/process_callback?service_provider_id=11";
string timestamp = oauth.GenerateTimeStamp();
string nonce = oauth.GenerateNonce();
string consumerKey = "GDdmIQH6jhtmLUypg82g";
string consumerSecret = "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98";
string url, url2, signature;
signature = oauth.GenerateSignature(rq, callback, consumerKey, consumerSecret, null, null, "POST", timestamp, null, nonce, out url, out url2);
Console.WriteLine("url: {0}", url);
Console.WriteLine("url2: {0}", url2);
Console.WriteLine("signature: {0}", signature);
Console.WriteLine("url encoded signature: {0}", OAuth.OAuthBase.UrlEncode(signature));
/*
Output
url: https://api.twitter.com/oauth/request_token
url2: oauth_callback=http%3A%2F%2Flocalhost%3A3005%2Fthe_dance%2Fprocess_callbac
k%3Fservice_provider_id%3D11&oauth_consumer_key=GDdmIQH6jhtmLUypg82g&oauth_nonce
=788cf02a1955471386843245c52c7908&oauth_signature_method=HMAC-SHA1&oauth_timesta
mp=1273110713&oauth_version=1.0
signature: 2Z+xl4H17WhpM7OOE7G22BwHkSI=
url encoded signature: 2Z%2Bxl4H17WhpM7OOE7G22BwHkSI%3D
*/
Once a signature is generated, it can be used to build the OAuth Authorization HTTP header and proceed through the OAuth process (this is your oauth_signature). Be sure to call OAuthBase.UrlEncode on the signature, since it must be URL escaped before being added to an HTTP header.
These modifications are licensed under the same license as OAuthBase.cs, the Apache License 2.0.
Download OAuthBase.cs for Twitter
Using OAuthBase.cs? Let me know @timpinkawa!