Tutorial Details
- Topic: PHP
- Difficulty: Intermediate
- Estimated Completion Time: 30-45 minutes
Beginning August 16th, Twitter will no longer support the basic authentication protocol for its platform. That means the only way to authenticate users will be through a Twitter application. In this tutorial, I’ll show you how to use Twitter as your one-click authentication system, just as we did with Facebook.
Step 1: Setting Up The Application
We’ll first need to set up a new Twitter application.
- Register a new app at dev.twitter.com/apps/
- Fill in the fields for your site accordingly, just be sure to select Browser in Application Type, and set the Callback URL to something like
http://localhost.com/twitter_login.php(http://localhost/won’t be accepted because it doesn’t have a domain name). - Finally, select Read & Write. Fill in the captcha, click “Register Application,” and accept the Terms of Service.
Now, you’ll see the screen as shown below.
We will be using the Consumer key and Consumer secret values shortly.
Now that this is done, let’s download a library. As we will be coding with PHP, it seems the best one is twitteroauth; but if you’re using another language, you’ll find other good libraries here.
Find the twitteroauth directory inside the zip file, and extract it to your application’s folder.
Finally, since we’re using Twitter to authenticate users, we’ll need a database table to store those users. Here’s a quick example of what we will be doing.
CREATE TABLE `users` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`oauth_provider` varchar(10),
`oauth_uid` text,
`oauth_token` text,
`oauth_secret` text,
`username` text,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
Notice the oauth_token and oauth_secret fields. Twitter’s OAuth requires token and a token_secret values to authenticate the users, so that’s why we’re including those. With that, we are done with the setup!
Step 2: Registering Users
In this step we, will be doing three things:
- Requesting authorization from Twitter.
- Registering or, if the user is already registered, logging the user in.
- Setting the data into a session.
Requesting authorization
The OAuth workflow starts by generating a URL for the request; the user is redirected to that URL and is asked for authorization. After granting it, the application redirects back to our server with two tokens in the URL parameters, which are required for the authentication.
Let’s begin by including the library and starting a session handler.
require("twitteroauth/twitteroauth.php");
session_start();
After that, let’s create a new TwitterOAuth instance, giving it the consumer key and consumer secret that Twitter gave us when we created the application. Then, we’ll request the authentication tokens, saving them to the session, and redirect the user to Twitter for authorization.
// The TwitterOAuth instance
$twitteroauth = new TwitterOAuth('YOUR_CONSUMER_KEY', 'YOUR_CONSUMER_SECRET');
// Requesting authentication tokens, the parameter is the URL we will be redirected to
$request_token = $twitteroauth->getRequestToken('http://localhost.com/twitter_oauth.php');
// Saving them into the session
$_SESSION['oauth_token'] = $request_token['oauth_token'];
$_SESSION['oauth_token_secret'] = $request_token['oauth_token_secret'];
// If everything goes well..
if($twitteroauth->http_code==200){
// Let's generate the URL and redirect
$url = $twitteroauth->getAuthorizeURL($request_token['oauth_token']);
header('Location: '. $url);
} else {
// It's a bad idea to kill the script, but we've got to know when there's an error.
die('Something wrong happened.');
}
Save it as twitter_login.php, go to http://localhost.com/twitter_login.php or whatever your local host name is. If everything went correctly, you should be redirected to twitter.com, and you should see something like this.
Click allow, and you will be redirected to http://localhost.com/twitter_oauth.php — since we set this URL as a parameter in the getRequestToken statement. We haven’t created that file, so it should throw an error. Create that file, and then include the library and start a session, just like we did in the first file.
After that, we will need three things:
- Auth verifier in the URL query data
- Auth token from the session
- Auth secret from the session
So, the first thing to do in this script is validate this data and redirect if one of these variables is empty.
if(!empty($_GET['oauth_verifier']) && !empty($_SESSION['oauth_token']) && !empty($_SESSION['oauth_token_secret'])){
// We've got everything we need
} else {
// Something's missing, go back to square 1
header('Location: twitter_login.php');
}
Now, if everything is set, inside the conditional we will be creating the TwitterOAuth instance, but with the tokens we just got as third and fourth parameters; after that, we will be getting the access token, which is an array. That token is the one we will be saving to the database. Finally, we’ll do a quick test to see if everything works out.
// TwitterOAuth instance, with two new parameters we got in twitter_login.php
$twitteroauth = new TwitterOAuth('YOUR_CONSUMER_KEY', 'YOUR_CONSUMER_SECRET', $_SESSION['oauth_token'], $_SESSION['oauth_token_secret']);
// Let's request the access token
$access_token = $twitteroauth->getAccessToken($_GET['oauth_verifier']);
// Save it in a session var
$_SESSION['access_token'] = $access_token;
// Let's get the user's info
$user_info = $twitteroauth->get('account/verify_credentials');
// Print user's info
print_r($user_info);
If nothing goes wrong, the print_r should show the user’s data. You can get the user’s id with $user_info->id, his or her username with $user_info->screen_name; there’s a bunch of other info in there as well.
It is very important to realize that the oauth_verifier hasn’t been used before this. If you see the user’s info correctly and then reload the page, the script will throw an error since this variable has been used. Just go back to twitter_login.php and it will automatically generate another fresh token.
Registering users
Now that we have the user’s info we can go ahead and register them, but first we have to check if they exist in our database. Let’s begin by connecting to the database. Add these lines in the script’s beginning.
mysql_connect('localhost', 'YOUR_USERNAME', 'YOUR_PASSWORD');
mysql_select_db('YOUR_DATABASE');
Modify the database info as required. Now, just below where we fetch the user’s info, we’ll have to check for the user in our database. If he or she is not there, we’ll enter the info. If the user has been registered, we must update the tokens, because Twitter has generated new ones and the ones we have in the database are now unusable. Finally, we set the user’s info to the session vars and redirect to twitter_update.php.
if(isset($user_info->error)){
// Something's wrong, go back to square 1
header('Location: twitter_login.php');
} else {
// Let's find the user by its ID
$query = mysql_query("SELECT * FROM users WHERE oauth_provider = 'twitter' AND oauth_uid = ". $user_info->id);
$result = mysql_fetch_array($query);
// If not, let's add it to the database
if(empty($result)){
$query = mysql_query("INSERT INTO users (oauth_provider, oauth_uid, username, oauth_token, oauth_secret) VALUES ('twitter', {$user_info->id}, '{$user_info->screen_name}', '{$access_token['oauth_token']}', '{$access_token['oauth_token_secret']}')");
$query = mysql_query("SELECT * FROM users WHERE id = " . mysql_insert_id());
$result = mysql_fetch_array($query);
} else {
// Update the tokens
$query = mysql_query("UPDATE users SET oauth_token = '{$access_token['oauth_token']}', oauth_secret = '{$access_token['oauth_token_secret']}' WHERE oauth_provider = 'twitter' AND oauth_uid = {$user_info->id}");
}
$_SESSION['id'] = $result['id'];
$_SESSION['username'] = $result['username'];
$_SESSION['oauth_uid'] = $result['oauth_uid'];
$_SESSION['oauth_provider'] = $result['oauth_provider'];
$_SESSION['oauth_token'] = $result['oauth_token'];
$_SESSION['oauth_secret'] = $result['oauth_secret'];
header('Location: twitter_update.php');
}
Note that these queries are not validated; if you leave them as they are, you are leaving your database vulnerable. Finally, below the database connection, we should set a check to verify that the user is logged in.
if(!empty($_SESSION['username'])){
// User is logged in, redirect
header('Location: twitter_update.php');
}
You can now greet the user by his or her username.
<h2>Hello <?=(!empty($_SESSION['username']) ? '@' . $_SESSION['username'] : 'Guest'); ?></h2>
Let’s get to the fun side: updating, following and reading.
Step 3: Reading Statuses
There are over twenty categories of resources available: timeline, tweets, users, trends, lists, direct messages, etc. Each one has a bunch of methods, you can check them all in the official documentation. We’ll get to the basics, as most of these features are accessed in a similar way.
Just like the other two scripts, we’ll need to create the TwitterOAuth instance, including the variables in the session.
if(!empty($_SESSION['username'])){
$twitteroauth = new TwitterOAuth('YOUR_CONSUMER_KEY', 'YOUR_CONSUMER_SECRET', $_SESSION['oauth_token'], $_SESSION['oauth_secret']);
}
We’ll begin with the user’s timeline. The reference tells us that the path is statuses/home_timeline; ignore the version and format, the library will take care of it.
$home_timeline = $twitteroauth->get('statuses/home_timeline');
print_r($home_timeline);
That will get you the timeline. You can fetch each item with a foreach loop. However, the reference specifies some optional parameters like count, which limits how many tweets will be fetched. In fact, get‘s second parameter is an array of every option needed, so if you want to fetch the latest forty tweets, here’s the code:
$home_timeline = $twitteroauth->get('statuses/home_timeline', array('count' => 40));
Also, you can see somebody else’s timeline, as long as it’s not protected. statuses/user_timeline requires either a user’s id or screen name. If you want to check @nettuts timeline, you’ll have to use the following snippet:
$nettuts_timeline = $twitteroauth->get('statuses/user_timeline', array('screen_name' => 'nettuts'));
As you can see, after authenticating, reading timelines is a breeze.
Step 4: Friendships
With friendships, you can check if a user follows another one, as well as follow or unfollow other users. This snippet will check if you are following me and and will create the follow if not.
But first, check the friendships/exists and friendships/create reference. Notice something? friendships/create method is POST. Fortunately, the library includes a post() function, which works just as the get() function; the main difference is that get() is for reading and post() is for creating, deleting or updating.
Anyways, friendships/exists requires two parameters: user_a and user_b, and friendships/create requires just one, either screen_name or user_id.
$follows_faelazo = $twitteroauth->get('friendships/exists', array('user_a' => $_SESSION['username'], 'user_b' => 'faelazo'));
if(!$follows_faelazo){
echo 'You are NOT following @faelazo!';
$twitteroauth->post('friendships/create', array('screen_name' => 'faelazo'));
}
You can unfollow an user with basically the same code that creates a follow, just replace create with destroy:
$follows_faelazo = $twitteroauth->get('friendships/exists', array('user_a' => $_SESSION['username'], 'user_b' => 'faelazo'));
if($follows_faelazo){
echo 'You are following @faelazo! Proceed to unfollow...';
$twitteroauth->post('friendships/destroy', array('screen_name' => 'faelazo'));
}
Step 5: Posting Updates
This is probably the most interesting section, since it’s Twitter’s core: posting an update, as you might have imagined, is pretty straightforward. The path is statuses/update, the method is POST (since we are not reading), and the one required argument is status.
$twitteroauth->post('statuses/update', array('status' => 'Hello Nettuts+'));
Now go to your Twitter profile page and you’ll see your tweet.
Let’s retweet @Nettuts’ update announcing the HTML 5 Competition; the status id is 19706871538 and the reference tells us that the path is statuses/retweet/:id, where the :id part is the status id we will be retweeting. The method is POST and it doesn’t require additional parameters.
$twitteroauth->post('statuses/retweet/19706871538');
To delete a tweet, you’ll have to pass the status id you’ll be destroying in the first parameter, just like retweeting. If the tweet’s id is 123456789, the code to destroy will be.
$twitteroauth->post('statuses/destroy/123456789');
Of course, this code can only delete tweets made by the authenticated user.
Conclusions
Twitter’s API is quite easy to understand; it’s far more documented than even Facebook’s (even though Facebook offers an in-house library). Unfortunately, the authentication is not as smooth as we might hope, depending on session data.
One thing worth noticing is that, once a Twitter user has been authorized (assuming the app has read and write permissions), you have plenty of control over this account. If you change something on behalf of the user without his permission, you’ll create trouble. Use it with caution!
The API changes coming to Twitter will deny basic authentication; Twitter is focusing on ceasing the countless scams that trick users into giving up their login credentials. OAuth is the solution; and, if you’ve worked through the Facebook Connect tutorial, you can now provide your website or app users with a quick login without credentials, using your choice of the two most used social networks. How cool is that?
Enjoyed this Post?
Subscribe to our RSS Feed, Follow us on Twitter or simply recommend us to friends and colleagues!
By Rafael Soto
Join our newsletter!
Create a Tutorial, Get Paid!
Have something to teach the world? Want to earn money doing it? Tutorials, screencasts, and articles published here on Nettuts+ are largely contributed by readers just like you! We'll pay you great money for good content. Find Out More
$twitteroauth = new TwitterOAuth(YOUR_CONSUMER_KEY, YOUR_CONSUMER_SECRET, ‘User_Token Access’, ‘user_token secret’);
$twitteroauth->post(‘statuses/update’, array(‘status’ => ‘Hello Nettuts+’));
when i try to use this code i am getting error
“Could not authenticate you” and my Status was also not updated:)
I am not receiving an error but, the status is not being posted. On the verge of pullin’ some hair out over this. Still this is a really good article I would think.
yeah i got the same thing, it won’t post to my timeline.. and is the database part really necessary? i wonder if that’s the problem since i didn’t include it in my code..
Make sure that under settings in the dev center in twitter that you give your application read and write access. It starts in Read Only mode and will not allow you to post anything.
get to know how use google to authenticate users:
http://lookmywebpage.com/api/google/authenticate-users-using-google-open-id/
Hi Rafael,
Great tutorial, thanks for that! One question I have (and maybe it’s because I haven’t read through it enough times yet) is that I want to be able to have users *optionally* logged in to Twitter – i.e. visitors will see my stream and IF they log in to their Twitter account, they can also write to it (and, in the future perform other functions).
I don’t quite get how this optional login can be achieved with the current tutorial though – as I see it, it immediately wants to authenticate a user.
Any hints?
Thanks.
Hey,
Thank you very much for this damn good and understanding tut!
I tried it out and it works well, but I have a small question:
I want that user can add their twitter-account on my website, and if they do this (pass the app confirmation successful), I would like to be able to update their timeline automatically by a script.
So, do the users have to be logged in that I can update the timeline, or only at the confirmation step?
Thank’s for help!
Best regards,
Philipp
PS:
It’s for an sms-gateway. The user may forward their sms to their twitter accounts.
I said it that u dont think I want to spamm their timelines ;)
great article but i have a question, when you say “Note that these queries are not validated; if you leave them as they are, you are leaving your database vulnerable” what do you mean exactly, what steps should be taken to validate the queries? i feel a little unsure if it is safe to use this code or not
Hey, thanks for the tut. I have a question that is probably simple to someone up to date with these practices, but when you get to the reading status (step 3), you don’t give instruction as to what to name the scripts/pages. Also, you mention an update page, but no content for it.
I am still learning this type of programming, so please bear with me.
Thanks!
Am having trouble accessing the Session Variable after the callback url is loaded. its empty.
any idea why this is happening ?
When i var dump Session in the login page. it is set. but when twitter_oauth.php is loaded. the session seems to be empty
You probably don’t have a session_start(); in your callback page.
Great Article….:)
Thank You So Much.
in requesting url: pls explain this line of code
$request_token = $twitteroauth->getRequestToken(‘http://localhost.com/twitter_oauth.php’);
what is twitter_oauth? I haven’t made such a file … then what is it actually? got confused…
Location: twitter_update.php what is this ?
I got my answer to my previous question.
Location: twitter_update.php what is this ?
I got my answer to my previous question.
whats up with the twitter_update.php … which code should I insert into … pls reply soon..
Hi there,
Firstly, Thanks for the awesome tutorial.
I found some error when reload my page 3 or more times.
I am login with twitter user name & password, then showing my friends list. if i reload the friends list page more then 3 or more times it is unable to access any information of twitter. You can see it here(enaak.com). Code somthing like this:
=> $registered_users store twitter user name from database..
*************************************************************************************
foreach($registered_users as $row)
{
$friendship = $this->tweet->call(‘get’, ‘friendships/show’, array(‘source_screen_name’ => $user_record->username, ‘target_screen_name’ => $row->username));
if($friendship->relationship->source->following == true)
{
continue;
}
print_r($friendship->relationship->target);
}
?>
*************************************************************************************
Please help me.
excellent post
Really great article and appreciable effort for writing this. keep up this good work. I think you should post a reusable php library for developers to reuse using various oauths like facebook, twitter, google etc
Thankyou very much
Thanks for the tut!
I have adapted Twitter’s OAuth with Facebook’s tutorial here at Nettuts too and it took just 5 minutes since I could reuse most of the code.
Now just there’s just Google OAuth left and that’s a 3-way autologin that should suit 99% of people, isn’t it?
how we get $user_info->id
Really a very Good article..Really very informative
An awesome tutorial indeed.. however I have two questions:
1. In step 3 where you make oauth object for the third time in file twitter_update.php, I keep having error making the object and I just can’t figure it out why, the session variables and other parameters are all coming as on first two pages twitter_login.php and twitter_oauth.php on which I am successfully able to create the object and use it.
2. I want to ask that since we have validated users, is there a way we can update status of more than one users using that information? What will be the line for that as for currently signed in user it is:
$twitteroauth->post(‘statuses/update’, array(‘status’ => ‘Hello Nettuts+’));
Will I have to add the authentication ids or what? Any help will be appreciated. Thank you :)
If anyone is looking for what to put into twitter_update.php try this:
Hello
Lets try this again…
<?php
require(“twitteroauth/twitteroauth.php”);
session_start();
?>
<h2>Hello <?=(!empty($_SESSION['username']) ? ‘@’ . $_SESSION['username'] : ‘Guest’); ?></h2>
it is great. I want to try it. thank you very much.
Thanks for sharing the code it’s really helpful and it’s exactly what I need.
Hello!
Great tutorial but I have a problem, in the final part of step two I have the following:
# // TwitterOAuth instance, with two new parameters we got in twitter_login.php
echo “GET and Session ok”;
echo *the 2 session parameters that I give to the line below*;
# $twitteroauth = new TwitterOAuth(‘YOUR_CONSUMER_KEY’, ‘YOUR_CONSUMER_SECRET’, $_SESSION['oauth_token'], $_SESSION['oauth_token_secret']);
echo “object ok”;
But all I see when I get to that point is:
GET and Session ok
the 2 keys, both seem fine and valid
So why would this crash while making an object? And yes I did replace the first two with my own consumer key and secret
Any help would be great, thanks!
Hey nvm my previous question! My callback url was a different controller so I required to include the library once again
Hi,
Thanks for this tutorial. I have been bulding FB apps but now want to get start with php and you just gave me that kickstart
Hi, can this (and facebook connect) be performed on wordpress? If so, how exactly?
I receive an error
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /www/htdocs/wwwhuize/http/twit2/index.php on line 18
It should be this line
$query = mysql_query(“SELECT * FROM StatusNet_Users WHERE oauth_provider = ‘twitter’ AND oauth_uid = ” . $user_info->id);
$result = mysql_fetch_array($query);
any idea
@Jeroen:
$query = mysql_query(“SELECT * FROM StatusNet_Users WHERE oauth_provider = ‘twitter’ AND oauth_uid = $user_info->id);
I simply get
Woah there!
This page requires some information that was not provided. Please return to the site that sent you to this page and try again … it was probably an honest mistake.
after 3 hours of working with it and finding solution over the net, it was no avail.
I am frustrated :(
This was a nice attempt although it need a lot of work before it can call itself a tutorial.
I suggest downloading the API directly from https://github.com/abraham/twitteroauth and using the DOCUMENATION file for a better understanding.
Hi I am getting the following error and I don’t have a clue as to what is wrong :
Notice: Undefined index: oauth_token in C:\wamp\www\selvester\twitteroauth\twitteroauth.php on line 82
Notice: Undefined index: oauth_token_secret in C:\wamp\www\selvester\twitteroauth\twitteroauth.php on line 82
Notice: Undefined index: oauth_token in C:\wamp\www\selvester\twitter_login.php on line 12
Notice: Undefined index: oauth_token_secret in C:\wamp\www\selvester\twitter_login.php on line 13
Pleas assist
Yo. This is a fuckin amazing tutorial!!!
A thanks a lot from Chicago!!!
gr8 post
thanks a lot.
How can we do the same in javascript for mobile applications, jquery-mobile-HTML5 pages?
friend in my case it is telling that call to undefined function curl_init on line 199
hey thanks its working :-)
Great article however I couldn’t use it without errors (from the Github library), and after looking elsewhere I got it working by changing two things in this article:
1) Requesting Authorisation
Line 4 (Second snippet) has this:
$request_token = $twitteroauth->getRequestToken(‘http://localhost.com/twitter_oauth.php’);
The callback url is passed in however I removed this (no parameters in class function) and got a result, also here:
2) In the IF condition against the HTTP code there is:
$url = $twitteroauth->getAuthorizeURL($request_token['oauth_token']);
I just used $request_token alone and got a result, and all is good. Without these changes I got an error from the library that two array indexes were not found. Reading comments I know someone else had this error, so for future reference do note my comment and what changes I made.
Is there an updated version of this tutorial?
thanks, very helpful, this is what I was looking for.
Is there a new version of this because you can’t finish it?
what i get is :
You can use your Twitter account to sign in to other sites and services.
By signing in here, you can use smbtest without sharing your Twitter password.
Authorize smbtest to use your account?
This application will be able to:
Read Tweets from your timeline.
See who you follow, and follow new people.
Update your profile.
Post Tweets for you.
This application will not be able to:
Access your direct messages.
See your Twitter password.
It not the same the tutorial image (deny allow)
Please any body help me what is my mistake ?
Thanks for the tut.
Only one I found to actually work and easy to follow using the abraham / twitteroauth API.
regards,
Jody