Setting up an authentication page

The TwitterOAuthClient class handles the necessary logic for authenticating with the Twitter API.

In order to get started, you need to create a Twitter app (or use an existing app if you already have one). Your Twitter app will have a consumer key and consumer secret, which together identify your app.

With the Twitter app in place, you can initialize a new instance of the TwitterOAuthClient class like this:

// Initialize the OAuth client
TwitterOAuthClient oauth = new TwitterOAuthClient {
    ConsumerKey = "Your consumer key",
    ConsumerSecret = "Your consumer secret",
    Callback = "http://social.abjerner/twitter/oauth/"
};

The Callback property represents the URL of your authentication page. When the authentication is completed through Twitter's authentication dialog, the user is redirected back to this URL.

Obtaining a request token

Twitter uses OAuth 1.0a for authentication, where the first step is to obtain a request token. This is a server-to-server call which helps identify your app and the user to Twitter.

// Make the request to the Twitter API to get a request token
SocialOAuthRequestTokenResponse response = oauth.GetRequestToken();

// Get the request token from the response body (reuse the response above rather than making a second request)
SocialOAuthRequestToken requestToken = response.Body;

The response holds both a request token and a request token secret, which are then used for hashing and signing the next request of the authentication.

After we have received the request token and request token secret, we need to redirect the user to the Twitter authentication dialog. But since the request token and request token secret help identify the user, we must first store them in a session (or similar) on the server, so we can retrieve them once the user is redirected back to the URL defined by the Callback property.

// Save the token information to the session so we can grab it later
Session[requestToken.Token] = requestToken;

// Redirect the user to the authentication page at Twitter.com
Response.Redirect(requestToken.AuthorizeUrl);

Obtaining an access token

Once the user grants your app access to the user's Twitter account, the user is redirected back to the URL as defined by the Callback property, but with the oauth_token and oauth_verifier parameters in the query string.

oauth_token is the request token that we received earlier. With this, we can retrieve the request token secret from the session. We should use these to update the Token and TokenSecret properties of the TwitterOAuthClient instance.

// Get OAuth parameters from the query string
string oAuthToken = Request.QueryString["oauth_token"];
string oAuthVerifier = Request.QueryString["oauth_verifier"];

// Grab the request token from the session
SocialOAuthRequestToken requestToken = Session[oAuthToken] as SocialOAuthRequestToken;

// Update the OAuth client with information from the request token
oauth.Token = requestToken.Token;
oauth.TokenSecret = requestToken.TokenSecret;

// Make the request to the Twitter API to get the access token
SocialOAuthAccessTokenResponse response = oauth.GetAccessToken(oAuthVerifier);

// Get the access token from the response body
SocialOAuthAccessToken accessToken = response.Body;

// Update the OAuth client with the access token (we no longer need the request token)
oauth.Token = accessToken.Token;
oauth.TokenSecret = accessToken.TokenSecret;

On the last two lines, the OAuth client is updated with the access token and access token secret of the user, which means you're now able to make calls to the Twitter API on behalf of the user.

If you at a later time need to make further requests to the API on behalf of this user, you can store the access token and access token secret, e.g. in the user session on the server or somewhere in a database. Just keep in mind that the access token and access token secret are sensitive data, and they should therefore only be saved in a secure manner.

Authentication denied

When the user is redirected to the Twitter authentication page, the user may choose to cancel the authentication, refusing to grant your app access to the user's account. In this case, the user is redirected back to the Callback URL, but this time with the denied parameter in the query string. This parameter will hold the request token obtained in the first step. You can use the request token to clear the user's session on your server.

Complete example

In the example below, I've tried to demonstrate how an authentication page can be implemented (involving the steps explained above).

@using Skybrud.Social.OAuth.Objects
@using Skybrud.Social.OAuth.Responses
@using Skybrud.Social.Twitter.OAuth

@{

    // Initialize the OAuth client
    TwitterOAuthClient oauth = new TwitterOAuthClient {
        ConsumerKey = "Insert your consumer key here",
        ConsumerSecret = "Insert your consumer secret here",
        Callback = "http://social.abjerner/twitter/oauth/"
    };

    if (Request.QueryString["do"] == "login") {

        // Make the request to the Twitter API to get a request token
        SocialOAuthRequestTokenResponse response = oauth.GetRequestToken();

        // Get the request token from the response body
        SocialOAuthRequestToken requestToken = response.Body;

        // Save the token information to the session so we can grab it later
        Session[requestToken.Token] = requestToken;

        // Redirect the user to the authentication page at Twitter.com
        Response.Redirect(requestToken.AuthorizeUrl);

    } else if (Request.QueryString["oauth_token"] != null) {

        // Get OAuth parameters from the query string
        string oAuthToken = Request.QueryString["oauth_token"];
        string oAuthVerifier = Request.QueryString["oauth_verifier"];

        // Grab the request token from the session
        SocialOAuthRequestToken requestToken = Session[oAuthToken] as SocialOAuthRequestToken;

        if (requestToken == null) {

            <p>An error occurred. Timeout?</p>

        } else {

            // Some information for development purposes
            <p>Request Token: @requestToken.Token</p>
            <p>Request Token Secret: @requestToken.TokenSecret</p>

            // Update the OAuth client with information from the request token
            oauth.Token = requestToken.Token;
            oauth.TokenSecret = requestToken.TokenSecret;

            try {

                // Make the request to the Twitter API to get the access token
                SocialOAuthAccessTokenResponse response = oauth.GetAccessToken(oAuthVerifier);

                // Get the access token from the response body
                SocialOAuthAccessToken accessToken = response.Body;

                <p>Access Token: @accessToken.Token</p>
                <p>Access Token Secret: @accessToken.TokenSecret</p>

                // Update the OAuth client with information from the access token
                oauth.Token = accessToken.Token;
                oauth.TokenSecret = accessToken.TokenSecret;

            } catch (Exception ex) {

                <pre style="color: red;">@ex.GetType().FullName: @(ex.Message + "\r\n\r\n" + ex.StackTrace)</pre>

            }


        }

    } else if (Request.QueryString["denied"] != null) {

        // Get OAuth parameters from the query string
        string oAuthToken = Request.QueryString["denied"];

        // Remove the request token from the session
        Session.Remove(oAuthToken);

        // Write some output for the user
        <p>It seems that you cancelled the login!</p>
        <p>
            <a class="btn btn-primary" href="/twitter/oauth/?do=login">Try again?</a>
        </p>

    } else {

        <p>
            <a class="btn btn-primary" href="/twitter/oauth/?do=login">Login with Twitter</a>
        </p>

    }

}
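As an added example (not part of the original page or of Skybrud.Social), the same three-legged flow as a plain C# helper for an ASP.NET page, with the request token bound to the user's own session, checked against the oauth_token sent back in the callback, used only once, and the access token kept server-side instead of being written into the page. The class name, session keys, app-settings keys and callback URL are assumptions for the example.

```csharp
using System;
using System.Configuration;
using System.Web;
using Skybrud.Social.OAuth.Objects;
using Skybrud.Social.OAuth.Responses;
using Skybrud.Social.Twitter.OAuth;

// Hypothetical helper class (not part of Skybrud.Social) wrapping the login flow.
public static class TwitterLoginHelper {

    private const string RequestTokenKey = "twitter.requestToken"; // assumed session key
    private const string AccessTokenKey = "twitter.accessToken";   // assumed session key

    private static TwitterOAuthClient CreateClient() {
        // Read the app credentials from configuration instead of hard-coding them
        return new TwitterOAuthClient {
            ConsumerKey = ConfigurationManager.AppSettings["Twitter:ConsumerKey"],
            ConsumerSecret = ConfigurationManager.AppSettings["Twitter:ConsumerSecret"],
            Callback = "https://example.invalid/twitter/oauth/" // placeholder callback URL
        };
    }

    // Step 1: obtain a request token, bind it to THIS session, and send the user to Twitter
    public static void BeginLogin(HttpContextBase ctx) {
        TwitterOAuthClient oauth = CreateClient();
        SocialOAuthRequestToken requestToken = oauth.GetRequestToken().Body;
        ctx.Session[RequestTokenKey] = requestToken;
        ctx.Response.Redirect(requestToken.AuthorizeUrl, false);
    }

    // Step 2: handle the callback. Returns true only if an access token is now in the session.
    public static bool CompleteLogin(HttpContextBase ctx) {
        var requestToken = ctx.Session[RequestTokenKey] as SocialOAuthRequestToken;
        ctx.Session.Remove(RequestTokenKey); // a request token is single use, even on failure

        string token = ctx.Request.QueryString["oauth_token"];
        string verifier = ctx.Request.QueryString["oauth_verifier"];

        // No pending login, user cancelled ("denied"), or parameters missing
        if (requestToken == null || ctx.Request.QueryString["denied"] != null) return false;
        if (String.IsNullOrEmpty(token) || String.IsNullOrEmpty(verifier)) return false;

        // The token in the callback must be the one this session started the login with
        if (!String.Equals(token, requestToken.Token, StringComparison.Ordinal)) return false;

        TwitterOAuthClient oauth = CreateClient();
        oauth.Token = requestToken.Token;
        oauth.TokenSecret = requestToken.TokenSecret;

        // Exchange the verifier for the access token and keep it server-side only
        ctx.Session[AccessTokenKey] = oauth.GetAccessToken(verifier).Body;
        return true;
    }
}
```

A page would call BeginLogin when the user clicks the login link and CompleteLogin when the query string carries either oauth_token or denied, rendering a generic success or failure message without any token values.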