What the documentation wants is that credentials (token, bearer token, secret key...) are kept only by you, safely. Once this information is obtained, you will be able to make requests on behalf of your Twitter app.
Anyone who gets your private key (API Secret) can authenticate users while impersonating your application. Likewise, anyone who has the tokens/bearer token can use them as they wish on behalf of your application. For example, they might post tweets as if your app had posted them, without you actually doing so.
For this reason, this information must not be shared or distributed; it must remain with you only.
I want the user, instead of clicking the "Sign in with Twitter" button using oAuth, to fill out a form with their Twitter data, username and password.
The official public Twitter API only allows you to use oAuth. It is built precisely so that users do not give their credentials to third parties.
There is no official way to do what you want. What there are is workarounds (gambiarras). That is, using the private API, the one that Twitter itself uses. I have already told you how you can do this. You can reverse engineer the Twitter mobile app, as well as monitor the requests made by the app.
On the Twitter website you can simply monitor traffic (browsers already have this feature) and then you will know the endpoints used.
You can try looking for someone who has already done this work, including people who have already made such information publicly available, or even libraries in some language that use the private API.
Once you have the passwords you can get the session cookie; this is almost a "Token", but from the private API. It is usually stored in cookies (or multiple cookies); in the case of the mobile app, the API may be encrypted, requiring some reverse engineering to get the keys.
NOTE: I do not want to steal information, because it is not possible...
Now, if you ask for other people's passwords... the phrase "I don't want to steal information because it's not possible..." is a mistake. Not only do you have the ability to "steal" your credentials, but other people can "steal your theft".
Once you ask for and receive Twitter passwords you will have the passwords; you have access to those credentials. Even if you use HTTPS, the information is decrypted on your side, at best, and will be stored in "some memory", so you have access.
Anyway, if tokens are passwords, I can recover the screen_name and use a crypt; I don't know if Twitter uses sha1, so I can recover the password too. If anyone knows, report here.
I honestly don't understand what you mean. The Token is random, generated from your private and public key for the user who authorized your application. They are like a password from the point of view of their secrecy, since neither their password nor a Token should be shared, and just like a password, a Token grants access to make interactions on their behalf.
Unless I'm mistaken, OAuth2 does not use any encryption on the Token itself, only on the traffic; this is done to make responses faster, and even so it does not require you to encrypt any Token.
If you want to keep the Token extremely safe, the most you can do, in my view, is to use asymmetric encryption and use some HSM to store the keys.
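The answer above stresses that the API Secret and the token secret are the credentials that must never leave your server, while the token itself is a random identifier rather than a password. The following is an added example (not code from the original answer or from Twitter) of how an OAuth 1.0a request of the "Sign in with Twitter" kind is signed with HMAC-SHA1, as described in RFC 5849: the secrets are used only as the HMAC key, so the Authorization header that travels over the wire contains the consumer key, the token and a signature, but never the secrets. It also shows the server-side check, which recomputes the signature from the secrets it holds. All key, secret, token, nonce and timestamp values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote


def pct(value):
    """RFC 3986 percent-encoding as required by OAuth 1.0a (no safe characters)."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0a signature base string from method, URL and all
    request + oauth_* parameters (oauth_signature itself is excluded)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(param_str)])


def sign(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the two secrets form the key and are
    never placed in the request itself."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_authorization_header(method, url, request_params, consumer_key,
                               consumer_secret, token, token_secret,
                               nonce=None, timestamp=None):
    """Client side: produce the Authorization header for one signed request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**request_params, **oauth})
    oauth["oauth_signature"] = sign(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, base


def parse_authorization_header(header):
    """Split an 'OAuth k="v", k="v"' header back into a dict."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0a Authorization header")
    pairs = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        pairs[unquote(k)] = unquote(v.strip('"'))
    return pairs


def verify_request(method, url, request_params, header,
                   consumer_secret, token_secret):
    """Server side: recompute the signature with the secrets on file and
    compare in constant time. A request signed with the wrong secret fails."""
    oauth = parse_authorization_header(header)
    presented = oauth.pop("oauth_signature", "")
    base = signature_base_string(method, url, {**request_params, **oauth})
    expected = sign(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Constructed sample values; real ones come from the Twitter developer portal.
CONSUMER_KEY = "CONSUMER_KEY_EXAMPLE"
CONSUMER_SECRET = "CONSUMER_SECRET_EXAMPLE"
TOKEN = "USER_TOKEN_EXAMPLE"
TOKEN_SECRET = "USER_TOKEN_SECRET_EXAMPLE"
URL = "https://api.twitter.com/1.1/statuses/update.json"
PARAMS = {"status": "Hello Ladies + Gentlemen, a signed OAuth request!",
          "include_entities": "true"}


def demo():
    """Sign one request and check it the way the resource server would."""
    header, base = build_authorization_header(
        "POST", URL, PARAMS, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET,
        nonce="constructed-nonce-0001", timestamp=1318622958)
    return {
        "header": header,
        "base": base,
        "secrets_leaked": CONSUMER_SECRET in header or TOKEN_SECRET in header,
        "valid": verify_request("POST", URL, PARAMS, header,
                                CONSUMER_SECRET, TOKEN_SECRET),
        "valid_with_wrong_secret": verify_request(
            "POST", URL, PARAMS, header, "WRONG_SECRET", TOKEN_SECRET),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the check at the end is the one the answer makes: whoever holds the consumer secret and token secret can produce a valid signature for any request, and whoever does not cannot, so those two values are what needs an HSM or encrypted storage, not the token string that appears in the header.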
Excellent @Inkeliz, I thought the token was the user's password, and yes, it was contradictory of me to say I do not want to steal information, but I really don't want to. I will explain what I want to do... I want to make a site for exchanging followers, similar to this one... http://twitterlike.com.br. If you can answer me... is it possible (with the "Log in with Twitter" button) using oAuth, without the user logging in with their credentials? I am intermediate in PHP and Javascript; if you say it is possible I will try it, otherwise I throw everything in the recycle bin... Thank you for the well-prepared reply...
– user76271
If by later there is no better answer than yours, I'll mark it as solved, ok?... Now I think I'll use the "Log in with Twitter" button, save all the tokens in a table and make a roulette for users to follow each other...
– user76271
Great answer, but the best part for me was this: Not only do you have the ability to "steal" your credentials, but other people can "steal your theft".
– Randrade
Doing this is simple; it is possible, so much so that they have already done it. Using the public API (the "Sign in with Twitter" one) is possible, but it is much easier for Twitter to block the app, so you would lose all the users of the "followers exchange" by requiring everyone to sign in to a new app. With the private API, the most they can do is ban your IP, so you can use multiple proxies.
– Inkeliz
The issue of "theft" comes precisely from "Don't worry, we don't have access to your password". Until you prove me otherwise, they do have access to the password; the most they can do is not store it persistently. But they will store the session, which is practically the same.
– Inkeliz
@Inkeliz, I didn't understand the Private API part; could you edit the topic to explain it better? I searched Google and found nothing... "Doing this is simple; it is possible, so much so that they have already done it." Using the public API, I think they just renew the app's keys... But back to it... could you explain?
– user76271
The Private and Public API refers to the API itself, not the keys. https://www.upwork.com/hiring/development/public-apis-vs-private-apis-whats-the-difference/
– Inkeliz
Got it, I read the article... conclusion about the private API: I'll have to build it myself? I guess I got it...
– user76271
No, Twitter built it. Not all features are accessible through the public API ("Log in with Twitter"). See for example the link https://api.twitter.com/1.1/jot; it is not documented in the Public API, it is used exclusively by Twitter itself. Another example is https://twitter.com/scribe; enter it and you will get a blank page. There is also https://twitter.com/account/authenticate_web_view; these are some "links" which are used exclusively in the "Private API", and they can be obtained by monitoring traffic. It is this API you "should" use; remember the ToS.
– Inkeliz
Wow, it's getting more complicated, but with your tips I'm going to make an effort... I'm still full of doubts, but I don't want to "take advantage of you". Thank you; if anything comes up I'll open another question.
– user76271
To monitor it is F12 > Network, right?
– user76271
I think I was able to authenticate... but the cookie itself is random and not the same as Twitter's.
– user76271