OAuth Twitter Authentication and Q&A

Lesson 2 from: Building a Twitter App

Tony Hillerson

So, like I said, you'll need to sign up with Twitter. You'll need to make yourself a user on Twitter to be able to use this code. But not only that, you'll have to take the extra step of setting yourself up on Twitter as an application, as a third-party application. And this is part of the OAuth, um, piece that we'll be dealing with in the authentication, um, in that first week. So once you sign up as a user on Twitter, create yourself an account on Twitter, you can go to dev.twitter.com and create an application. And, um, I set up a screencast to walk you through this part. Um, Beth, how are we gonna get that URL to the users? I gave the URL to Sarah and she's gonna put it into the chat rooms. Okay, cool. Users, I said users. I say users for anybody, call anybody a user. Um, so, ah, that'll be helpful. Just go through that screencast however many times you need, and it will kind of show you what you need to do, even though the process is pretty simple to set yourself up as a third-party application developer on Twitter.

Um, and that needs to be done before you run any of the code, because otherwise things pretty much won't start out right at all. So, uh, again, you'll need to set up. So I set up a Twitter account. If you don't want to use Twitter, it's no big deal. Just keep yourself private. That's one of the settings, one of the choices you have on Twitter. And, uh, no one will be able to see your witty 140-character tweets. But, um, you will at least have what you need to run through this class and what you've set up on Twitter. Um, let's talk a little bit about what it means when I say safe authentication. So again, OAuth was kind of created so that users wouldn't have to, would be able to give permission to some third-party service or application or something to go basically act on their behalf at a server-based application, something like Twitter. Um, and in fact, some people from Twitter were actually some of the creators of OAuth, so it's kind of like they're some of the first of the game with this newly developing standard, and I think you'll see a lot of, um, a lot more of online services along the lines of Twitter. Like, for instance, Facebook has said that it's not gonna be supporting OAuth 2 for signing in remotely. So if you do something somewhere that puts stuff on your Facebook account or somehow manipulates your Facebook account, you'll probably be signing in through OAuth in the future. Um, so now that you have your Twitter account, you also need to set up your developer account like I mentioned. And here is a long URL to the screencast that shows you what to do. I think the, yeah, the YouTube version was posted to chat just now, so there's a couple different links that you could go to and I will walk you through creating an application on Twitter there.
So let's talk about OAuth a little bit. OAuth is basically a way to permit a third-party application to act on your behalf with resources on a website without knowing your credentials for that website. So credentials meaning your password, so you don't have to give your password out. And still you can give permission to some third-party application to act on your behalf on a service like Twitter. So where does tweet, for instance, fit in? That is, in, ah, Twitter, or I'm sorry, in OAuth parlance, a consumer. The third-party application is called a consumer because it's consuming something from the server-based application on you, the user, or, in OAuth parlance, the resource owner, on your behalf. So the way it kind of works is the third-party app acting as an intermediary between you and the server as a user. Um, here's a kind of a simplified, uh, diagram that shows. So the arrow going down is over time. These are kind of like conversations that are happening between these different actors over time: the user's on the left, the consumer's in the middle, the server's on the right. So the first thing the user says in this conversation, um, that, ah, OAuth lines out is to the consumer application, or the third-party application, like, oh, tweet: hey, I'd like to load this resource from the server that happens to be protected. And at this point in the game, the user is unauthenticated. They haven't signed in. They haven't logged in at all. So the consumer application, this third-party application, says to the server, I need to get a request token from you, and I'm going to pass along these consumer tokens, which I go over in my screencasts how to get those consumer tokens. The consumer passes those to the server, and the server says, yes, okay, I know who you are. You're a third-party application that's registered with our service, and I can see that you want to make a request on behalf of a, of a user.
So here are some temporary request tokens that you can use to make sure that I can figure out what user and what app I'll need to authenticate for. So the server passes back these request tokens, and the consumer keeps those around and then says to the user, well, before you can do that, you need to sign in to this service. So it presents some way to sign in, either a native control or the web page like we'll be using. And then the user signs in and they're now authenticated on the server. The server will call back through some sort of mechanism to the consumer, and the consumer will say, okay, now, good, the user is authenticated. I want to exchange the request token that I've already got for just this temporary authentication piece for something called an access token, and that's something that's more durable. It sticks around for the user. And, ah, the server says, okay, good, that request token is good. The user's authenticated. Here are the access tokens for that user. And the consumer can store those access tokens, and it basically uses that on every call to the server in place of where it would, for something like basic auth, use the username and password. So now the password's not flying around. The consumer never got the password from the user. It's, ah, it doesn't store the password or anything like that, so users should feel safe that the consumer is now limited to doing whatever it said, whatever the server said, gave it permission to do, and it doesn't have the user's password. So now the whole sort of process starts over again, except that the user is now in an authenticated state. So it says, hey, consumer, I want to get this protected resource. And the consumer says sure, passes that request along to the server, and the server sends back the protected resource. Because the access tokens were sent along, it can verify that that user was authenticated and allowed, they gave permission to the third-party application.
So it's kind of a complicated dance that goes on all kind of behind the scenes just so that the third-party application doesn't ever store the password. But apparently this is the way things are going on the web. So this will be kind of a nice exercise for you to get some experience with how OAuth works. And to do all this, you need to get those consumer tokens. So tweet is going to be looking for the consumer tokens to be stored locally. I'm not gonna, I've already set up my Twitter user to have a third-party account on Twitter, so I have some consumer tokens, but I don't want to share that with anybody else. And you, as a third-party application developer, wouldn't want to share your tokens with anyone else either. So each of you, to run the code, will need to sign up as a third-party application developer on Twitter, then, to get your own consumer tokens. And then the way that we're gonna make it super simple for the user of our application to sign in is by acting as a browser-type application. So when you sign up for Twitter, ah, Twitter third-party application developer, and create a new application, um, one of the things that I go over in my screencast is that you need to set up your application type as a browser type, and then you need to put in a callback URL of tweet dot com authenticated. That's just, ah, a special key that, um, when the user is authenticated, Twitter will redirect to that URL. And since we're acting as a browser-type application and we'll have, ah, a web view inside of our Twitter application that we build, we'll know that Twitter is redirecting to this particular URL and we'll know that everything is now good. The user is authenticated. We can go into the next step of getting the access tokens, and all the user has to do is sign in and press OK or Allow or something. I think that's the button name on the Twitter web view. So, um, we could do all that.
That'll be the interesting Android SDK part of that first week, where we intercept that redirection from Twitter to tweet dot com authenticated and kick off the next part of the authentication process. So there's two important steps there. Make sure you're a browser application and you put in that tweet dot com authenticated callback URL. And then, after all that is set up, you will have a consumer key and a consumer secret key, which I've blurred out here on mine. But you will need those two pieces of information, and we'll put those into a properties file in our case application there in the first week, and then you will be a consumer app on Twitter and be ready to act on behalf of a user. So pretty much the takeaway is that OAuth is around to eliminate the need for users to give passwords to third-party applications, but to allow them to act on their behalf. And, um, we'll be going through that dance in a little more depth from an Android point of view next week. So are there any questions about the OAuth part or what we went over today or just this class in general? We do have a few questions. Somebody asked, uh, so the token and the secrets are for the apps. Is there a revocation list if an app goes away, um, or the provider doesn't like it anymore? So yeah, you can. I didn't show this, um, in any of the slides, but I think I show it next week. Um, as a user, as just a normal Twitter user who wants to use a third-party application, you'll have the list of all the applications. If you go to your Twitter account, I think to settings or something like that, it shows all of the applications that you've given permission. And with Twitter, you can choose, when you give an application permission, you can choose either read only or read and write, and you could see, like, what level of permission you've given to any third-party applications. And then you could at any time revoke that.
And then that application's tokens will no longer be valid for that user. Um, then the access token won't be valid for that user, and that won't work for that user anymore until they go back to sign in and authenticate again and get new access tokens. Okay. And could we use OAuth for other services like Facebook? Yeah. I'm not really sure of all the details, but, uh, Facebook is going to start using OAuth 2 fairly soon. Okay. I think this is definitely catching on with all the social sites. Yeah, um, I can't think of any others right now. To OpenID. Okay, so, yes, OAuth is not OpenID. They're two separate things, but, um, you may see some convergence. So kind of, OpenID is a way to not have to, it's kind of the same thing in practice. Like, I can sign in through some site with OpenID and I don't have to create an account there. I don't have to manage a username and password on that account at all, because it goes through, um, whatever OpenID provider I use at some point during the authentication process. And then I basically say, yes, I'm signing in through the OpenID provider, and then it redirects back to that other application. And then I don't actually have to have maintained a username and password at all on the server application in that case. So it's slightly different, but it's kind of, you know, along the same lines. We may see some convergence down the line. I'm not sure. Um, there's a little bit of churn in this area, and there's also a lot of, you know, development dance that has to go on with either one of those. So it would be nice to kind of see some sort of convergence and, uh, overlapping in what those types of protocols, um, actually provide the user. So is OAuth the only way to authenticate on Twitter? Is that the one they recommend? Um, other ways?
Yeah, well, basic authentication still works, and it's not gonna go away. It's just gonna be deprecated on Twitter. So that's happening in June. I think I actually have it on this slide back here. Let me flip back to here. It says on June 30th, 2010, the Twitter API team will be shutting off basic authentication on the Twitter API. Okay, so I was wrong. It's not even gonna work. Um, so every Twitter application that you use where you sign in with the username and password is gonna need to update to use OAuth instead. Otherwise they won't work. And, um, they've deprecated it. I think they're gonna be deprecating it sometime around the beginning of June. So it's going to start to, like, go out of favor, and they may send warnings, and they may, I don't know. They're gonna be switching over fairly soon. Um, one application that I use on the iPhone and iPad is called Twitterrific. They've already changed over to OAuth, and it was a pretty painless experience. Um, it just, like, sort of signed me in. Um, didn't have to worry about it at all, and it worked pretty well behind the scenes for me. So you'll see that thing starting to happen over time. So one interesting thing, though, from our perspective as developers of this little application, is that Twitpic4j, the Java library that I use later on to post pictures up to Twitpic, has not changed over to OAuth yet. And I'm not sure how that's gonna play out. There may even be a new version, and, um, I'd have to put up new code later in this class. But if the developer of that library doesn't get around to updating to OAuth during the class, but does sometime afterwards, somehow we'll put something up on the forums or something like that.
But if he doesn't get around to it at all, then, I don't know, that part of the application may end up not working, which would be kind of a bummer, but at least, you know, from an Android point of view, you'd still learn how to use all the SDK features. But that's, ah, so that's kind of the thing that happens with platforms like this, you know, when they make choices that everybody's gotta switch over, and there's a lot of work that has to be done all over the place. So luckily, we can start off with OAuth from the start and not have that problem. So a couple people have asked to see the nice diagram you put together explaining how it works with the requests going back and forth. Okay. Yeah, hopefully that's easy enough to read. You can get a copy of the slides. Those go over it, because it's definitely pretty in depth. Yeah, it is. And then while you're showing that, somebody had asked about XML graphics, and I'm not sure you were talking about creating graphics with XML. It was more that you use that XML file to specify what the graphic components are that go on the screen, right? No, you can actually, with XML, um, there's sort of a drawing API where you can describe what you want to see in a specific XML dialect that Android gives you. Like, I can say I want a gradient, um, that goes from top to bottom and starts with this color and ends with this color, and it goes into a square that's this big. And, uh, yeah, you could draw with XML. Is it similar to SVG, or is it totally different? Um, I mean, it's similar in that it's, like, tagged, but no, it's not like a subset of SVG or anything like that. It's Android's completely own proprietary thing. Okay, cool. Um, Ruth and Sarah, do you have any more questions for Tony? Yes. Um, somebody was asking. They're very concerned about the difference between 1.6 and 2.
and whether they're going to need 2.1, 2.x, ah, test clients and above at some point for doing the work in this class and then beyond. Um, the question is, they're wondering if they need to upgrade their SDK to 2.1. They want anything, all 2.1 test clients for this class, or if they can get by with lower test clients. I'm assuming that they have a 1.6. Okay, they may have run into this problem. I put the application up on the Android Market for anybody to check out and kind of see what we're building. And it's only available for 2.1 because I did something with, um, the thumbnail. So, like, when you take a picture with the camera, I create a thumbnail through an API that wasn't available before, I believe, 2.1, maybe 2.0. So, um, that was just, like, it's a lot easier. It's a lot less code, so I just did it that way. But so it's not available on 1.6. So that's maybe why they're asking this question. I could go through and change that code so that it is 1.6 compatible, and I think that's the only piece that's sort of using later SDK features, but it's just more code and kind of more noise. I mean, it's not really that hard to, um, through Eclipse, update your SDKs and have multiple SDKs ready to work with and create an emulator using 2.1, so I don't think that should be too much of a drawback for this class, um, to just set yourself up with the multiple SDKs. If you're worried about testing it on, like, devices, and you don't have, ah, a device that has 2.1, you won't be able to run this code unless you want to make the change there or somehow convince me to make the change, I guess. Is there some sort of device ID for each phone so you can uniquely identify an Android phone? This is sort of a little bit off topic still, but they were just kind of curious about this. I'm assuming they're gonna be doing something with that. That's a good question.
I don't know if there is an API to get a unique device ID. I know on the iPhone there is, and that's used for push notifications. But I don't know about Android. It's a good question. Could look into it. Yes, and maybe that's a good segue to talk about the forums. We do have forums. It's at oreilly.com. If you go to forums.oreilly.com, there's a list of all our forums. And then I also posted the link in the chat room, which we can do again, that goes directly to the Android forum. And it's a continuation of the forum that we used for the first part of the course. So you'll already see there's plenty of great content in there, questions and answers from the first part of the course. Um, and if you have additional questions that didn't get answered today or you want to ask Tony directly, feel free to post your questions on the forums. We'll get to them. Yeah, and we'll just keep it going. Ask anything that you like about Android there. So that was our overview class for this course. And like I said earlier, we will be posting this for free on oreilly.com. So if you missed anything, you could go back and look at it. If you need to get Android installed, there's plenty of instructions. I posted a screencast with a few bits of information about how to get the Android SDK installed in Eclipse. All you have to do is download Eclipse, download the Android SDK and get that installed. We did cover that in part one, and use the forums again if you're struggling with that, and we can answer your questions there. And then come back next week and we'll start getting you authenticated on Twitter. And I just wanted to say thank you again to our sponsor, AdMob, and look forward to seeing you all next time. So thanks very much. A round of applause for Tony. Thanks, everyone. And I'll see you on the forums or next week.
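The token exchange described in the lesson, as an added Python simulation that is not the instructor's code or Twitter's API: a toy server and a consumer go through request token, user sign-in, access token and a signed call, with HMAC-SHA1 signing in the style of OAuth 1.0. Endpoint names, keys, the user and the password are constructed, and the `oauth_nonce`, `oauth_timestamp` and `oauth_verifier` parameters that real requests carry are left out.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

BASE = "https://api.example/"   # constructed endpoint root, not a real API
def enc(s):
    return quote(str(s), safe="-._~")   # OAuth 1.0 percent-encoding

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over method, URL and sorted parameters; the key joins both secrets.
    norm = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in params.items()))
    base = "&".join([method.upper(), enc(url), enc(norm)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def signed(path, consumer_secret, token=None, token_secret=""):   # consumer side
    p = {"oauth_consumer_key": "ck-demo", "oauth_signature_method": "HMAC-SHA1"}
    if token:
        p["oauth_token"] = token
    p["oauth_signature"] = sign("POST", BASE + path, p, consumer_secret, token_secret)
    return p

class Server:
    def __init__(self):   # every key, user and password here is constructed
        self.consumers = {"ck-demo": "cs-demo"}       # registered third-party apps
        self.passwords = {"alice": "correct-horse"}   # held by the server only
        self.req, self.acc = {}, {}                   # request / access tokens

    def _valid(self, path, params, token_secret=""):
        p = dict(params)
        sig = p.pop("oauth_signature", "")
        cs = self.consumers.get(p.get("oauth_consumer_key"))
        return cs is not None and hmac.compare_digest(
            sig.encode(), sign("POST", BASE + path, p, cs, token_secret).encode())

    def _mint(self, store, user):
        tok = secrets.token_hex(8)
        store[tok] = {"secret": secrets.token_hex(8), "user": user}
        return tok, store[tok]["secret"]

    def request_token(self, params):
        return self._mint(self.req, None) if self._valid("request_token", params) else None

    def authorize(self, tok, user, password):
        # The user signs in on the server's own page; the consumer never sees this call.
        ok = tok in self.req and hmac.compare_digest(
            self.passwords.get(user, "").encode(), password.encode())
        if ok:
            self.req[tok]["user"] = user
        return ok

    def access_token(self, params):
        r = self.req.get(params.get("oauth_token"))
        if not r or not r["user"] or not self._valid("access_token", params, r["secret"]):
            return None
        del self.req[params["oauth_token"]]           # request tokens are single use
        return self._mint(self.acc, r["user"])

    def timeline(self, params):
        a = self.acc.get(params.get("oauth_token"))
        ok = a and self._valid("timeline", params, a["secret"])
        return f"timeline of {a['user']}" if ok else None

    def revoke(self, user):   # the user withdraws the app's permission
        self.acc = {t: a for t, a in self.acc.items() if a["user"] != user}
```

The consumer only ever holds its own key and secret plus the tokens the server hands back; the password appears solely in `authorize`, which models the sign-in page the server itself shows the user.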