If you haven’t heard, Twitter updated their API to v2 with a steady stream of new endpoints for existing and recent services. One of the hottest additions is OAuth 2.0 authorization support. My Twitter API library, LINQ to Twitter, supports Twitter API v2, adding new endpoints as they’re announced. This post explains how LINQ to Twitter supports the Twitter API’s latest endpoints for OAuth 2.0. I’ll explain what OAuth 2.0 is and what its benefits are. Then I’ll dive straight into how to use OAuth 2.0 in an ASP.NET MVC application. Finally, I’ll follow up with important configuration information for making the moving parts work together.
Understanding OAuth 2.0
Let’s set the stage for why OAuth is important by looking at all the parties involved: Twitter, your app, and a user. As you know, Twitter is a social media app that lets people tweet, reply, and perform an ever-growing range of tasks. The user is the person who engages with both Twitter and your app to (hopefully) enhance their experience on Twitter. Your app needs to act on the user’s behalf by using the Twitter API.
The thing is, how does the user know that your app isn’t going to do anything on their account that they don’t want you to do? That’s a problem you have to solve. However, Twitter and other companies also need a mechanism in place that protects users by: not requiring them to give out a password, not making them change a password in every app, and letting them disable any app at any time.
OAuth does this by letting the user authorize your app to act on their behalf. It solves the password problem by never giving you the user’s password. It also solves the disablement problem: the user tells Twitter that they want to allow your app to work with their account, and when they no longer want to use your app, they go to Twitter settings and disable it. This protects the user, and it’s incumbent upon your app to keep the user’s trust.
OAuth 2.0 is easier to implement and more secure than its predecessor, OAuth 1.0a. Although not all of the Twitter endpoints have migrated to OAuth 2.0 yet, you should prefer OAuth 2.0 wherever it’s available.
For simplicity, in the rest of this post I’ll just use the term OAuth to refer to OAuth 2.0. Next, let’s discuss the authorization process.