The project I am working on requires that users allow my Twitter service to access their account information. The only reason I require this is because this service makes several API requests over the course of time, and instead of having users use up all of my allotted API service requests, I use their’s instead, It’s a little more complicated than that, and a full explanation falls outside the scope of this post. All you need to keep in mind for this post is that I need to have access to their account so API calls are counted on their behalf and not my server’s.

Currently, Zend Framework 1.9 only supports basic authentication for the Twitter API, which works well, but leaves, or should leave, a bad taste in the end-user’s and developer’s mouth. I say this because a developer who wants access to a user’s account at a later time (e.g. if you are running scheduled API calls) will have to store the user’s credentials on the server. This means A) the user may be iffy about using your service since they may not trust your site and/or want their password stored on your server, and B) this creates more overhead for you because you now have to keep track of user information, keep it secure, etc. The way we get rid of this bad taste is to implement a system such as OAuth.

OAuth is an authentication protocol that allows secure API authorization for applications. What this means is that a user can grant you, the 3rd party developer, access to their information without providing you with their username and password. User login takes place at the source, in this case at Twitter.com. For more information about OAuth, please see the Twitter API Wiki / OAuth FAQ

If you are currently using the Twitter API, it is probably better to change over to using OAuth sooner than later since support for basic authentication will be going away in the future.

In order to get Zend_Service_Twitter working with OAuth, you will need to obtain OAuth via subversion since it is not in the currently released version of Zend Framework. It can be obtained here.

The code you are about the see takes place in my IndexController, meaning I am using Zend’s MVC setup. I have also put configuration information inline so you can see exactly what is passed into each object.

<?php
/**
 * Default Index Controller using Zend's MVC implementation.
 *
 * @author Raymond J. Kolbe <rkolbe@white-box.us>
 */
class IndexController extends Zend_Controller_Action
{
    /**
     * Login Action
     *
     * Performs user login through Twitter using OAuth.  If user's have not
     * granted our application access to their account, they will be sent to
     * Twitter to do so.  Once done, they will return to this page again so
     * that we can handle them (e.g. run our application for them).
     *
     * @param void
     * @return void
     */
    public function loginAction()
    {
        // Check to see if the user already has an OAuth access token
        if ($this->_session->access_token) {
            // You would redirect the user to the main part of your
            // application that they needed to be authenticated for.
        }
        // Configuration for OAuth. @see Zend_Oauth_Consumer
        $config = array(
            'signatureMethod' => 'HMAC-SHA1',
            'callbackUrl' => 'http://localhost/login',
            'requestTokenUrl' => 'http://twitter.com/oauth/request_token',
            'authorizeUrl' => 'http://twitter.com/oauth/authorize',
            'accessTokenUrl' => 'http://twitter.com/oauth/access_token',
            'consumerKey' => 'jDrJud90Jhg66whddj876',
            'consumerSecret' => 'UdjneHdyGsj90Bsg2UdjneHdyGsj90Bsg2'
        );
        $consumer = new Zend_Oauth_Consumer($config);
        // If we do not have a request token, generate one now
        if (!$this->_session->request_token) {
            $request_token = $consumer->getRequestToken();
            // Save the token for when the user returns to this page.
            // This will be used to get the user's access token.
            $this->_session->request_token = serialize($request_token);
            // Send the user off to Twitter to grant our application access
            $consumer->redirect();
            return;
        }
        // If we made it here, the user has been to Twitter to grant our
        // application access and now we must get an access token that
        // will allow us to make API calls on behalf of the user.
        $access_token = $consumer->getAccessToken($this->_request->getQuery(), unserialize($this->_session->request_token));
        // We no longer need the request token so remove it
        unset($this->_session->request_token);
        // Save to session so that reloading of this page will send the user
        // to your application main page or wherever you want them to go.
        $this->_session->access_token = serialize($access_token);
        // This line is very important. Since Zend_Service_Twitter does
        // not have support for OAuth (yet), this is how we get it to work.
        // All we are doing is making Zend_Service_Twitter use OAuth's
        // HTTP Client instance, which will automatically append the proper
        // OAuth query info to any Twitter service call we make from here
        // on out.
        Zend_Service_Twitter::setHttpClient($access_token->getHttpClient($config));
        // Username and password are passed in as null because we will not be
        // authenticating using a user/pass combo (which uses basic
        // authentication).
        $twitter = new Zend_Service_Twitter(null, null);
        // This is not required but shows you as an example that OAuth did
        // in fact work.
        $response = $twitter->account->verifyCredentials();
        // Your code goes here.  This would be the point you want to save
        // the access token to the database for later use and/or save a cookie
        // on the user's system.
    }
}

A while back (3 or 4 months) I emailed the guys over at Dropbox asking them about a public API. The response I got was basically that in the near future they will have something. I want it now!! Guess I will have to keep tabs on that Google Group (link above).