UPDATE: You can watch me on GitHub, view documentation or fork the project.

Twitter recently added a feature to their API that lets you allow users to sign into your site with their Twitter username and password. I recently wrote a blog post on how to use Twitter's OAuth API. This feature is a natural progression in allowing Twitter users to securely sign into your site.

Experience how it works

I've set up a basic example on this site. Try it out here. The files used in this example are available for download and should work on your server if you follow the steps.

Getting up to date

If you experience any problems then make sure you are using the latest version of the code. It's available on GitHub.

Setting up your application on Twitter

The first step is to set up your application on Twitter. You can add an application on Twitter's OAuth clients page. Click on register a new application and fill out all the fields. The two important fields are:
* Callback URL: The location of confirm.php on your server (http://yourdomain.com/confirm.php)
* Use Twitter for login: Check this!
Once you've created your application you will need to copy and paste your consumer key and secret into secret.php.

Seeing it all in action

That's it. Browse to start.php on your server and follow the flow. You'll be asked to log in to Twitter if you're not already. Once you log in, Twitter will confirm that you want to allow your application access to your account. Clicking confirm will take you back to your callback URL along with a request token. You'll exchange your request token for an access token which you can use to authenticate as yourself (or whoever is going through the flow). For the sake of this exercise we are saving the access token to a cookie. We use the access token to retrieve your profile and place a link to another page. This other page will use the access token from your cookie and get a listing of all your friends.

The beauty of this is that once a user allows your application access to their account they don't have to do it again. This means that the next time they visit your site and click on the link to sign in with Twitter, it will immediately redirect them to your callback page with the request token. It's all very seamless because from the user's perspective if they are logged into Twitter they are logged into your site. Very cool.

A look at the code

Every file loads in the dependencies. These are the includes at the top of each page.

include 'EpiCurl.php';
include 'EpiOAuth.php';
include 'EpiTwitter.php';
include 'secret.php';

Anytime you want to make requests to Twitter you need to instantiate the EpiTwitter class. The constructor takes a minimum of two parameters: your consumer key and consumer secret.

$twitterObj = new EpiTwitter($consumer_key, $consumer_secret);

To obtain the authenticate URL which starts the flow you simply call the correct function.

$authenticateUrl = $twitterObj->getAuthenticateUrl();

Once the user authenticates with Twitter they are redirected back to your callback URL along with a request token. We need to exchange the request token for an access token. For simplicity we will save the access token to a cookie so we can make subsequent calls. On this page we will use the setToken method to set the access token and secret. As we will see on the next page, these can be passed in as parameters to the constructor as well.

// the request token Twitter sent back on the callback URL
$twitterObj->setToken($_GET['oauth_token']);
// exchange it for the long-lived access token and secret
$token = $twitterObj->getAccessToken();
$twitterObj->setToken($token->oauth_token, $token->oauth_token_secret);
// httponly (last argument) keeps the token and secret out of reach of page scripts;
// the cookie is still sent to your server on every request
setcookie('oauth_token', $token->oauth_token, 0, '/', '', false, true);
setcookie('oauth_token_secret', $token->oauth_token_secret, 0, '/', '', false, true);

Since we saved the access token in a cookie we can make calls to Twitter on behalf of the user for as long as the cookies are valid.

$twitterObj = new EpiTwitter($consumer_key, $consumer_secret,
    $_COOKIE['oauth_token'], $_COOKIE['oauth_token_secret']);

try {
  // the request is only guaranteed to complete once the response is read,
  // and a non-200 reply throws, so both belong inside the try block
  $twitterInfo = $twitterObj->get_statusesFriends();
  foreach ($twitterInfo as $friend) {
    // screen names come from a third party; escape them before output
    echo htmlspecialchars($friend->screen_name, ENT_QUOTES, 'UTF-8');
  }
} catch (EpiTwitterException $e) {
  echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}

Update: If you don't access any of the response variables then there is no guarantee that the call completes. This should also be done in a try/catch block since a non-200 response will throw an exception.
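Putting the callback step together, here is an added example (not code from the post or from the EpiTwitter project) of a confirm.php that does the token exchange inside a try/catch as the update recommends and keeps the access secret in the server-side session instead of a cookie. It assumes secret.php defines $consumer_key and $consumer_secret and that the EpiTwitter methods behave as shown above; the friends.php redirect target is a placeholder.

```php
<?php
// Added example: hardened confirm.php for the request-token -> access-token exchange.
// Assumes secret.php defines $consumer_key / $consumer_secret (as in the post).
include 'EpiCurl.php';
include 'EpiOAuth.php';
include 'EpiTwitter.php';
include 'secret.php';

// Session cookie: path '/', no domain, secure=false (set true when served over HTTPS),
// httponly=true so page scripts cannot read the session id.
session_set_cookie_params(0, '/', '', false, true);
session_start();

// Twitter redirects back with ?oauth_token=...; reject a missing or malformed value
// before it is passed to the library.
if (empty($_GET['oauth_token']) || !preg_match('/^[A-Za-z0-9_-]+$/', $_GET['oauth_token'])) {
    header('HTTP/1.1 400 Bad Request');
    exit('Missing or malformed oauth_token');
}

$twitterObj = new EpiTwitter($consumer_key, $consumer_secret);
$twitterObj->setToken($_GET['oauth_token']);

try {
    // Network call; a non-200 reply from Twitter throws EpiTwitterException.
    $token        = $twitterObj->getAccessToken();
    $accessToken  = $token->oauth_token;
    $accessSecret = $token->oauth_token_secret;
} catch (EpiTwitterException $e) {
    header('HTTP/1.1 502 Bad Gateway');
    exit('Token exchange failed: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
}

// Rotate the session id on login so a session fixed before authentication is discarded,
// then store the credentials server-side rather than in a client cookie.
session_regenerate_id(true);
$_SESSION['oauth_token']        = $accessToken;
$_SESSION['oauth_token_secret'] = $accessSecret;

// Placeholder target: the page that lists friends using the stored token.
header('Location: friends.php');
exit;
```

The friends page then reads `$_SESSION['oauth_token']` and `$_SESSION['oauth_token_secret']` and passes them to the EpiTwitter constructor in place of the `$_COOKIE` values shown above.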

That's all! If you're still interested in learning more about OAuth then the following links are invaluable.