What is oauth_token_secret in Twitter OAuth

Question

When I get an access token from Twitter I get something like the following:

oauth_token=14410002-F5Bi8hMpQbXamM8MBBw8zw2LYIBL4FEBvxLZfaSwX&oauth_token_secret=K8QNvDcC2f9qtGU8tfa75exwLZ2Sc1jeHrThnk6Co&user_id=14410002&screen_name=blueonion

What is the oauth_token_secret? Is that what is used to sign protected requests or is the consumer_key still used.

Answer 1

The short answer is: The oauth_token and the oauth_token_secret both make up the Request token which is used to sign requests.

Here are some resources which might help:

• the OAuth specification (esp. section 6)
• Twitter Single-user OAuth with Examples
• The terminology part of the OAuth guide

This is not the consumer key. The consumer key is only used for identifying the consumer (= the code which calls Twitter) while the Request Token is bound to the user. The Request Token consists then of a public and a secret part which are both used for signing the request as explained in the specification in section 9.

But you probably want to use one of the libraries and have a look at the examples.

Answer 2

this is actually a really good question because twitter appears to have broken the oauth 1.0 standard on this requirement. i found out by accident that if you omit the oauth_token_secret from the signing key, ie.

$signing_key = encode_rfc3986($consumer_secret).'&';

instead of

$signing_key = encode_rfc3986($consumer_secret).'&'.encode_rfc3986($oauth_token_secret);

when requesting the access token, both will work just the same for twitter.

on my website i developed twitter oauth before i developed any other oauth 1.0 service provider authentication and i couldnt figure out why an oauth_token_secret was even needed. once i tried the same code out on yahoo and linkedin i had a nasty shock since the same code that worked for twitter did not work on the other service providers (ie i was using the first snippet above when i should have been using the second snippet)