Reputation: 193
What is the best way to do Twitter OAuth authentication safely in JavaScript?
I am trying to write a program to let the user analyze his Twitter usage and followers / friends. I've written a server side version which works using the python tweepy module.
I would like to share it with people, but I would like it to run in the browser to be scalable vs. running on my small server.
I see another question where the upshot is that it's not recommended and not safe: JavaScript OAuth sign in with Twitter
Which makes sense if one were sending the consumer (app) secret or access (user) secret in the app's JavaScript.
But why couldn't I build the URL on the server side like here - http://djangosnippets.org/snippets/1353/
Then send the authentication URL back to the browser, something like this from the OAuth Tool on Twitter's My Applications page (not valid credentials)
GET&https%3A%2F%2Fapi.twitter.com%2F1%2F&get%252Faccount%252Fverify_credentials_json%3D%26oauth_consumer_key%GD0bgcgMU4MDwNfKQpLFQS3%26oauth_nonce%3D24ad5049501dee1292afd8cf22307d68%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1329173626%26oauth_token%uPUpxsBc3D283768289LtQ6R1Ez1KeD8DOSsm5XpqJaKI28ysYh%26oauth_version%3D1.0
Then have jQuery use that to authenticate with the user's credentials and run the analysis.
It's a significant piece of work; I'd hate to do that and then find out it doesn't work or is an unsafe approach (or that it's already been done).
Is that safe? It doesn't seem to expose any secrets.
Will that work?
Any pointers/examples on the right way to do the authentication for a jQuery noob, with the necessary Authorization: header and cookie/redirect processing?
I feel like I'm missing something: either there's a reason this won't work, or it should already exist somewhere, but I haven't found it. Many thanks!
Upvotes: 6
Views: 2547
Reputation: 46873
The problem, Mr. McNuts, is that OAuth requires you to pass in your consumer secret, so even if you build the URL on the server, you'll still pass it back to the web page, which will still expose your consumer secret via an HTTP proxy.
To prevent exposing your secret, you'll need to use a proxy to do the Twitter auth request and return the OAuth token back to the browser. If you're really worried about scale, I would look at a pay-for-scale solution like GAE or Heroku.
Upvotes: 3
Reputation: 355
I don't understand very well the approach you are proposing. But in general terms, OAuth cannot be safely implemented on the browser client side (except in secure closed environments like Java or Flash). Implementing the OAuth process in JavaScript is quite possible, but you will expose your secret/consumer token, so anybody would be able to supplant your application's identity with mischievous intentions, like stealing your users' sensitive data. If you still want to work with JS, I recommend you implement the secure process (authentication and final token storage) on the server side using Node.js.
Upvotes: 0