
Is OAuth 2.0 with PKCE flow supported?

Open antsstyle opened this issue 3 years ago • 3 comments

Hi everyone,

Just wondering in case I've missed it - is Twitter's OAuth 2.0 with PKCE flow supported in TwitterOAuth? I can't find mention of it anywhere in the docs, and the methods I can find only seem to support OAuth 1.0a.

Still figuring out exactly how the PKCE flow works with Twitter, sorry if I missed something obvious somewhere!

antsstyle avatar Feb 22 '22 17:02 antsstyle

I believe this will require some work but I haven't had time to look into it yet.

abraham avatar Feb 28 '22 13:02 abraham

Alright. I'm looking into it during the month - if I figure it out and have time, I'll make a pull request; if not, I'll post my findings here.

antsstyle avatar Mar 01 '22 22:03 antsstyle

Writing an update here, have managed to get OAuth2 with PKCE working and making requests successfully. The main pitfalls were getting the authorize URL correct and putting correct scopes on the access tokens.

The example pseudocode here is for a Confidential Client app that can keep its client secret secure. I'll try and write a proper explanation and some better code if I get time. Sorry for the not-so-great code quality xD twitteroauth2pkce.zip

antsstyle avatar Mar 08 '22 18:03 antsstyle

Hi @abraham. Is this supported now by any chance? It doesn't seem like it, but I'd like to confirm with you 😊 Thank you!

ghnp5 avatar Nov 19 '22 00:11 ghnp5

OAuth2 with PKCE for Twitter APIv2 is supported by The PHP League with https://github.com/smolblog/oauth2-twitter

You can use smolblog/oauth2-twitter to generate the Bearer Token and then use it in abraham/twitteroauth.

```php
// Create the Auth provider (smolblog/oauth2-twitter builds on league/oauth2-client,
// which generates the PKCE verifier/challenge for you).
$twitterProvider = new Smolblog\OAuth2\Client\Provider\Twitter([
    'clientId'     => $this->clientId,
    'clientSecret' => $this->clientSecret,
    'redirectUri'  => '...', // the callback URL registered for the app
]);
// ...
$authUrl = $twitterProvider->getAuthorizationUrl(['scope' => self::SCOPE_PERMISSIONS]);
// Save $twitterProvider->getState() and $twitterProvider->getPkceCode() in the session
// here; the PKCE code is the $oauth2verifier needed on the callback.
// Redirect to grant the permissions
// ...
// On the callback: check the returned state against the session, then exchange the code for the token
$bearerToken = $twitterProvider->getAccessToken('authorization_code', [
    'code'          => $code,
    'code_verifier' => $oauth2verifier,
]);

// ...
// Use the bearer token: with a null OAuth token and a non-empty fourth argument,
// TwitterOAuth treats the fourth argument as a bearer token.
$twitterOAuth = new Abraham\TwitterOAuth\TwitterOAuth(
    $this->consumerKey,
    $this->consumerSecret,
    null,
    $bearerToken->getToken()
);
```

anibalsanchez avatar May 22 '23 10:05 anibalsanchez
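The PKCE steps that the answer above delegates to smolblog/oauth2-twitter, written out in dependency-free PHP 8 as an added example (this is not code from abraham/twitteroauth, smolblog/oauth2-twitter, or anyone in this thread). It covers the two pitfalls mentioned earlier in the thread: building the authorize URL (S256 challenge, space-separated scopes, state) and the confidential-client token request. The endpoint URLs are Twitter's documented OAuth 2.0 endpoints; the client id, client secret, redirect URI, scopes and the callback query at the bottom are placeholders and constructed data. The self-check uses the RFC 7636 Appendix B test vector, so the challenge computation can be verified offline.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Endpoints per Twitter's OAuth 2.0 docs;
// CLIENT_ID, CLIENT_SECRET, redirect URI and scopes are placeholders.
const AUTHORIZE_URL = 'https://twitter.com/i/oauth2/authorize';
const TOKEN_URL     = 'https://api.twitter.com/2/oauth2/token';

function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// RFC 7636 section 4.1: 32 random bytes give a 43-character verifier.
function pkceVerifier(): string
{
    return base64url(random_bytes(32));
}

// RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function pkceChallenge(string $verifier): string
{
    return base64url(hash('sha256', $verifier, true));
}

// Step 1: build the authorize URL; keep state and verifier server-side in the
// session until the callback. Scopes are space-separated; offline.access is the
// scope that yields a refresh token.
function beginLogin(string $clientId, string $redirectUri, array $scopes, array &$session): string
{
    $verifier = pkceVerifier();
    $state    = base64url(random_bytes(16));
    $session['oauth2state']    = $state;
    $session['oauth2verifier'] = $verifier;

    $query = http_build_query([
        'response_type'         => 'code',
        'client_id'             => $clientId,
        'redirect_uri'          => $redirectUri,
        'scope'                 => implode(' ', $scopes),
        'state'                 => $state,
        'code_challenge'        => pkceChallenge($verifier),
        'code_challenge_method' => 'S256',
    ], '', '&', PHP_QUERY_RFC3986); // RFC3986 encodes the spaces in scope as %20

    return AUTHORIZE_URL . '?' . $query;
}

// Step 2 (callback): reject a missing or mismatched state (CSRF), then consume
// the verifier so the same session cannot replay it. Returns [code, verifier].
function handleCallback(array $query, array &$session): array
{
    if (!isset($query['state'], $query['code'], $session['oauth2state'], $session['oauth2verifier'])
        || !hash_equals($session['oauth2state'], (string) $query['state'])) {
        throw new RuntimeException('OAuth2 state mismatch or missing code');
    }
    $verifier = $session['oauth2verifier'];
    unset($session['oauth2state'], $session['oauth2verifier']);
    return [(string) $query['code'], $verifier];
}

// Step 3: token request for a confidential client. The client secret travels
// only in the HTTP Basic header; redirect_uri must match the one used in step 1.
// Returned as url/headers/body so it can be sent with curl or any HTTP client.
function tokenRequest(string $clientId, string $clientSecret, string $redirectUri, string $code, string $verifier): array
{
    return [
        'url'     => TOKEN_URL,
        'headers' => [
            'Authorization: Basic ' . base64_encode($clientId . ':' . $clientSecret),
            'Content-Type: application/x-www-form-urlencoded',
        ],
        'body' => http_build_query([
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'redirect_uri'  => $redirectUri,
            'code_verifier' => $verifier,
            'client_id'     => $clientId,
        ], '', '&', PHP_QUERY_RFC3986),
    ];
}

// Self-check against the RFC 7636 Appendix B test vector (verifier -> S256 challenge).
if (pkceChallenge('dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk') !== 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM') {
    throw new RuntimeException('PKCE S256 self-check failed');
}

// Dry run with a fake session and a constructed callback query (no network).
$session = [];
$url = beginLogin('CLIENT_ID', 'https://example.com/callback', ['tweet.read', 'users.read', 'offline.access'], $session);
echo $url, PHP_EOL;

[$code, $verifier] = handleCallback(['state' => $session['oauth2state'], 'code' => 'CONSTRUCTED_CODE'], $session);
$req = tokenRequest('CLIENT_ID', 'CLIENT_SECRET', 'https://example.com/callback', $code, $verifier);
echo $req['body'], PHP_EOL;
```

The access token in the JSON response from the token endpoint is what the answer above passes as the fourth constructor argument to TwitterOAuth. Keep the verifier and state in server-side session storage only; if either is exposed to the browser, PKCE no longer binds the callback to the session that started the flow.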

TwitterOAuth is in maintenance mode and major improvements are no longer planned. https://github.com/abraham/twitteroauth/issues/1188

abraham avatar Jul 24 '23 03:07 abraham