How should I authorize twitter on a clients website?

Question

I am using Linq-to-twitter on a website I am working on at the moment. All I want to do is grab my clients latest tweets and list them on the site.

I have created an app in my own twitter account for the client.

I cannot work out if I should use Single User Authentication or Application Authentication.

On the face of it, Application Authentication seems to be the right one but I am unsure about the process. Do I setup a page where my client can go to authorize the app and then store the token? It is unclear in documentation if that token ever expires.

Or should I be using Single User Authentication and use the token generated in my own twitter account? Is there any downside to that or security risk if the site gets passed off to someone else to work on and they get the token? (I did set application to read only but its my first time using twitter so I am not sure)

Any advice appreciated as I am rather confused.

Answer 1

Application Authentication is attractive because it gives you more requests. However, not all queries allow application authentication because the query is made on behalf of a user, whereas application authentication is non-user specific. If you have a query that is on behalf of a user (as if that user logged in), single-user authorization would be appropriate.

LINQ to Twitter has demos, including ASP.NET WebForms or MVC, in the downloadable source code. Those demos assume that the user is going through the OAuth authorization sequence. However, if you use application or single user authorization, all you need to do is load credentials and use the TwitterContext without taking the user through that process. The Console Demos have examples of each type of authorization.

Here's an example of instantiating an ApplicationOnlyAuthorizer:

var auth = new ApplicationOnlyAuthorizer()
{
    CredentialStore = new InMemoryCredentialStore
    {
        ConsumerKey = ConfigurationManager.AppSettings["consumerKey"],
        ConsumerSecret = ConfigurationManager.AppSettings["consumerSecret"]
    },
};

And here's an example of a SingleUserAuthorizer:

var auth = new SingleUserAuthorizer
{
    CredentialStore = new SingleUserInMemoryCredentialStore
    {
        ConsumerKey = ConfigurationManager.AppSettings["consumerKey"],
        ConsumerSecret = ConfigurationManager.AppSettings["consumerSecret"],
        AccessToken = ConfigurationManager.AppSettings["accessToken"],
        AccessTokenSecret = ConfigurationManager.AppSettings["accessTokenSecret"]
    }
};

All of the credentials come from the Application's page in the Twitter account.

In either case, the credentials are loaded, so you don't need to take the user through the OAuth process and just create a new TwitterContext, like this:

await auth.AuthorizeAsync();
var twitterCtx = new TwitterContext(auth);

Tokens don't expire. So, you can reload the same tokens every time you instantiate the authorizer.

Here's one approach you can use to minimize security risk with sharing credentials. Use the customer's user account or create a new user account on behalf of the customer. Then create an application under the customer's account and use those credentials. You can give the customer access to the new account and they will be responsible for their own credentials.