As a guideline, I used Shannon Whitley’s code, since that’s the only .Net reference Twitter gives for OAuth implementation.  Since I had already created my own Twitter library that consumed 95% of the current Twitter REST API methods, I couldn’t simply add his two code files to my project and run with it.  I had to change some stuff around to get it to work with mine.  I also made some modifications to his class that makes all of the OAuth implementations.  In my opinion, it had a lot of code that didn’t need to be there.  I also created another class to consume the parameters needed for the OAuth requests so that I wasn’t passing 9 parameters to different methods.

So first, I want to explain OAuth a little and how it works for a desktop Twitter client.  I stress desktop application because Twitter has different implementations for web clients vs. desktop clients.

So OAuth is an open protocol to allow secure authorization to an API.  This means that for Twitter, the user’s of a desktop client aren’t required to give their username and password to the client.  The client can use OAuth to communicate with with the Twitter API without needing usernames and passwords.

Now for the process.  This was the toughest part for me to get my head around.  I couldn’t really find any good explanations of each step of the process.  So I will explain as much as I can.

Your first step is to register your application with Twitter.  This does a couple of things.  It gives you a “Consumer Key” and “Consumer Secret”.  These are needed in each OAuth request that is made.  This also provides the “source” for the tweets.  Twitter recently removed the ability to set the “source” of the tweet to your application name when using Basic Authentication.  This is now only allowed when using OAuth.

When making requests to OAuth methods, there are a number of parameters that are required for all requests.  And depending on the request, some may be expecting additional parameters.  The required parameters for all requests are:

1.  Consumer Key – given when you register your application.
2.  Nonce – a random string.  I use a GUID.  Some use a random number.
3.  Timestamp – the number of seconds since January 1, 1970.
4.  Signature – an HMAC-SHA1 string of all of the other parameters.
5.  Signature Method – HMAC-SHA1.  Currently Twitter only supports HMAC-SHA1.
6.  Token – unauthorized/request/access token.
7.  Verifier – the PIN from the Desktop Workflow
8.  Version – “1.0″

When creating the signature, you will use the Consumer Secret and Token Secret as the key.  Also, the parameters that are part of the signature need to be in order when creating the signature and when making the request.  The signature is appended to the end of the parameters so it does not need to be in order.

Here is the order that the parameters need to be in:

1.  oauth_consumer_key
2.  oauth_nonce
3.  oauth_signature_method
4.  oauth_timestamp
5.  oauth_token
6.  oauth_verifier
7.  oauth_version
8.  oauth_signature

To make the signature, you would use this code:

HMACSHA1 hmacsha1 = new HMACSHA1();
hmacsha1.Key = Encoding.ASCII.GetBytes(string.Format("{0}&{1}", UrlEncode(oauth.CustomerSecret), string.IsNullOrEmpty(oauth.TokenSecret) ? "" : UrlEncode(oauth.TokenSecret)));
// code to compute the hash to return as the signature

Moving to the code, your first step is to send an HttpWebRequest to http://twitter.com/oauth/request_token .  This request will return an Unauthorized Token and Unauthorized Token Secret.  In the current library that I used(and my Twitter API library), this method will return the entire URL including the token and secret, which will look like this…

http://twitter.com/oauth/authorize?oauth_token=UnauthorizedTokenValue

Your next step is to have the user go to the URL that was returned from the previous step.  This is the step that many developers have complained about.  When navigating to this URL, the user will enter their username and password.  They will then be given a PIN.  You will need to get this PIN from the user because it is required for you to get an Access Token.  I simply give a textbox for the user to copy and paste to.

After receiving the PIN, you will now need to make a request to http://twitter.com/oauth/access_token .  This will give you the Access Token that you will need to make all other requests to the Twitter REST API.  You will need to save these somewhere, whether it be in a database or in a file.

Here is some client code..

TwitEclipseAPI twit = new TwitEclipseAPI();
twit.OAuthConsumerKey = ""; // your consumer key
twit.OAuthConsumerSecret = ""; // your consumer secret

// Once you get the access token, this
//    would be out to set it
//twit.OAuthAccessToken = "";
//twit.OAuthAccessTokenSecret = "";

string redirectURL = twit.OAuthGetUnauthorizedRequestToken();
Process.Start(redirectURL);

// show a popup to enter PIN
frmEnterPIN f = new frmEnterPIN();
f.ShowDialog();
string pin = f.PIN;
f.Dispose();

if (twit.OAuthRequestAccessToken(pin))
{
   twit.UpdateUserStatus("This is a test");
}

I have posted a link to the code files for my library and how it uses the edited version of Shannon’s library.

Post any questions in the comments.  I will answer them as best I can.  If  you run into any issues, please let me know.  Thanks.

UPDATE: I have update the site with a new version of my twitter library.  I have also moved the download to CodePlex so that it will be easier for me to update.  Here is the link.