Sign in with oAuth where Twitter.com is blocked
Just looking for an app that lets you bypass oAuth? If you have access to Twitter.com somewhere, try this.
In two days, Twitter will start to shut down basic authentication on their API. The only way to connect to the API will then be by using oAuth. This means that on every computer where you want to use a Twitter web app, you’ll have to go to Twitter.com to give it access to your account.
However, in some places Twitter.com is being blocked – by censoring governments or overly zealous system administrators. That means that users in those places can no longer use Twitter. (As explained in my earlier post on the consequences of oAuth for Chinese web users.) But as an app developer it’s quite easy to build a workaround for some of those blocked users.
The workaround I’ll explain will work for users who can’t access Twitter in one place, but who do have access to Twitter.com somewhere else. (In fact, this method isn’t limited to just Twitter – it should work for any oAuth based sign in.)
The Twitter.com/oAuth bypass in 10 steps
- The user signs in where he does have access to Twitter.com. Your app stores his oauth_token and oauth_token_secret.
- You offer your user a “request sign in transfer” link. Clicking this link takes him to a form.
- In this form, your user fills in his email address and chooses a password for this transaction.
  [Screenshot: Request sign in transfer]
- Your app takes the oauth_token and oauth_token_secret, and encrypts them using the password as encryption key.
- Your app adds the encrypted token and secret as get-parameters to a link to a transfer sign in page, and emails it to your user.
  [Screenshot: Email with sign in instructions]
- The user opens the email on the computer where he does not have access to Twitter.com, and clicks the link.
- Your app asks the user to enter the password he picked for the transaction.
  [Screenshot: Sign in with password]
- Your app decrypts the token and secret get variables with the password as decryption key.
- Your app signs the user in to Twitter and stores the token and secret.
- Your user tweets how happy he is with this solution.
If you want to see this method in action, check out "Creating a sign in for where Twitter.com is blocked" in my web app Twimply.
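
One way to implement steps 4, 5 and 8 in Node.js (an added example, not code from this post or from Twimply). It assumes scrypt for turning the password into a key and AES-256-GCM for the encryption, neither of which the post specifies; the function names are hypothetical.

```javascript
// Added example: function names and parameters are hypothetical.
const crypto = require('node:crypto');

const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// Stretch the user's transfer password into a 256-bit key.
// A fresh salt per link means the same password never yields the same key twice.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Steps 4-5: encrypt token + secret, return a URL-safe value for the GET parameter.
function sealTokens(oauthToken, oauthTokenSecret, password) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const plaintext = JSON.stringify({ oauthToken, oauthTokenSecret });
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Layout: salt | iv | auth tag | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Step 8: decrypt the parameter. Returns null for a wrong password or an
// altered link, so the app never stores garbage as a token.
function openTokens(blob, password) {
  const raw = Buffer.from(String(blob), 'base64url');
  if (raw.length <= SALT_LEN + IV_LEN + TAG_LEN) return null;
  const salt = raw.subarray(0, SALT_LEN);
  const iv = raw.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = raw.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const body = raw.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null; // GCM tag check failed: wrong password or modified data
  }
}
```

Anyone who obtains the email can guess passwords offline against the link, so the strength of the transfer password is what protects the tokens; scrypt only raises the cost of each guess.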
