
Twitter 3-legged authorization in Ruby

I am trying my hand at Ruby on Rails. Mostly I have written code in Sinatra. Anyway, this question may not have anything to do with the framework, and it may sound like a very novice question. I am playing with the Twitter 1.1 APIs and OAuth for the first time.

I have created an app XYZ and registered it with Twitter. I got XYZ's consumer key, i.e. CONSUMER_KEY, and consumer secret, i.e. CONSUMER_SECRET. I also got XYZ's own access token, i.e. ACCESS_TOKEN, and access secret, i.e. ACCESS_SECRET.

XYZ application type: Read, Write and Access direct messages
XYZ callback URL: http://www.mysite.com/cback
And I have checked: Allow this application to be used to Sign in with Twitter

What I am trying to do is very simple:

1) Users come to my website and click a link "Link your twitter account" (not "sign in with twitter")
2) That opens a Twitter popup where the user grants permission to XYZ to perform actions on his/her behalf
3) Once the user permits and the popup gets closed, the XYZ app gets the user's access token and secret and saves them in the database.
4) Then XYZ uses that user's token and secret to perform actions in future.

I may be a moron, since such a workflow has been implemented on several thousand sites and the Twitter API documentation explains this 3-legged authentication, but I am still unable to figure it out.

I have read https://dev.twitter.com/docs/auth/3-legged-authorization and https://dev.twitter.com/docs/auth/implementing-sign-twitter. Unfortunately, I found no Ruby code on the internet that explains it with a step-by-step example.

What link should be used to open the Twitter authentication page when the user clicks "Link your twitter account"? Can anyone here write some pseudo code with my pseudo credentials above to achieve my goal from beginning till end of this workflow? Thanks.

UPDATE:

I started by requesting a request token as follows:

    require 'oauth'
    consumer = OAuth::Consumer.new(CONSUMER_KEY, CONSUMER_SECRET,
                                   { site: "https://twitter.com" })
    request_token = consumer.get_request_token oauth_callback: 'http://www.mysite.com/tauth'
    redirect_to request_token.authorize_url

JVK asked Feb 24 '26 23:02

1 Answer

I'm not familiar with ROR but here is the workflow of the OAuth 'dance' that you need to follow when the user clicks your button:

  1. Obtain an unauthorized request token from Twitter by sending a request to

    POST https://api.twitter.com/oauth/request_token

    signing the request using your consumer secret. This will be done in the background and will be transparent to the user.

  2. You will receive an oauth_token and oauth_token_secret back from Twitter.

  3. Redirect the user to

    https://api.twitter.com/oauth/authorize?oauth_token=[token_received_from_twitter]

    using the oauth token value you received from Twitter in step 2.

  4. When the user authorizes your app they will be redirected to your callback URL with oauth_token and oauth_verifier appended to the URL, i.e.

    http://www.mysite.com/cback?oauth_token=NPcudxy0yU5T3tBzho7iCotZ3cnetKwcTIRlX0iwRl0&oauth_verifier=uw7NjWHT6OJ1MpJOXsHfNxoAhPKpgI8BlYDhxEjIBY

  5. Convert the request token into an access token by sending a signed request along with the oauth_verifier to

    POST https://api.twitter.com/oauth/access_token

    signing your request with your consumer secret and the token secret received in step 2.

  6. If everything goes ok, you will receive a new oauth_token and oauth_token_secret from Twitter. This is your access token for the user.

  7. Using the access token and secret received in step 6 you can make Twitter API calls on behalf of the user by sending signed requests to the appropriate API endpoints.

Jon Susiak answered Feb 26 '26 19:02
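
The signing in steps 1 and 5 and the callback check in step 4 of the answer above, as an added example using only Ruby's standard library (it is not code from the question or the answer; in an application the oauth gem performs the signing). The helper names, the `session[:request_token]` key and all credential values are assumptions constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# RFC 5849 percent-encoding: everything except unreserved characters is escaped.
def pct(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [pct(k), pct(v)] }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, pct(url), pct(normalized)].join('&')
end

# HMAC-SHA1 signature. The key is "consumer_secret&" in step 1 (no token yet)
# and "consumer_secret&request_token_secret" in step 5.
def oauth_signature(method, url, params, consumer_secret, token_secret = '')
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', key, signature_base_string(method, url, params)))
end

# Step 4: accept the callback only if its oauth_token is the request token this
# session was issued in step 2 and a verifier is present; otherwise return nil.
def verifier_from_callback(callback_url, session)
  query = URI.decode_www_form(URI(callback_url).query.to_s).to_h
  issued = session[:request_token].to_s
  verifier = query['oauth_verifier'].to_s
  return nil if issued.empty? || verifier.empty?
  return nil unless query['oauth_token'] == issued
  verifier
end

# Constructed sample values (placeholders, not real credentials).
STEP1_PARAMS = {
  'oauth_callback' => 'http://www.mysite.com/cback',
  'oauth_consumer_key' => 'CONSUMER_KEY',
  'oauth_nonce' => 'constructed-nonce',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => '1700000000',
  'oauth_version' => '1.0'
}.freeze

if __FILE__ == $PROGRAM_NAME
  url = 'https://api.twitter.com/oauth/request_token'
  puts oauth_signature('POST', url, STEP1_PARAMS, 'CONSUMER_SECRET')
  session = { request_token: 'REQ_TOKEN' }
  p verifier_from_callback('http://www.mysite.com/cback?oauth_token=REQ_TOKEN&oauth_verifier=VERIFIER', session)
end
```

Keeping the request token and its secret in the server-side session between steps 2 and 5 is what lets the callback be tied to the user who started the flow.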