OAuth out of band/PIN authentication with Ruby

OAuth is a protocol used to authenticate an application in order to use the API of a service. Here we’ll use Twitter as an example. The developer documentation of Twitter is a really good resource when you are looking for general information or even specific libraries.

It is quite common to authenticate with such services using a callback URL, so that case is easy and well covered. Take, for instance, the Ruby oauth gem: authentication using a callback URL is described pretty well in its documentation. But this only works for web applications. If you want to do OAuth with a desktop application or a mobile application, you mostly can’t handle callback URLs. If you are unsure which authentication path to choose, Twitter has an excellent help page called “Which authentication path should I choose?”.

So I realised I needed to do authentication using OAuth out of band/PIN. I found very few resources on exactly how to do that, so here is my solution.


First, of course, you need the oauth gem.

gem install oauth

Next, register your application with Twitter. You can then get your consumer key and your consumer secret from the page of your application. Here is a little script that does this kind of authentication:

# this makes oauth pretty easy
require 'oauth'
# used to launch the web browser with the authorization page
# gem install launchy
require 'launchy'

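# YOUR_CONSUMER_KEY and YOUR_CONSUMER_SECRET are placeholders for the values from your application's page
consumer = OAuth::Consumer.new(YOUR_CONSUMER_KEY, YOUR_CONSUMER_SECRET, :site => "https://api.twitter.com")
# no callback URL is passed, so the gem requests the out-of-band ("oob") flow
request_token = consumer.get_request_token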

# open browser for authorization
Launchy.open request_token.authorize_url
puts "Please authorize the app to have access to your Twitter account. A pincode will be displayed to you, please enter it here:"
pincode = gets.chomp
# last step of the authentication
access_token = request_token.get_access_token :pin => pincode

access_token.token # user token
access_token.secret # user oauth secret

Be aware that you need to save the token and secret somewhere (securely). Now that you have them, you can use the twitter gem to do whatever your app aims to do with Twitter. So have fun with out-of-band OAuth authentication!
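One way to keep `access_token.token` and `access_token.secret` from the script above in a file only the owning user can read, as an added example that is not part of the original post. `TokenStore`, its method names and the file name are hypothetical, and POSIX file permissions are assumed.

```ruby
require 'json'
require 'tmpdir'

# TokenStore and its method names are hypothetical (added example).
module TokenStore
  class InsecureFile < StandardError; end

  # Write token and secret as JSON. The temp file is created with mode 0600,
  # so the secret is never readable by other users, then renamed into place.
  def self.save(path, token, secret)
    tmp = "#{path}.tmp.#{Process.pid}"
    # EXCL fails instead of writing through a file or symlink already at tmp
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(JSON.generate('token' => token, 'secret' => secret))
      f.fsync
    end
    File.rename(tmp, path) # atomic replace on the same filesystem
    path
  end

  # Return [token, secret]; refuse a file that is a symlink, belongs to
  # another user, or grants any permission to group or others.
  def self.load(path)
    st = File.lstat(path)
    raise InsecureFile, "#{path} is not a regular file" unless st.file?
    raise InsecureFile, "#{path} is not owned by this user" unless st.owned?
    raise InsecureFile, "#{path} is accessible to group or others" unless (st.mode & 0o077).zero?
    data = JSON.parse(File.read(path))
    [data.fetch('token'), data.fetch('secret')]
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'twitter_token.json') # constructed location
    # constructed values standing in for access_token.token / access_token.secret
    TokenStore.save(path, 'constructed-user-token', 'constructed-user-secret')
    token, _secret = TokenStore.load(path)
    puts "loaded token #{token}"
    File.chmod(0o644, path) # simulate a file left world-readable
    begin
      TokenStore.load(path)
    rescue TokenStore::InsecureFile => e
      puts "refused: #{e.message}"
    end
  end
end
```

The permission check on load catches a file that was later copied, restored from backup or edited with looser permissions than it was written with.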

Sidenote: Where to save your consumer secret is quite a hard problem; you might want to check out this Stack Overflow discussion. If you have better ideas, please leave a comment 😉

Question or feedback? Please leave a comment!

