How to exchange authorization code for access token Twitter API?

PaulViorel
March 14, 2022
246 views
0 votes
2 Answers

I am developing an app that will read some tweets stats of my company. I want to let all the employees to connect with their twitter accounts.

I am facing the following problem: I am stuck at the "Exchange authorization code for access token".

The response url after Authorize is: https://example/v1/browser-callback?state=state&code=all0UTY5TVVMYmctNjZEQVpYYYYYYYYZZZZZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I suppose I have to change the code all0UTY5TVVMYmctNjZEQVpYYYYYYYYZZZZZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX for access_token and access_token_secret, but I did not find how to do that on the documentation that twitter offers to us.

Answers

- GAOUL
- March 14, 2022 at 12:15 pm
- 0 votes
0
You need first to know the type of flow you are trying to implement

First you need to know what is the grant type of your client_id in the twitter side, i see in the callback there is code that means you are in normal authorization code or Authorization Code Flow with Proof Key for Code (PKCE), to know that check in your first call to twitter if you see in the params code_challenge and code_challenge_method if yes It’s PKCE flow;

Second, I see that you have successfully done the first step of flow, then if you are in the PKCE, you need in your callback to send another request to get a final token like this:
```
        client_id=your client_id&
        code_verifier=the code generated by the application in the first step&
        redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&
        grant_type=authorization_code&
        code=the code sent from twitter
```
Login or Signup to reply.

- randomdatascientist
- December 2, 2022 at 1:20 am
- 0 votes
0
I’m not sure what the docs looked like back in March, but to do this now you simply need to build the request headers with the code argument from the redirect URL. From the example url you gave (https://example/v1/browser-callback), your code is:
all0UTY5TVVMYmctNjZEQVpYYYYYYYYZZZZZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And the curl request you would make for a private client to retrieve the user’s bearer and refresh token would be:
```
curl --location --request POST 'https://api.twitter.com/2/oauth2/token' 
--header 'Content-Type: application/x-www-form-urlencoded' 
--header 'Authorization: Basic YOUR_BASE64_ENCODED_ClientID:ClientSecret_HERE'
--data-urlencode 'code=all0UTY5TVVMYmctNjZEQVpYYYYYYYYZZZZZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' 
--data-urlencode 'grant_type=authorization_code' 
--data-urlencode 'redirect_uri=https://example/v1/browser-callback' 
--data-urlencode 'code_verifier=challenge'
```
where YOUR_BASE64_ENCODED_ClientID:ClientSecret_HERE is (per the docs):

To create the basic authorization header you will need to base64 encoding on your Client ID and Client Secret which can be obtained from your App’s “Keys and Tokens” page inside of the developer portal.

You’ll need to make this request to get the initial bearer token/refresh token for private clients within 30 seconds of receiving the code at your callback URL after the user has authorized your app.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.