
Why did I get -4 from the community?
Nobody knows the answer, so they give me -4 for asking a question you cannot figure out? Please explain... The question is highly technical and hard and deserves a much better reaction from the community. Unless I should start asking easy questions...

Wrong answers I got:

1. "Just call the OAuth endpoint with your user and password"
   No, I tracked all browser requests from login to the follow action (when the bearer token is needed) and at no time does the browser call the server to get the bearer token, so it is not that easy. Nonetheless the browser has the bearer token, as it sends it after login when you want to do an action such as follow. (This is why it generates it in JS from login data.)

2. "Just use the auth_token"
   No, the auth_token and the bearer are both needed and sent when you follow; if one is missing the call will fail, and they are very different from each other...

3. Please do not answer that Twitter has an API. I know, and it is not the question.

This is a hard question for really advanced developers. I am trying to research how Twitter creates the bearer_token. This token is provided later on, after login, to follow or to do any other actions.

I put Fiddler on, and after a successful login through the Twitter website (not an app or anything) Twitter calls:
https://twitter.com/sessions

This function returns 5 cookies:

set-cookie: fm=0; Expires=Mon, 19 Mar 2018 23:58:22 GMT; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: ads_prefs="HBERAAA="; Expires=Thu, 16 Mar 2028 23:58:32 GMT; Path=/; Domain=.twitter.com
set-cookie: kdt=1lMiTzCNWYEh4IrZmXmF1t9cjAT4LNVfUhfvBIa5; Expires=Tue, 17 Sep 2019 23:58:32 GMT; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: _twitter_sess=BAh7CiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCMcps0BiAToMY3NyZl9p%250AZCIlZWM2ZmU1M2RlOGU3NmI4Yzc4ZDY4MTg3YmFiMmNlZTk6B2lkIiUyOTg4%250AOGE4NTY0MDNmNTY5NGU0YzM0MTI2ZjNkNWNhZjoJdXNlcmwrB5ynikA%253D--dc71be55646bbc98ff0043e50e7fe15c4fa80cc4; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: remember_checked_on=1; Expires=Thu, 16 Mar 2028 23:58:32 GMT; Path=/; Domain=.twitter.com
set-cookie: twid="u=1082828700"; Expires=Thu, 16 Mar 2028 23:58:32 GMT; Path=/; Domain=.twitter.com; Secure

set-cookie: auth_token=7d7c0e23f8c669ff78b921b5a451c7e60f001b6b; Expires=Thu, 16 Mar 2028 23:58:32 GMT; Path=/; Domain=.twitter.com; Secure; HTTPOnly

Later on, when I follow somebody, Twitter calls:
https://api.twitter.com/1.1/friendships/create.json
Among the headers sent on this POST request, one important header is:
authorization: Bearer AAAAAAAAAAAAAAAAAAAAAPYXBAAAAAAACLXUNDekMxqa8h%2F40K4moUkGsoc%3DTYfbDKbT3jJPCEVnMYqilB28NHfOPqkca3qaAxGfsyKCs0wRbw

My question is simple but important for my research: how is this Bearer token created?

1. Obviously it is created on the client side through JS, as inspecting all the Twitter calls from login to follow (where the bearer is used) shows no other call to the server to get the bearer token. This is a fact after long research.

2. I suspect that through some sort of encoding of the auth_token, twid or kdt, or a combination of those headers sent to me after login, the bearer token is created on the client side and then sent to the server.

3. After investigating all the JS files of Twitter (and unminifying them using an online tool) I came up with some functions that create it, but still cannot find a way to create the bearer token on my side.
   Any help will be highly appreciated. I am sure the concept is easy: the bearer token is generated on the client side from data got from the login cookies. But I cannot figure out how, and the JS is hard to understand...

Here are some snippets taken from 3 files:

<link rel="preload" href="https://abs.twimg.com/k/en/init.en.ace7071c803c455c5d97.js" as="script">
<link rel="preload" href="https://abs.twimg.com/k/en/0.commons.en.de7b4986f9ad407bc0e4.js" as="script">
<link rel="preload" href="https://abs.twimg.com/k/en/8.pages_home.en.9ee19c8cf9256226b254.js" as="script">

// Appends bearer_token as a query parameter when a token is given (fragment; closing brace restored)
this._addBearerTokenToUrl = function(t, e) {
    return t ? h.a.addToUrl(e, {
        bearer_token: t
    }) : e
};
// Request middleware: adds "authorization: Bearer <t>" (t defaults to the module constant u),
// plus x-twitter-auth-type when a user is logged in and x-csrf-token when one is available
function n() {
    var t = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : u;
    return function(e, i) {
        var n = {
            authorization: "Bearer " + t
        };
        a.a.user.id && (n["x-twitter-auth-type"] = "OAuth2Session");
        var o = Object(r.a)(c);
        return o && (n["x-csrf-token"] = o), e.headers = s({}, e.headers, n), i(e)
    }
}

// Session-authenticated request: bearer k, OAuth2Session auth type, CSRF token, and cookies sent along
if (i.useOAuthSessionAuth) {
    var E = this.getCsrfToken();
    S = {
        authorization: "Bearer " + k,
        "x-twitter-auth-type": "OAuth2Session",
        "x-csrf-token": E
    }, x = {
        withCredentials: !0
    }
}

2 Answers
1. How is this Bearer token created?

   That is specific to the server implementation, but for sure it is not generated on the client. The token contains some information that can lead that token back to your user (similar to what a logon cookie would do for you).

   You can't generate such a token yourself. If you could, you could create one for me without me knowing, which would be a huge security loophole. You can however obtain a token through some sort of authentication endpoint, usually something OAuth-like (on which you can read more in the Twitter docs).

   For what I know, OWIN (the ASP.NET OAuth server implementation) uses an encryption mechanism that takes the machine key registered in machine.config as input, to ensure only the proper servers can decrypt the token.
2. Well, when you load the home page in Twitter, the bearer is in the content; I usually extract it from there, and I did not find where the request to the server-side code gets it from. Also you have to wait until the page is loaded and then extract the auth token.

   Search for: bearer_token

   And also the token is only received once on login and then cached; if you extract the cache you will probably find it there. Try to monitor the login requests and make sure that you cleared the cache to find the request.