User Authentication with Codeigniter 1.7 using Twitter oAuth

5 min read

(Read more interesting articles on CodeIgniter 1.7 Professional Development here.)

How oAuth works

Getting used to how Twitter oAuth works takes a little time.

When a user comes to your login page, you send a GET request to Twitter for a set of request codes. These request codes are used to verify the user on the Twitter website.

The user then goes through to Twitter to either allow or deny your application access to their account. If they allow the application access, they will be taken back to your application. The URL they get sent to will have an oAuth token appended to the end. This is used in the next step.

Back at your application, you then send another GET request for some access codes from Twitter. These access codes are used to verify that the user has come directly from Twitter, and has not tried to spoof an oAuth token in their web browser.

Registering a Twitter application

Before we write any code, we need to register an application with Twitter. This will give us the two access codes that we need. The first is a consumer key, and the second is a secret key. Both are used to identify our application, so if someone posts a message to Twitter through our application, our application name will show up alongside the user’s tweet.

To register a new application with Twitter, you need to go to You’ll be asked for a photo for your application and other information, such as website URL, callback URL, and a description, among other things.

You must select the checkbox that reads Yes, use Twitter for login or you will not be able to authenticate any accounts with your application keys.

Once you’ve filled out the form, you’ll be able to see your consumer key and consumer secret code. You’ll need these later. Don’t worry though; you’ll be able to get to these at any time so there’s no need to save them to your hard drive. Here’s a screenshot of my application:

Downloading the oAuth library

Before we get to write any of our CodeIgniter wrapper library, we need to download the oAuth PHP library. This allows us to use the oAuth protocol without writing the code from scratch ourselves.

You can find the PHP Library on the oAuth website at Scroll down to PHP and click on the link to download the basic PHP Library; or just visit:—the file you need is named OAuth.php.

Download this file and save it in the folder system/application/libraries/twitter/—you’ll need to create the twitter folder. We’re simply going to create a folder for each different protocol so that we can easily distinguish between them.

Once you’ve done that, we’ll create our Library file. Create a new file in the system/application/libraries/ folder, called Twitter_oauth.php. This is the file that will contain functions to obtain both request and access tokens from Twitter, and verify the user credentials.

The next section of the article will go through the process of creating this library alongside the Controller implementation; this is because the whole process requires work on both the front-end and the back-end. Bear with me, as it could get a little confusing, especially when trying to implement a brand new type of system such as Twitter oAuth.

Library base class

Let’s break things down into small sections. The following code is a version of the base class with all its guts pulled out. It simply loads the oAuth library and sets up a set of variables for us to store certain information in. Below this, I’ll go over what each of the variables are there for.

require_once(APPPATH . 'libraries/twitter/OAuth.php');
class Twitter_oauth
var $consumer;
var $token;
var $method;
var $http_status;
var $last_api_call;

The first variable you’ll see is $consumer—it is used to store the credentials for our application keys and the user tokens as and when we get them.

The second variable you see on the list is $token—this is used to store the user credentials. A new instance of the oAuth class OAuthConsumer is created and stored in this variable.

Thirdly, you’ll see the variable $method—this is used to store the oAuth Signature Method (the way we sign our oAuth calls).

Finally, the last two variables, $http_status and $last_api_call, are used to store the last HTTP Status Code and the URL of the last API call, respectively. These two variables are used solely for debugging purposes.

Controller base class

The Controller is the main area where we’ll be working, so it is crucial that we design the best way to use it so that we don’t have to repeat our code. Therefore, we’re going to have our consumer key and consumer secret key in the Controller. Take a look at the Base of our class to get a better idea of what I mean.

class Twitter extends Controller
var $data;
function Twitter()
$this->data['consumer_key'] = "";
$this->data['consumer_secret'] = "";

The global variable $data will be used to store our consumer key and consumer secret. These must not be left empty and will be provided to you by Twitter when creating your application. We use these when instantiating the Library class, which is why we need it available throughout the Controller instead of just in one function.

We also allow for sessions to be used in the Controller, as we want to temporarily store some of the data that we get from Twitter in a session. We could use the CodeIgniter Session Library, but it doesn’t offer us as much flexibility as native PHP sessions; this is because with native sessions we don’t need to rely on cookies and a database, so we’ll stick with the native sessions for this Controller.


Please enter your comment!
Please enter your name here