85

I am new to OAuth and have been playing around with the Twitter API. I am able to fetch the credentials of a user after authentication by making a request to http://api.twitter.com/1/account/verify_credentials.xml. The response contains the user id, screen name etc. but not the email ID.

Is it possible at all to retrieve the email ID of the user?

Update

I believe Facebook provides this information if you specifically request for extended permissions. Is there something similar for Twitter?

starball
Manoj Govindan
  • @Philip: :P I agree and I suspect there isn't, but I wanted to verify and report back to He Who Signs The Cheques. – Manoj Govindan Aug 30 '10 at 10:47
  • 2
    @Philip Potter why do you say this? The email address is the key point of reference between most of the OAuth providers. If you have a website with 3rd party login functionality (such as this website) and a user logs in with Twitter, then the only unique identifier which can be used is the user_id. If next time the user comes along and logs in with Google then you have no way of knowing that this is the same user as before. However, if two different 3rd party providers give an email address then we can be sure it is the same person (as long as the email address is verified by the 3rd parties). – mulllhausen Jun 29 '11 at 14:16
  • @mulllhausen the same person can have different email accounts anyway. It's just nicer though to have the email option. I would bake into this the ability to pair multiple accounts together after you are authenticated through one provider instead of relying on the email address which Twitter isn't supporting. I'm just saying roll with what you have. – King Friday Mar 11 '13 at 02:44

9 Answers

106

The user's email address can not be retrieved via the API. This is a deliberate design decision by the API team.

UPDATE 2015.08.18:

It is possible to request an email address from users, but it requires your app to be whitelisted. See https://dev.twitter.com/rest/reference/get/account/verify_credentials for details of the API call and this form to request whitelisting of your app.

DWRoelands
  • 11
    Can we file it as bug, I am extremely in need of email address of authenticated user? – jigneshbrahmkhatri Aug 24 '11 at 10:16
  • 9
    Too bad and as you have said, a **deliberate** decision. If you are authenticating someone and have your own user database, you need to check if an existing user (with the same e-mail) already exists. – Keyne Viana Nov 12 '11 at 17:59
  • 4
    @JigneshBrahmkhatri I had the same issue with my existing User model in my application which required an e-mail address. I fixed that by going the extra step and show the user a form to complete the missing info. – Kenny Meyer Jan 30 '12 at 19:59
  • 24
    @KennyM. That's not very secure, I could just type in the email of some account that isn't mine and be paired to that account... – Nahydrin Apr 12 '12 at 16:28
  • @KennyM. Please don't do that, it's a huge security hole. As Brian Graham has already explained, it's very easy to hack anyone else's account. – Vicky Chijwani Jan 12 '13 at 16:33
  • Still the Twitter API team didn't change? Can I get a Twitter user's email address using the Twitter API at present date? – Viswa Jan 24 '13 at 06:59
  • Viswa: No, you currently can not get the user's email address from the Twitter API. There is no reason to expect that this is going to change. – DWRoelands Jan 28 '13 at 18:50
  • 2
    Why not ask for their email after the oAuth process? That's what I'm doing in my app. – Ron Feb 20 '13 at 11:44
  • @BrianGraham - I don't think KennyM means to link to an existing account, I think he means to register a new account. If you register a new account then there is no security risk of linking to someone else's account by typing their email. Am I right or am I missing something? – Wasim Apr 14 '13 at 09:02
  • 1
    If you are completing the OAuth process and then asking a user to provide their email address, this is certainly a valid approach to the problem. Obviously, it's up to the individual developer to make sure that they are taking the appropriate steps to be smart and secure when dealing with the email address. – DWRoelands Apr 15 '13 at 14:55
  • 3
    When a user signs in with Twitter, I require them to enter an email address as well, then have them verify it before activating their account. Basically I'm just letting them use their Twitter account instead of requiring a password. – Gus Shortz Jun 20 '13 at 23:36
  • @BrianGraham It definitely depends on how you implement your linking. You could obviously ask the user to confirm the twitter account linking. – Chibueze Opata Mar 11 '15 at 17:27
  • It is now possible to get the user's email address (if they permit it) by using Twitter xAuth. More info here: https://dev.twitter.com/rest/reference/get/account/verify_credentials – Kevin Traas Aug 13 '15 at 15:30
  • I made a working example at this repo, thanks to the person who answered. https://github.com/DZuz14/CompleteSignInWithTwitterPHP – Dan Zuzevich Jan 07 '17 at 17:10
16

For OutsourceFactor, which is written in Python / Django, I get the username via oAuth1, then construct an email as "username@twitter.com" which is guaranteed to be unique throughout twitter. Then I hash it to get a nice UUID to be used and associated with my local user account. Same thing for Yahoo. Google and Facebook use oAuth2 and they give me the email address on request which is nice.

To ensure multiple social associations with a single account, I allow social account associations ONLY after the user has locally created an account and is logged in.

So, you have to create an account first (local account), then you can use any of the social oAuth providers to ease your future logins. This is the best bang for the buck for my site.

Anyways, you get some unique form of ID from twitter. So just use it. You can ask for an email address later or before the association.

Val Neekman
  • 4
    "providers to ease your future logins", I don't agree with this, because you have already given them trouble by asking them to create a local account by showing a very big form which customers always dislike to fill. – RJR Dec 12 '13 at 10:13
  • @RJR Well, Twitter is not giving you an email address. So you have to ask for it anyways. In my case, I ask for a password too while I am at it. You might have a site with different requirements, and that is fine too. – Val Neekman Mar 21 '14 at 19:12
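Added example (not part of any answer on this page, and not OutsourceFactor's code): an in-memory Python model of the account handling discussed in the two answers above. Logins resolve by the provider's stable user id, a user-typed email stays unverified until a mailed token comes back, and a second provider is linked only to the account the session is already logged in to. The `AccountStore` class and its method names are hypothetical, and the dictionaries stand in for a real user table.

```python
import hmac
import secrets

class AccountStore:
    """In-memory stand-in for a user database (constructed for this example)."""

    def __init__(self):
        self.accounts = {}     # account_id -> {"email": str | None}
        self.identities = {}   # (provider, provider_user_id) -> account_id
        self.pending = {}      # account_id -> (email, one-time token)
        self._next_id = 1

    def sign_in(self, provider, provider_user_id):
        """Resolve a login by the provider's stable user id, never by email."""
        key = (provider, str(provider_user_id))
        if key not in self.identities:
            account_id = self._next_id
            self._next_id += 1
            self.accounts[account_id] = {"email": None}
            self.identities[key] = account_id
        return self.identities[key]

    def submit_email(self, account_id, email):
        """Record a user-typed email as unverified; return the token to mail to it."""
        token = secrets.token_urlsafe(32)
        self.pending[account_id] = (email.strip().lower(), token)
        return token

    def confirm_email(self, account_id, token):
        """Attach the email only if the mailed token comes back and it is unclaimed."""
        email, expected = self.pending.get(account_id, (None, ""))
        if email is None or not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        if any(a["email"] == email for a in self.accounts.values()):
            return False  # already owned: merging requires logging in to that account
        self.accounts[account_id]["email"] = email
        del self.pending[account_id]
        return True

    def link_identity(self, session_account_id, provider, provider_user_id):
        """Add a second provider only to the account the session is logged in to."""
        key = (provider, str(provider_user_id))
        if session_account_id not in self.accounts:
            return False
        if self.identities.get(key, session_account_id) != session_account_id:
            return False  # identity already belongs to another account
        self.identities[key] = session_account_id
        return True
```

Typing the address of an existing account into the post-OAuth form therefore never pairs the new login with that account; the only path to merging two logins is `link_identity` from an authenticated session.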
3

Email address is obfuscated by Twitter in their OAuth responses, which has always been a great issue for people wanting to include a "Register with Twitter" function.

More recently (early 2015), Twitter have added email address support through a second service call, but under certain, abused, conditions.

https://dev.twitter.com/rest/reference/get/account/verify_credentials

So now it is possible, but my opinion is to continue to implement an OAuth every-provider-but-twitter single sign on. They must be boycotted until they act normally, I mean like every single other OAuth provider.

Moonchild
3

In Android using Fabric, I request the user's email address like this:

```java
TwitterAuthClient authClient = new TwitterAuthClient();

authClient.requestEmail(session, new Callback<String>() {

    @Override
    public void success(Result<String> result) {
        // Do something with the result, which provides the email address
    }

    @Override
    public void failure(TwitterException exception) {
        // Do something on failure
    }
});
```

See http://docs.fabric.io/android/twitter/request-user-email-address.html

bish
Paul Muriithi
  • Yes, I do the same thing for Android but I am unable to get the email address on the web. I also submitted a request for the email address by following this link https://dev.twitter.com/rest/reference/get/account/verify_credentials – Muhammad Waqas Nov 16 '15 at 06:20
1

In my case every time I get the response I get a unique authentication id for every user and it's the same for that user every time. So I used that id to create an email like unique_id@twitter.com and check if that's already on my site (the first time it is not) and then register the user. Then if he logs in a second time I just create the email again and check if it's already there. By this I don't have to make him create a local account first and can identify him to log in.

Syed mohamed aladeen
1

Here is the example how to get twitter user email in Laravel, and on coditty.com you can find the full example using Angular+Laravel

```php
// get token secret from db
$token = TwitterTokens::where('oauth_token', $request->input('oauth_token'))->first();

// stop here if the oauth_token from the request is unknown
if ($token === null) {
    abort(400, 'Unknown oauth_token');
}

// open twitter connection
$connection = new \Abraham\TwitterOAuth\TwitterOAuth(
    $this->twitter_consumer_key,
    $this->twitter_secret,
    $request->input('oauth_token'),
    $token->oauth_token_secret // twitter secret from DB
);

// get access token
$access_token = $connection->oauth("oauth/access_token", ["oauth_verifier" => $request->input('oauth_verifier')]);

// new TwitterOAuth instance to get email
$twitterOAuth = new \Abraham\TwitterOAuth\TwitterOAuth(
    $this->twitter_consumer_key,
    $this->twitter_secret,
    $access_token['oauth_token'],
    $access_token['oauth_token_secret']
);

// Let's get the user's info with email
$twitterUser = $twitterOAuth->get('account/verify_credentials', ['include_entities' => 'false', 'include_email' => 'true', 'skip_status' => 'true']);

// output user object from twitter in your Log file
Log::info(['user' => $twitterUser]);
```

Igor Simic
  • 1
    A link to a potential solution is always welcome, but please [add context around the link](http://meta.stackoverflow.com/a/8259) so your fellow users will have some idea what it is and why it’s there. Always quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline. Take into account that being _barely more than a link to an external site_ is a possible reason as to [Why and how are some answers deleted?](http://stackoverflow.com/help/deleted-answers). – Tunaki Dec 04 '16 at 13:18
0

Who said it's not possible ???

I have gotten it in my iOS app after whitelisting the app. Check my answer here.

Community
NSPratik
0

Add this code!

```php
$params = array('include_email' => 'true', 'include_entities' => 'false', 'skip_status' => 'true');

$data = $connection->get('account/verify_credentials', $params); // get the data

// getting twitter user profile details
$twt_id = $data->id;       // twitter user id
$twt_email = $data->email; // twitter user email
```

Check out the full procedure here.

Community
Pran
0

Who says you can't get the user's email? The “Request email addresses from users” checkbox is available under the app permissions on apps.twitter.com. Privacy Policy URL and Terms of Service URL fields must be completed in the app settings in order for email address access to function. If enabled, users will be informed via the oauth/authorize dialog that your app can access their email address.