Generating a request_token should only happen when a user shows intent to sign into your site. It requires making an API request to Twitter. In your implementation this page should generally have no HTML rendered and instead do a redirect to the generated URL.
First we set need to autoload the TwitterOAuth class and the need Twitter application details. We will also construct a TwitterOAuth instance with the application consumer_key and consumer_secret.
require 'vendor/autoload.php';
use Abraham\TwitterOAuth\TwitterOAuth;
define('CONSUMER_KEY', getenv('CONSUMER_KEY'));
define('CONSUMER_SECRET', getenv('CONSUMER_SECRET'));
define('OAUTH_CALLBACK', getenv('OAUTH_CALLBACK'));
$connection = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET);
Authorizing access to a users account through OAuth starts with getting a temporary request_token. This request_token is only good for a few minutes and will soon be forgotten about.
Request
$request_token = $connection->oauth('oauth/request_token', array('oauth_callback' => OAUTH_CALLBACK));
Response Live
array(3) {
["oauth_token"]=>
string(27) "jjFYkAAAAAAAAAAbAAABhy-YmlE"
["oauth_token_secret"]=>
string(32) "Qa3kxmoEvkROolyIHw0KFoSEnVcseiJf"
["oauth_callback_confirmed"]=>
string(4) "true"
}
This demo site uses basic PHP sessions but you can use whatever session/storage implementation you want.
$_SESSION['oauth_token'] = $request_token['oauth_token']; $_SESSION['oauth_token_secret'] = $request_token['oauth_token_secret'];
Here we are building a URL the authorizing users must navigate to in their browser. It is to Twitter's authorize page where the list of permissions being granted is displayed along with allow/deny buttons.
Request
$url = $connection->url('oauth/authorize', array('oauth_token' => $request_token['oauth_token']));
Response Live
string(79) "https://api.twitter.com/oauth/authorize?oauth_token=jjFYkAAAAAAAAAAbAAABhy-YmlE"