[twitter-dev] Re: Sign out from twitter using Oauth
Sorry, there is currently no way to accomplish this. Nor should there be... there is NO way that any site other than Twitter should control my login status on Twitter. Now to the OP's question: When I logged out from my application, I need to logout from twitter also. What _you_ can do is before you forget the login state of your application, delete any OAuth tokens you have for the logged in user... then when they return to login to your application, they will not yet have Twitter OAuth tokens, so it will appear that they are not associated with the Twitter account and will have to reauthorize. You can safely keep the Tweep's user id and (less safely) screen name and profile image url around if you want to keep some knowledge of them... Marc -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
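The sign-out bookkeeping Marc describes, as an added example that is not code from the thread or from Twitter. An application holds nothing that can end a twitter.com browser session, so on a shared terminal the one thing it controls is its own state: forget the user's OAuth access token and secret, keep at most the numeric Twitter user id, and send a returning user back through the OAuth dance (with force_login=true, which the original poster already uses). The in-memory store, the user ids and the token strings are constructed for the example; the authorize URL uses the twitter.com/oauth host as it appears elsewhere in this thread.

```python
# Added example, not code from the thread: app-side state at sign-out.
# The app cannot touch twitter.com cookies; it can only drop what it holds.
import secrets
from urllib.parse import urlencode


class AppSessionStore:
    """In-memory stand-in for the app's session and token tables (constructed)."""

    def __init__(self):
        self.sessions = {}       # app session id -> app user id
        self.oauth_tokens = {}   # app user id -> (oauth_token, oauth_token_secret)
        self.twitter_ids = {}    # app user id -> Twitter user id (safe to keep)

    def sign_in(self, user_id, twitter_user_id, oauth_token, oauth_token_secret):
        """Called after a successful oauth/access_token exchange."""
        self.oauth_tokens[user_id] = (oauth_token, oauth_token_secret)
        self.twitter_ids[user_id] = twitter_user_id
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user_id
        return session_id

    def sign_out(self, session_id):
        """Forget the app session *and* the Twitter tokens behind it.

        Every other session of the same user is dropped too: on a public
        machine a stale tab must not keep a working token alive.
        """
        user_id = self.sessions.pop(session_id, None)
        if user_id is None:
            return False
        stale = [sid for sid, uid in self.sessions.items() if uid == user_id]
        for sid in stale:
            del self.sessions[sid]
        self.oauth_tokens.pop(user_id, None)   # twitter_ids is deliberately kept
        return True

    def token_for_session(self, session_id):
        """Access token to sign API calls with, or None if the user must reauthorize."""
        user_id = self.sessions.get(session_id)
        if user_id is None:
            return None
        return self.oauth_tokens.get(user_id)

    def needs_reauthorization(self, user_id):
        """True once sign_out has run: the user id is known, the tokens are gone."""
        return user_id in self.twitter_ids and user_id not in self.oauth_tokens


def authorize_url(request_token, force_login=True):
    """Redirect target for a user who needs (re)authorization.

    force_login=true makes Twitter ask for credentials even if a twitter.com
    cookie from the previous user is still present. The host is the one used
    in this thread; a real app would read it from its OAuth configuration.
    """
    params = {"oauth_token": request_token}
    if force_login:
        params["force_login"] = "true"
    return "https://twitter.com/oauth/authorize?" + urlencode(params)
```

After sign_out, token_for_session returns None for every session of that user, so any API call path in the app fails closed and the next person at the keyboard is pushed to authorize_url; what it cannot do is clear the twitter.com cookie, which is exactly the gap Gert describes.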
[twitter-dev] Re: Sign out of Twitter through API
Thanks for your response. The problem lies not with my application security, but with the security of the twitter account of my users. Imagine this: 1. User comes to my application and signs in with Twitter. 2. This forces the user to log into Twitter (force_login=true) 3. The user is redirected back to my application and is now authenticated to use it. So far all is fine, but since the computer is public, consider this: 4. User signs out of the application, but doesn't click the button to sign out of Twitter as well (people forget that, because they think it's weird to log out twice) 5. The next user comes to use the computer, but instead of using the application, he goes directly to twitter.com 6. Since the last user didn't sign out, the new user can do pretty much anything with the account of the previous user. Regards, Gert On 10 jun, 00:08, themattharris thematthar...@twitter.com wrote: Hey GHengeveld, There was a conversation about this back in April which might help [1]. In it Taylor explains that OAuth is stateless and that the logged in state of a user is based on your system rather than ours. Your application would be interacting with Twitter using the OAuth tokens for the user as you have identified them. If the user isn't recognised I would expect your widget would detect that and ask the user to authenticate or authorize again. That being said, the method you use to identify the user depends on what you want to do. Also, as the user isn't logged into Twitter through the API the account/end_session method will have no effect. I'm wondering, have you looked at @anywhere. It may be suitable for what you want to do. Matt 1. http://groups.google.com/group/twitter-development-talk/browse_thread... On Jun 8, 7:25 am, GHengeveld korad...@gmail.com wrote: I'm developing an application designed to run on a public computer, where many users will sign in with Twitter to register for our app.
I've been looking for a way to sign the user out of Twitter when they exit the application (through a sign out button). Since we cannot destroy the cookies set by twitter.com, all it does right now is destroy our own session and cookies and show a button which links to the Twitter sign out page (in a popup). We would prefer not to use the popup, but instead sign the user out of Twitter automatically when they sign out of our application. This will greatly reduce the likelihood of people forgetting to logout (and thus allowing access to their own account by the next user). We're already using force_login=true to force a new login when someone connects to our application, but then it could already be too late. Is there any way to call a sign out through the API? Account/end_session seems to be what I'm looking for, but I can't get it to work. Another approach would be to scrape twitter.com for the authenticity_token and call the logout form through cURL, but this isn't the nicest way to do things and my first attempts have failed so far.
[twitter-dev] Re: Sign out of Twitter through API
Hey GHengeveld, There was a conversation about this back in April which might help [1]. In it Taylor explains that OAuth is stateless and that the logged in state of a user is based on your system rather than ours. Your application would be interacting with Twitter using the OAuth tokens for the user as you have identified them. If the user isn't recognised I would expect your widget would detect that and ask the user to authenticate or authorize again. That being said, the method you use to identify the user depends on what you want to do. Also, as the user isn't logged into Twitter through the API the account/end_session method will have no effect. I'm wondering, have you looked at @anywhere. It may be suitable for what you want to do. Matt 1. http://groups.google.com/group/twitter-development-talk/browse_thread/thread/02e44b27d7ba3661 On Jun 8, 7:25 am, GHengeveld korad...@gmail.com wrote: I'm developing an application designed to run on a public computer, where many users will sign in with Twitter to register for our app. I've been looking for a way to sign the user out of Twitter when they exit the application (through a sign out button). Since we cannot destroy the cookies set by twitter.com, all it does right now is destroy our own session and cookies and show a button which links to the Twitter sign out page (in a popup). We would prefer not to use the popup, but instead sign the user out of Twitter automatically when they sign out of our application. This will greatly reduce the likelihood of people forgetting to logout (and thus allowing access to their own account by the next user). We're already using force_login=true to force a new login when someone connects to our application, but then it could already be too late. Is there any way to call a sign out through the API? Account/end_session seems to be what I'm looking for, but I can't get it to work.
Another approach would be to scrape twitter.com for the authenticity_token and call the logout form through cURL, but this isn't the nicest way to do things and my first attempts have failed so far.
[twitter-dev] Re: Sign in with Twitter and oauth/authenticate
yeah thanks Just curious why that isn't displayed as an option in my Application details page... Might cause some confusion for anyone who hasn't read the wiki in detail.
Re: [twitter-dev] Re: Sign in with Twitter and oauth/authenticate
Oauth/authenticate was added later and I guess the application detail page was never updated. Abraham On Tue, Jan 19, 2010 at 17:29, eco_bach bac...@gmail.com wrote: yeah thanks Just curious why that isn't displayed as an option in my Application details page... Might cause some confusion for anyone who hasn't read the wiki in detail. -- Abraham Williams | Moved to Seattle | May cause email delays Project | Intersect | http://intersect.labs.poseurtech.com Hacker | http://abrah.am | http://twitter.com/abraham This email is: [ ] shareable [x] ask first [ ] private. Sent from Seattle, WA, United States
[twitter-dev] Re: Sign in with Twitter, PIN authentication and Desktop Clients
Thanks Ryan On Jan 17, 5:38 pm, ryan alford ryanalford...@gmail.com wrote: 1. Desktop applications are those that are installed or run from a PC/Mac/Linux or on a mobile device. They are outside of the browser. 2. One is used for web applications, the other is for desktop applications. 3. You are correct. PIN workflow is only for desktop applications. Ryan Sent from my DROID On Jan 17, 2010 5:00 PM, eco_bach bac...@gmail.com wrote: Hi Building an AS3 based web application using OAuth. So far I've coded a demo that successfully obtains a request token, redirects the user to the oauth url, and, on successful login redirects the user back to the previously supplied consumer-application URL. However somewhat confused by several things. 1) Definition of Desktop Clients http://apiwiki.twitter.com/Authentication Is a desktop client any web based application? or does it specifically refer to any application OUTSIDE of the browser (ie AIR based)? 2) SignIn with Twitter Can someone explain the difference between 'oauth/authorize' and 'oauth/authenticate' urls? What is meant by 'normal flow' (2nd paragraph) here http://apiwiki.twitter.com/Sign-in-with-Twitter 3) PIN handshake My assumption is that the extra PIN handshake is ONLY necessary for what I understand to be desktop clients (ie #1 above) So 'Sign in with Twitter' for a web-based application shouldn't require the extra PIN handshake. Am I correct? Thanks for any feedback on the above!
[twitter-dev] Re: Sign in with Twitter
On Thu, 6 Aug 2009 08:50:05 -0700 (PDT) Dewald Pretorius dpr...@gmail.com wrote: If I understand you correctly, you're saying one should login for the user in the OAuth process? Wouldn't that involve scraping the Twitter web interface? Or am I outside the ballpark with my understanding? I'm saying that, for those who are more worried about losing users with an OAuth login than they are worried about losing them by asking for their Twitter password, it is still possible and desirable to use OAuth. There is a complexity cost, but you can pay it in the back end instead of passing it on to the user interface. The benefits are that the application isn't subject to the verify credentials DoS attack and the app will already be using OAuth if/when basic is discontinued. With OAuth, you authenticate the user, but you never use the verify credentials service to do so. Even if you set up a gateway so that you can use Ajax to log the user into Twitter and verify your own token, you don't verify credentials so much as use them. The API documentation is saying that the OAuth calls aren't rate limited. They don't need to be for security, but they may need to be limited by IP address for performance. The main point is that a user outside of your service can't trip the limit in order to run a DoS attack on your users. Chris Babcock
[twitter-dev] Re: Sign in with Twitter
Jesse, Amen to that. When one does customer support for long enough, you quickly realize that: a) People do not read instructions, and b) Many people are not as computer literate as you'd wish them to be. If you send people all over the place, many go, WTF, and abandon the process out of fear or ignorance. With Basic Auth the process is very simple. Enter the username and password on your site, and click the save button. It shouldn't be any more involved or complicated with OAuth. Dewald On Aug 6, 2:22 am, Jesse Stay jesses...@gmail.com wrote: On Wed, Aug 5, 2009 at 7:32 AM, Duane Roelands duane.roela...@gmail.com wrote: If your users don't understand why they're seeing the Twitter login screen, then your application needs to do a better job of explaining it. Duane I don't think this has anything to do with that. Having worked on e-commerce sites for major e-commerce companies, it has been proven that the more steps a user has to register, the more likely they are to abandon the process, and the more likely you are to lose a sale. This is why Amazon patented the one-click sale. The fact is this (Twitter's auth) takes too many steps, and no amount of explaining ahead of time is going to change that. The more you can keep the users on your own site and reduce the steps necessary to log in, the better. Again, as I mentioned earlier - with Facebook this is one step: click a button, enter your credentials (if you haven't already), and you're done, and they never leave your site to do it. I'd love to see the same for Twitter with unauthenticated users, especially removing the need for them to leave my site to make the authentication happen. Jesse
[twitter-dev] Re: Sign in with Twitter
It's a subtle distinction: users aim to use the application, not the Twitter website. They expect Twitter to ask for their permission, but they don't expect to start using the Twitter website. So they're a little surprised when Twitter asks them to log in. The page doesn't make it clear that they're moving toward the application; it looks like they're moving toward Twitter's UI. Of course the application can warn the user what's going to happen, but I'd prefer to remove the cognitive dissonance. On Aug 5, 4:32 am, Duane Roelands duane.roela...@gmail.com wrote: If your users don't understand why they're seeing the Twitter login screen, then your application needs to do a better job of explaining it.
[twitter-dev] Re: Sign in with Twitter
On Thu, 6 Aug 2009 05:09:48 -0700 (PDT) Dewald Pretorius dpr...@gmail.com wrote: Amen to that. When one does customer support for long enough, you quickly realize that: a) People do not read instructions, and b) Many people are not as computer literate as you'd wish them to be. If you send people all over the place, many go, WTF, and abandon the process out of fear or ignorance. With Basic Auth the process is very simple. Enter the username and password on your site, and click the save button. It shouldn't be any more involved or complicated with OAuth. The problem with Basic Auth is that it doesn't know the difference between Authentication and Authorization. It's an oversimplification. The only way to do something *for* someone is to *be* that someone as far as the target system is concerned. A system that is as smart as it needs to be is going to be a little more complicated and involved than that. You can still do a little animated authorize this screen just like Facebook with OAuth. Just set up a gateway on your server and Ajax the whole work flow through the gateway. There's no need to complicate the UX. The complications can go in the back end so that you can get your authenticalization in one click. Chris Babcock
[twitter-dev] Re: Sign in with Twitter
Chris, If I understand you correctly, you're saying one should login for the user in the OAuth process? Wouldn't that involve scraping the Twitter web interface? Or am I outside the ballpark with my understanding? Dewald On Aug 6, 10:36 am, Chris Babcock cbabc...@kolonelpanic.com wrote: On Thu, 6 Aug 2009 05:09:48 -0700 (PDT) Dewald Pretorius dpr...@gmail.com wrote: Amen to that. When one does customer support for long enough, you quickly realize that: a) People do not read instructions, and b) Many people are not as computer literate as you'd wish them to be. If you send people all over the place, many go, WTF, and abandon the process out of fear or ignorance. With Basic Auth the process is very simple. Enter the username and password on your site, and click the save button. It shouldn't be any more involved or complicated with OAuth. The problem with Basic Auth is that it doesn't know the difference between Authentication and Authorization. It's an oversimplification. The only way to do something *for* someone is to *be* that someone as far as the target system is concerned. A system that is as smart as it needs to be is going to be a little more complicated and involved than that. You can still do a little animated authorize this screen just like Facebook with OAuth. Just set up a gateway on your server and Ajax the whole work flow through the gateway. There's no need to complicate the UX. The complications can go in the back end so that you can get your authenticalization in one click. Chris Babcock
[twitter-dev] Re: Sign in with Twitter
Some users aren't comfortable giving their Twitter password to another website. For them, it's sort of a good thing to be sent to Twitter's I would hazard a guess that they really are the long tail. Only a small percentage of people would care, most would not but they are going to be penalized with a more complicated system ... seems a bit backward to me. One possibility is for your application (which is what I will do in twitcher) to offer both methods. Then both sets of users are covered, most people can get in quickly and easily by entering name and password; but those that are more careful/concerned can go the more complicated oauth route. Problem is, twitter are going to shut off Basic Auth at some point which is a big mistake IMHO, but hey ho.
[twitter-dev] Re: Sign in with Twitter
I would agree, this area needs some TLC as my post suggested: http://groups.google.com/group/twitter-development-talk/browse_thread/thread/0f57965561504a1c?hl=en
[twitter-dev] Re: Sign in with Twitter
If your users don't understand why they're seeing the Twitter login screen, then your application needs to do a better job of explaining it. On Aug 4, 2:05 pm, John Kristian jmkrist...@gmail.com wrote: a user who's focused on the application won't see the first page and wonder, Why must I log in to Twitter? I want to use the application, not the Twitter website.
[twitter-dev] Re: Sign in with Twitter
On Wed, Aug 5, 2009 at 7:32 AM, Duane Roelands duane.roela...@gmail.com wrote: If your users don't understand why they're seeing the Twitter login screen, then your application needs to do a better job of explaining it. Duane I don't think this has anything to do with that. Having worked on e-commerce sites for major e-commerce companies, it has been proven that the more steps a user has to register, the more likely they are to abandon the process, and the more likely you are to lose a sale. This is why Amazon patented the one-click sale. The fact is this (Twitter's auth) takes too many steps, and no amount of explaining ahead of time is going to change that. The more you can keep the users on your own site and reduce the steps necessary to log in, the better. Again, as I mentioned earlier - with Facebook this is one step: click a button, enter your credentials (if you haven't already), and you're done, and they never leave your site to do it. I'd love to see the same for Twitter with unauthenticated users, especially removing the need for them to leave my site to make the authentication happen. Jesse
[twitter-dev] Re: Sign in with Twitter , old access token /secret will be invalid ?
Hi, no it will not expire / become invalid; you can store it in DB or cookie On Mon, Jul 20, 2009 at 4:33 PM, CG learn@gmail.com wrote: Hi all, I have a newbie question, would like to seek the confirmation from experienced twitter app developer ... hopefully somebody can help. I would like to develop a web-based twitter app, which implements Sign in with Twitter, and also post update on behalf of user in background.. My question is 1. If the user signs on my app with Sign in with Twitter, it will generate a new pair of access token and secret; in this case, will the old access token and secret be expired / invalid? CG -- Regards Mandakini
[twitter-dev] Re: Sign in with Twitter , old access token /secret will be invalid ?
What about the pin? (for desktop clients) How long will it be accessible. Regards Srikanth On Mon, Jul 20, 2009 at 4:54 PM, Mandakini kumari pkumar...@gmail.com wrote: Hi, no it will not expire / become invalid; you can store it in DB or cookie On Mon, Jul 20, 2009 at 4:33 PM, CG learn@gmail.com wrote: Hi all, I have a newbie question, would like to seek the confirmation from experienced twitter app developer ... hopefully somebody can help. I would like to develop a web-based twitter app, which implements Sign in with Twitter, and also post update on behalf of user in background.. My question is 1. If the user signs on my app with Sign in with Twitter, it will generate a new pair of access token and secret; in this case, will the old access token and secret be expired / invalid? CG -- Regards Mandakini
[twitter-dev] Re: Sign in with Twitter , old access token /secret will be invalid ?
The pin is only required to exchange the request token for the access token. After you have an access token the pin is useless. Abraham On Mon, Jul 20, 2009 at 07:06, srikanth yaradla srikanth.yara...@gmail.com wrote: What about the pin? (for desktop clients) How long will it be accessible. Regards Srikanth On Jul 20, 4:24 pm, Mandakini kumari pkumar...@gmail.com wrote: Hi, no it will not expire / become invalid; you can store it in DB or cookie On Mon, Jul 20, 2009 at 4:33 PM, CG learn@gmail.com wrote: Hi all, I have a newbie question, would like to seek the confirmation from experienced twitter app developer ... hopefully somebody can help. I would like to develop a web-based twitter app, which implements Sign in with Twitter, and also post update on behalf of user in background.. My question is 1. If the user signs on my app with Sign in with Twitter, it will generate a new pair of access token and secret; in this case, will the old access token and secret be expired / invalid? CG -- Regards Mandakini -- Abraham Williams | Community Evangelist | http://web608.org Hacker | http://abrah.am | http://twitter.com/abraham Project | http://fireeagle.labs.poseurtech.com This email is: [ ] blogable [x] ask first [ ] private. Sent from Madison, WI, United States
[twitter-dev] Re: Sign in with Twitter - Flow chart error?
On Sun, Jul 12, 2009 at 20:54, Scott Carter scarter28m-goo...@yahoo.com wrote: I am using as a reference the Sign in with Twitter documentation at: http://apiwiki.twitter.com/Sign-in-with-Twitter When I issue an authenticate call to: https://twitter.com/oauth/authenticate?oauth_token=request_token The callback I get is: callback_url?oauth_token=request_token&oauth_verifier=verifier Questions: 1. This callback appears to be identical to the authorize response. Is there an error with the flow chart on the Sign in with Twitter page that indicates an authenticate callback will include the access token and token secret? The flow chart was created before oauth/authenticate was added. I'm sure that Twitter will update it now that it has been pointed out. 2. I understand that the advantage of using the authenticate process is that if a user has already authorized an application, they don't need to do it again. Is there any reason to use the authorize process instead? It seems that apps would benefit from always using the Sign in with Twitter authenticate flow. I don't know why more sites don't use authenticate instead of authorize. I think mostly it is by not knowing about it and random TOS issues. Thanks, - Scott Abraham -- Abraham Williams | Community Evangelist | http://web608.org Hacker | http://abrah.am | http://twitter.com/abraham Project | http://fireeagle.labs.poseurtech.com This email is: [ ] blogable [x] ask first [ ] private.
[twitter-dev] Re: Sign in with Twitter - Flow chart error?
If you want to give your users the ability to use multiple twitter accounts with your service, Authorize allows them a chance to switch accounts during the login flow. We consciously do that on a couple of our apps. On Sun, Jul 12, 2009 at 10:02 PM, Abraham Williams 4bra...@gmail.com wrote: On Sun, Jul 12, 2009 at 20:54, Scott Carter scarter28m-goo...@yahoo.com wrote: I am using as a reference the Sign in with Twitter documentation at: http://apiwiki.twitter.com/Sign-in-with-Twitter When I issue an authenticate call to: https://twitter.com/oauth/authenticate?oauth_token=request_token The callback I get is: callback_url?oauth_token=request_token&oauth_verifier=verifier Questions: 1. This callback appears to be identical to the authorize response. Is there an error with the flow chart on the Sign in with Twitter page that indicates an authenticate callback will include the access token and token secret? The flow chart was created before oauth/authenticate was added. I'm sure that Twitter will update it now that it has been pointed out. 2. I understand that the advantage of using the authenticate process is that if a user has already authorized an application, they don't need to do it again. Is there any reason to use the authorize process instead? It seems that apps would benefit from always using the Sign in with Twitter authenticate flow. I don't know why more sites don't use authenticate instead of authorize. I think mostly it is by not knowing about it and random TOS issues. Thanks, - Scott Abraham -- Abraham Williams | Community Evangelist | http://web608.org Hacker | http://abrah.am | http://twitter.com/abraham Project | http://fireeagle.labs.poseurtech.com This email is: [ ] blogable [x] ask first [ ] private. -- Wynn Netherland twitter: pengwynn
[twitter-dev] Re: Sign in with Twitter - Flow chart error?
On Sun, Jul 12, 2009 at 11:27 PM, Wynn Netherland wynn.netherl...@gmail.com wrote: If you want to give your users the ability to use multiple twitter accounts with your service, Authorize allows them a chance to switch accounts during the login flow. We consciously do that on a couple of our apps. Bingo. ditto my apps. -chad
[twitter-dev] Re: Sign in with Twitter
Hi all, So it looks like that the token being returned to the callback from oauth/authenticate is now the same request token we sent. Can someone please confirm this? This is the last message I found on the topic. If this is the case, how are we supposed to proceed? Should we exchange the request token for a new access token every time Sign in with Twitter happens? Thanks, Romeo On Apr 17, 9:31 pm, Matt Sanford m...@twitter.com wrote: Hi all, This behavior (i.e. which token is returned) is likely to change soon. Once again, stay tuned for updates. — Matt On Apr 17, 2009, at 01:02 AM, Abraham Williams wrote: The oauth_token returned from oauth/authenticate is the key from the users access tokens. as long as you store the access tokens you can match the returned oauth_token with what is in your database. On Fri, Apr 17, 2009 at 01:35, John Kristian jmkrist...@gmail.com wrote: I'm having trouble using /oauth/authenticate, too. After authenticating, Twitter redirects back to my consumer with a different oauth_token than the one I sent to initiate authentication. Twitter APIs don't accept either token. Sending the original request token to /oauth/access_token elicits HTTP 401 with an XML error Invalid / expired Token. Sending the second callback token elicits HTTP 500 Internal Server Error with an HTML body entitled Twitter / Error. When either token is used as an access token, Twitter responds with 401. The original request token elicits an XML error Invalid / expired Token; the second token elicits Failed to validate oauth signature or token. For signing I used the token secret associated with the original request token. The user has already given permission to this consumer. Help? On Apr 16, 12:25 pm, Dossy Shiobara do...@panoptic.com wrote: I just tried out the oauth/authenticate - I supplied a RequestToken and it redirected back to my callback URL with an AccessToken ... but, what's the token secret for this AccessToken? 
I only know the secret for the RequestToken I sent it ... Is the token secret the same for the AccessToken I get back? -- Abraham Williams | http://the.hackerconundrum.com Hacker | http://abrah.am | http://twitter.com/abraham Web608 | Community Evangelist | http://web608.org This email is: [ ] blogable [x] ask first [ ] private. Sent from Madison, Wisconsin, United States
[twitter-dev] Re: Sign in with Twitter added to EpiTwitter (PHP/OAuth)
Adding this to the wiki. Thanks for sharing! Thanks, Doug -- Doug Williams Twitter Platform Support http://twitter.com/dougw On Fri, May 1, 2009 at 12:54 AM, jmathai jmat...@gmail.com wrote: Did a quick write up on using PHP to sign in to Twitter. Working Example: http://www.jaisenmathai.com/sign_in_with_twitter/ Blog Post: http://www.jaisenmathai.com/blog/2009/04/30/letting-your-users-sign-in-with-twitter-with-oauth/ Code/Documentation: http://wiki.github.com/jmathai/epicode/epitwitter
[twitter-dev] Re: Sign in with Twitter
Was there an announcement that this was going down? I'm seeing This feature is temporarily disabled as well. Jesse On Sun, Apr 19, 2009 at 4:05 AM, Rore rotem.her...@gmail.com wrote: Any idea when authenticate url will work again? On Apr 17, 4:31 pm, Matt Sanford m...@twitter.com wrote: Hi all, This behavior (i.e. which token is returned) is likely to change soon. Once again, stay tuned for updates. — Matt On Apr 17, 2009, at 01:02 AM, Abraham Williams wrote: The oauth_token returned from oauth/authenticate is the key from the users access tokens. as long as you store the access tokens you can match the returned oauth_token with what is in your database. On Fri, Apr 17, 2009 at 01:35, John Kristian jmkrist...@gmail.com wrote: I'm having trouble using /oauth/authenticate, too. After authenticating, Twitter redirects back to my consumer with a different oauth_token than the one I sent to initiate authentication. Twitter APIs don't accept either token. Sending the original request token to /oauth/access_token elicits HTTP 401 with an XML error Invalid / expired Token. Sending the second callback token elicits HTTP 500 Internal Server Error with an HTML body entitled Twitter / Error. When either token is used as an access token, Twitter responds with 401. The original request token elicits an XML error Invalid / expired Token; the second token elicits Failed to validate oauth signature or token. For signing I used the token secret associated with the original request token. The user has already given permission to this consumer. Help? On Apr 16, 12:25 pm, Dossy Shiobara do...@panoptic.com wrote: I just tried out the oauth/authenticate - I supplied a RequestToken and it redirected back to my callback URL with an AccessToken ... but, what's the token secret for this AccessToken? I only know the secret for the RequestToken I sent it ... Is the token secret the same for the AccessToken I get back? 
-- Abraham Williams | http://the.hackerconundrum.com Hacker | http://abrah.am | http://twitter.com/abraham Web608 | Community Evangelist | http://web608.org This email is: [ ] blogable [x] ask first [ ] private. Sent from Madison, Wisconsin, United States
[twitter-dev] Re: Sign in with Twitter
Any idea when authenticate url will work again? On Apr 17, 4:31 pm, Matt Sanford m...@twitter.com wrote: Hi all, This behavior (i.e. which token is returned) is likely to change soon. Once again, stay tuned for updates. — Matt On Apr 17, 2009, at 01:02 AM, Abraham Williams wrote: The oauth_token returned from oauth/authenticate is the key from the users access tokens. as long as you store the access tokens you can match the returned oauth_token with what is in your database. On Fri, Apr 17, 2009 at 01:35, John Kristian jmkrist...@gmail.com wrote: I'm having trouble using /oauth/authenticate, too. After authenticating, Twitter redirects back to my consumer with a different oauth_token than the one I sent to initiate authentication. Twitter APIs don't accept either token. Sending the original request token to /oauth/access_token elicits HTTP 401 with an XML error Invalid / expired Token. Sending the second callback token elicits HTTP 500 Internal Server Error with an HTML body entitled Twitter / Error. When either token is used as an access token, Twitter responds with 401. The original request token elicits an XML error Invalid / expired Token; the second token elicits Failed to validate oauth signature or token. For signing I used the token secret associated with the original request token. The user has already given permission to this consumer. Help? On Apr 16, 12:25 pm, Dossy Shiobara do...@panoptic.com wrote: I just tried out the oauth/authenticate - I supplied a RequestToken and it redirected back to my callback URL with an AccessToken ... but, what's the token secret for this AccessToken? I only know the secret for the RequestToken I sent it ... Is the token secret the same for the AccessToken I get back? -- Abraham Williams |http://the.hackerconundrum.com Hacker |http://abrah.am|http://twitter.com/abraham Web608 | Community Evangelist |http://web608.org This email is: [ ] blogable [x] ask first [ ] private. Sent from Madison, Wisconsin, United States
[twitter-dev] Re: Sign in with Twitter
It just dawned on me: it looks like /oauth/authenticate is designed to merely deliver a user's ID and screen_name to an application, not to authorize the application to access Twitter on the user's behalf. Is that so?

A suggestion: treat the user ID and screen_name as a resource that's protected by OAuth. Define /oauth/authenticate as the place a user authorizes an application to get the ID and screen_name. So, the flow would go like this:

1. The application GETs a request token from /oauth/request_token.
2. The application redirects the user's browser to /oauth/authenticate.
3. The user authenticates and/or gives permission, if needed.
4. Twitter redirects the browser to the application callback.
5. The application GETs an access token from /oauth/access_token.
6. The application GETs the user ID and screen name from /account/verify_credentials or something similar.

No sensitive data are passed from Twitter via browser redirects to the application. The application may use HTTPS to secure its requests to twitter.com/oauth.

On Apr 16, 11:48 am, Dossy Shiobara do...@panoptic.com wrote:
[twitter-dev] Re: Sign in with Twitter
I'm having trouble using /oauth/authenticate, too. After authenticating, Twitter redirects back to my consumer with a different oauth_token than the one I sent to initiate authentication. Twitter APIs don't accept either token.

Sending the original request token to /oauth/access_token elicits HTTP 401 with an XML error "Invalid / expired Token". Sending the second (callback) token elicits HTTP 500 Internal Server Error with an HTML body entitled "Twitter / Error".

When either token is used as an access token, Twitter responds with 401. The original request token elicits an XML error "Invalid / expired Token"; the second token elicits "Failed to validate oauth signature or token". For signing I used the token secret associated with the original request token.

The user has already given permission to this consumer. Help?

On Apr 16, 12:25 pm, Dossy Shiobara do...@panoptic.com wrote:
[twitter-dev] Re: Sign in with Twitter
The oauth_token returned from oauth/authenticate is the key from the user's access tokens. As long as you store the access tokens you can match the returned oauth_token with what is in your database.

On Fri, Apr 17, 2009 at 01:35, John Kristian jmkrist...@gmail.com wrote:

-- 
Abraham Williams | http://the.hackerconundrum.com
Hacker | http://abrah.am | http://twitter.com/abraham
Web608 | Community Evangelist | http://web608.org
This email is: [ ] blogable [x] ask first [ ] private.
Sent from Madison, Wisconsin, United States
[twitter-dev] Re: Sign in with Twitter
Zac, this can be solved just by properly modeling user accounts and Twitter accounts. It should be one-to-many. Signing in with any of their Twitter accounts can sign in that user. Let me know if that doesn't address your problem.

Ivan
http://tipjoy.com

On Apr 16, 1:18 pm, Zac Bowling zbowl...@gmail.com wrote:
> Hi Doug,
>
> There is a use case that sort of sucks when you don't force the user to authenticate each time, and that's when your application supports multiple Twitter accounts. It's nice to shortcut authenticating because it removes a step for the end user, but it sucks when you are trying to associate with multiple accounts. It would be nice if we could pass a flag to force login to show, or pass in an expected username and if it's not the same as what Twitter has for their session cookie, it invalidates and forces a login or something. Not sure if something like this exists already or anyone has run into this issue and figured out a work around.
>
> Zac Bowling
>
> On Thu, Apr 16, 2009 at 9:55 AM, Doug Williams d...@twitter.com wrote:
>> Related: More OAuth documentation is to come throughout the day so some of the links will be broken. It's a glaring omission in the documentation. Let's use this thread to fill the holes people find while implementing Sign in with Twitter for the time being.
>>
>> Cheers,
>> Doug Williams
>> Twitter API Support
>> http://twitter.com/dougw
>>
>> On Apr 16, 9:52 am, Doug Williams d...@twitter.com wrote:
>>> Matt has deployed our answer for one click login. It requires only a small change to the normal Twitter OAuth workflow and is documented here: http://apiwiki.twitter.com/Sign-in-with-Twitter
>>>
>>> This is the perfect tool for web applications wanting to offer users the ability to sign in with a Twitter account and a single mouse click. We want to see it in the wild so please let us know if you roll this out in your application.
>>>
>>> Thanks,
>>> Doug Williams
>>> Twitter API Support
>>> http://twitter.com/dougw
[twitter-dev] Re: Sign in with Twitter
Ivan, that doesn't solve the original problem of getting those accounts authenticated.

Zac, you should just use the /oauth/authorize link instead. The /oauth/authenticate link is what will do the auto-redirect.

-Chad

On Thu, Apr 16, 2009 at 1:45 PM, Ivan Kirigin ivan.kiri...@gmail.com wrote:
[twitter-dev] Re: Sign in with Twitter
Sorry, a little confused by your email. :-)

It's really not related to Twitter sign-on directly but to OAuth authentication in general that doesn't force the user to authenticate each time. The problem is with all OAuth providers that shortcut the process of associating and granting user permissions by bypassing the login screen if they are already logged into that site (have a session cookie already or something), when our client or service handles multiple accounts the OAuth provider has for just a single user on our side.

What happens is that a user on a service or client on our side wants to connect and authenticate with multiple accounts. For each link they create on their account on our side, we will redirect them back to Twitter or the OAuth provider to grant us permissions. The problem is that they are automatically logged in using their session on that site, so the permissions they are granting us are for that same user that they probably already set up previously.

Does that make sense?

Zac Bowling

On Thu, Apr 16, 2009 at 10:45 AM, Ivan Kirigin ivan.kiri...@gmail.com wrote:
[twitter-dev] Re: Sign in with Twitter
That is why there are 2 methods:

1) Authorize, which always displays a prompt on Twitter.
2) Authenticate, which shows nothing if already signed in and authorized.

Use them based on your needs.

Something to keep in mind: OAuth is not designed for identity authentication. It is designed for data authorization. Yes, it can be and is used as such, but it is a little bit of a hack.

Abraham

On Thu, Apr 16, 2009 at 13:05, Zac Bowling zbowl...@gmail.com wrote:

-- 
Abraham Williams | http://abrah.am | http://twitter.com/abraham
[twitter-dev] Re: Sign in with Twitter
On 4/16/09 12:55 PM, Doug Williams wrote:
> Related: More OAuth documentation is to come throughout the day so some of the links will be broken. It's a glaring omission in the documentation. Let's use this thread to fill the holes people find while implementing Sign in with Twitter for the time being.

One issue I have is that the oauth/authenticate method expects an oauth_token as part of the request. Until we've authenticated the user, how do we _know_ what the user's oauth_token should be? Are we supposed to request and use a new unauthorized token every time we present the sign in with Twitter button in our third-party application? (You can smell why this idea stinks, right?)

Also, the redirect to the callback URL has no signature. What stops an attacker from brute-force attacking an OAuth consumer, iterating through possible tokens? Simply the large search space of valid OAuth tokens? Even if it's only possible in theory ... some teenager with nothing better to do is going to eventually turn that theory into practice.

What would be ideal is a method that we can link a user to that follows the oauth/authenticate 4-step decision tree described on the wiki but requires only a callback URL. When Twitter sends the user back via the callback URL, it should include a valid OAuth access token, Twitter user ID and screen name, and signature. Then, another method like oauth/token where a signed request with the OAuth token can be made that returns the token secret.

Possible?

-- 
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)
[twitter-dev] Re: Sign in with Twitter
Hi Dossy,

The initial token required is a RequestToken rather than an AccessToken. Making the request for the RequestToken requires you know the consumer key/secret and (a) lets us know what application this is for (callback_url alone would not) and (b) prevents the token-shooting method you described.

Thanks;
— Matt

On Apr 16, 2009, at 11:26 AM, Dossy Shiobara wrote:
[twitter-dev] Re: Sign in with Twitter
On Thu, Apr 16, 2009 at 13:26, Dossy Shiobara do...@panoptic.com wrote:
> What would be ideal is a method that we can link a user to that follows the oauth/authenticate 4-step decision tree described on the wiki but requires only a callback URL. When Twitter sends the user back via the callback URL, it should include a valid OAuth access token, Twitter user ID and screen name, and signature. Then, another method like oauth/token where a signed request with the OAuth token can be made that returns the token secret.

I'm not quite sure what you mean by this. oauth/authenticate works pretty much exactly the same as oauth/authorize but uses a different path and may not require any action by the user if they have previously authorized.

> Possible?

-- 
Abraham Williams | http://abrah.am | http://twitter.com/abraham
[twitter-dev] Re: Sign in with Twitter
On 4/16/09 2:33 PM, Matt Sanford wrote:
> The initial token required is a RequestToken rather than an AccessToken. Making the request for the RequestToken requires you know the consumer key/secret and (a) lets us know what application this is for (callback_url alone would not) and (b) prevents the token-shooting method you described.

How does this prevent (b)? If I know a third-party application's callback URL, I can currently brute-force a user's oauth_token, assisted by a basic session-fixation attack. The callback URL isn't signed by Twitter.

Perhaps oauth/authenticate would require a signed request that doesn't include/require oauth_token. Upon successful process flow, Twitter would send the user back using a signed callback URL that includes the user's oauth_token. Then, all we would need is a method to retrieve the oauth_token_secret for that oauth_token.

This would enable third-party applications to completely use Twitter for their authentication, in lieu of OpenID.

-- 
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
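The consumer-side mitigation for the unsigned callback Dossy describes is to bind each request token to the browser session that started the login and accept a callback only when its oauth_token is the one issued to that session, once, and within a short window. This is an added example written for this thread, not Twitter's code or any library's; the in-memory store, the TTL value and the helper names are assumptions.

```python
"""
Bind OAuth 1.0 request tokens to the consumer's own browser session so
that a callback carrying any other token is rejected. Added example;
store layout, TTL and names are assumptions, not Twitter's API.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

REQUEST_TOKEN_TTL = 300  # seconds a started login stays valid (assumed value)


@dataclass
class PendingLogin:
    request_token: str
    request_token_secret: str
    issued_at: float


@dataclass
class Consumer:
    """Minimal consumer state: session_id -> the request token it is waiting on."""
    pending: Dict[str, PendingLogin] = field(default_factory=dict)

    def start_login(self, session_id: str, request_token: str, secret: str,
                    now: Optional[float] = None) -> str:
        """Record the token obtained from /oauth/request_token for this session
        and build the redirect to /oauth/authenticate. A session has at most
        one live login; starting another replaces it."""
        issued = time.time() if now is None else now
        self.pending[session_id] = PendingLogin(request_token, secret, issued)
        return "https://twitter.com/oauth/authenticate?oauth_token=" + request_token

    def handle_callback(self, session_id: str, oauth_token: str,
                        now: Optional[float] = None) -> Optional[PendingLogin]:
        """Validate the oauth_token that arrived on the (unsigned) callback URL.

        Returns the pending login to continue with, or None when the callback
        must be rejected. Whatever the outcome, the pending login is consumed,
        so a token is usable exactly once. A token that Twitter considers valid
        but that this session never started with is rejected: the consumer
        only trusts tokens it handed out itself, which removes both the
        token-guessing and the fixation concern raised in the thread."""
        now = time.time() if now is None else now
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return None  # no login was started from this session
        # constant-time compare so timing does not reveal how much matched
        if not hmac.compare_digest(entry.request_token, oauth_token):
            return None  # token was issued to some other login attempt
        if now - entry.issued_at > REQUEST_TOKEN_TTL:
            return None  # stale token; the user must restart the login
        return entry


def new_request_token() -> Tuple[str, str]:
    """Stand-in for the /oauth/request_token response (constructed locally)."""
    return secrets.token_urlsafe(24), secrets.token_urlsafe(32)


if __name__ == "__main__":
    app = Consumer()
    token, secret = new_request_token()
    print(app.start_login("session-1", token, secret))
    print("first callback accepted:", app.handle_callback("session-1", token) is not None)
    print("replay accepted:", app.handle_callback("session-1", token) is not None)
```

OAuth 1.0a later added oauth_verifier on the provider side for exactly this problem; the session binding above is still the consumer's own check.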
[twitter-dev] Re: Sign in with Twitter
Awesome, this will definitely improve the process. In particular the users will only have to face the question of "Deny or Allow access" once.

The only problem I foresee is if multiple users use the same computer. This way if USERA is already signed in to Twitter and USERB attempts to log into my site, USERB might not pay too much attention and end up using USERA's account. Of course I can solve this by making it so obvious on my site who is signed in. But then USERB would have to go back to Twitter, sign out USERA, then sign in to Twitter, go back to my site and click the log in button on my site.

The ideal solution for me is when a user tries to sign in through my app, they should be directed to a new authorization URL that asks the question: continue to sign in as USERA or sign in with a different account? They click continue and are sent to the callback URL. I know that this defeats the purpose of one-click log in. But it helps in solving the problem of someone inadvertently using someone else's account. Plus asking someone to "continue or sign in with a different user" is a much softer question than "Deny or Allow access?", which sounds like a much more critical question.

I still like the change and will begin using it, however if there was the option of what I describe above, then I would use that.

Also thanks for making it so simple to adopt the new flow!

On Apr 16, 10:45 am, Ivan Kirigin ivan.kiri...@gmail.com wrote:
[twitter-dev] Re: Sign in with Twitter
On 4/16/09 2:33 PM, Matt Sanford wrote:
> The initial token required is a RequestToken rather than an AccessToken. Making the request for the RequestToken requires you know the consumer key/secret and (a) lets us know what application this is for (callback_url alone would not) and (b) prevents the token-shooting method you described.

I just tried out the oauth/authenticate - I supplied a RequestToken and it redirected back to my callback URL with an AccessToken ... but, what's the token secret for this AccessToken? I only know the secret for the RequestToken I sent it ... Is the token secret the same for the AccessToken I get back?

I'm going to assume so, although the OAuth spec. suggests that when obtaining an AccessToken, both the oauth_token and oauth_token_secret are returned, and I imagine it's desirable to have a different secret for this different token, although obviously there's nothing that prohibits reusing the same secret.

-- 
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
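Both Dossy's question here and John's earlier report (signing the /oauth/access_token call with the request-token secret) come down to how the OAuth 1.0 HMAC-SHA1 signing key is built: it is consumer_secret & token_secret, so the same request signed under a different token secret produces a signature the provider will refuse, which is the kind of failure the thread reports as "Failed to validate oauth signature or token". This is an added example written for the thread, not Twitter's or any library's code; the consumer key, secrets, nonce and timestamp in the access-token request are constructed values.

```python
"""
OAuth 1.0 HMAC-SHA1 signing and verification (OAuth Core 1.0 section 9),
shown on Twitter's /oauth/access_token call. Added example; all key and
token values are constructed, not real credentials.
"""
import base64
import hashlib
import hmac
from typing import Dict
from urllib.parse import quote, urlsplit


def percent_encode(value: str) -> str:
    """Encoding OAuth 1.0 requires: only unreserved characters are left as-is."""
    return quote(value, safe="-._~")


def base_url(url: str) -> str:
    """scheme://host/path with lower-cased scheme and host, no query or fragment."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"


def signature_base_string(method: str, url: str, params: Dict[str, str]) -> str:
    """METHOD & enc(base URL) & enc(sorted 'k=v' pairs, each already encoded)."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url(url)),
                     percent_encode(normalized)])


def sign(method: str, url: str, params: Dict[str, str],
         consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string; the key is enc(consumer_secret)&enc(token_secret).
    For /oauth/access_token the token secret is the *request* token's secret;
    for later API calls it is the access token's secret."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    base = signature_base_string(method, url, params)
    digest = hmac.new(key.encode("ascii"), base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(method: str, url: str, params: Dict[str, str],
           consumer_secret: str, token_secret: str) -> bool:
    """Provider-side check: recompute the signature and compare in constant time."""
    presented = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


ACCESS_TOKEN_URL = "https://twitter.com/oauth/access_token"


def access_token_request(consumer_key: str, consumer_secret: str, request_token: str,
                         token_secret_used: str, nonce: str, timestamp: str) -> Dict[str, str]:
    """Parameter set a consumer would POST to /oauth/access_token, signed with
    whatever token secret the caller passes (so the wrong one can be demonstrated)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": request_token,
        "oauth_nonce": nonce,
        "oauth_timestamp": timestamp,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params,
                                     consumer_secret, token_secret_used)
    return params


if __name__ == "__main__":
    # constructed credentials, not real ones
    req = access_token_request("ck-example", "cs-example", "reqtoken-example",
                               "reqsecret-example", "nonce0001", "1240000000")
    # the provider knows the request token's secret: this verifies
    print("signed with request-token secret:",
          verify("POST", ACCESS_TOKEN_URL, req, "cs-example", "reqsecret-example"))
    # the same request checked under any other secret fails
    print("checked under another secret:",
          verify("POST", ACCESS_TOKEN_URL, req, "cs-example", "othersecret-example"))
```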
[twitter-dev] Re: Sign in with Twitter
On Apr 16, 9:52 am, Doug Williams d...@twitter.com wrote:

Hi Doug,

Signing into websites using your Twitter account is an awesome idea; Twitter accounts would make fantastic portable identities that can be used to sign into 3rd party sites. Most sites using Facebook Connect or OpenID really just want your profile, follower graph, and the ability to receive viral referral traffic by writing to your activity stream.

OAuth is great for 3rd party applications that are built on top of Twitter; however, I'm not sure if it's appropriate to use an OAuth token for signing in to a website, because it allows that site to spam your followers by tweeting on your behalf. Using OpenID is safer for sign-in, because OpenID would allow Twitter users to verify their Twitter identity, and share their Twitter Profile and Follower Graph (by scraping the microformats on the Twitter Profile Page), without having to authorize access to their Twitter account.

If Twitter users sign in with OpenID, 3rd party sites could still generate viral referral traffic by giving users a UI to preview and approve the tweet, by opening a modal dialog or popup that reuses the user's Twitter browser session to tweet.

Allen
[twitter-dev] Re: Sign in with Twitter
Hello again,

We've discussed OpenID but adding it is not something we can do in the near-term. With OAuth just out the door we felt like this was a better user experience than having to continually re-display the Accept/Deny dialog.

I'm looking into a few issues raised in this thread that may change how the API works slightly. Let me repeat that on a line all its own so people see it:

WERP WERP WERP. Change alert! Danger! Danger, Will Robinson. I am reviewing this discussion and based on the security/usability feedback I may need to change how this new method works. In the case of security it may be a change that breaks the current behavior and may be done with very little notice. I encourage people to try out the new system but keep it beta until I can confirm we're not going to have to alter it significantly.

Thanks;
— Matt

On Apr 16, 2009, at 12:51 PM, Allen Tom wrote:
[twitter-dev] Re: Sign in with Twitter
Allen,

OAuth is the third-party authorization protocol that we have decided to embrace. You can search the group's archives [1] for past discussion on OpenID and the Twitter API.

1. http://groups.google.com/group/twitter-development-talk/search?group=twitter-development-talkq=openidqt_g=Search+this+group

Doug Williams
Twitter API Support
http://twitter.com/dougw

On Thu, Apr 16, 2009 at 12:51 PM, Allen Tom a...@yahoo-inc.com wrote:

On Apr 16, 9:52 am, Doug Williams d...@twitter.com wrote:

Matt has deployed our answer for one click login. It requires only a small change to the normal Twitter OAuth workflow and is documented here: http://apiwiki.twitter.com/Sign-in-with-Twitter This is the perfect tool for web applications wanting to offer users the ability to sign in with a Twitter account and a single mouse click. We want to see it in the wild so please let us know if you roll this out in your application.

Hi Doug,

Signing into websites using your Twitter account is an awesome idea. Twitter accounts would make fantastic portable identities that can be used to sign into 3rd party sites. Most sites using Facebook Connect or OpenID really just want your profile, follower graph, and the ability to receive viral referral traffic by writing to your activity stream.

OAuth is great for 3rd party applications that are built on top of Twitter; however, I'm not sure if it's appropriate to use an OAuth token for signing in to a website, because it allows that site to spam your followers by tweeting on your behalf.

Using OpenID is safer for sign-in, because OpenID would allow Twitter users to verify their Twitter identity, and share their Twitter Profile and Follower Graph (by scraping the microformats on the Twitter Profile Page), without having to authorize access to their Twitter account. If Twitter users sign in with OpenID, 3rd party sites could still generate viral referral traffic by giving users a UI to preview and approve the tweet, by opening a modal dialog or popup that reuses the user's Twitter browser session to tweet.

Allen
[twitter-dev] Re: Sign in with Twitter
An idea is to have the oauth/authorize page display login/don't login instead of accept/deny if the user has already approved the application.

On Thu, Apr 16, 2009 at 16:29, djMax djm...@gmail.com wrote:

Did this stop working? All of the sudden I'm getting 500 server errors back. Was working ok 15 minutes ago.

On Apr 16, 12:52 pm, Doug Williams d...@twitter.com wrote:

Matt has deployed our answer for one click login. It requires only a small change to the normal Twitter OAuth workflow and is documented here: http://apiwiki.twitter.com/Sign-in-with-Twitter This is the perfect tool for web applications wanting to offer users the ability to sign in with a Twitter account and a single mouse click. We want to see it in the wild so please let us know if you roll this out in your application.

Thanks,
Doug Williams
Twitter API Support
http://twitter.com/dougw

--
Abraham Williams | http://the.hackerconundrum.com
Hacker | http://abrah.am | http://twitter.com/abraham
Web608 | Community Evangelist | http://web608.org
This email is: [ ] blogable [x] ask first [ ] private.
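The thread above discusses using the OAuth request-token / authenticate / access-token round trip purely as a sign-in signal, and Allen's objection that the resulting access token can also post on the user's behalf. The following is an added example, not code from the thread or from Twitter: a constructed mock of the provider side and a relying party that checks the callback's oauth_token against the token it issued for that session, exchanges the single-use verifier, and then keeps only the user id (discarding the access token it does not need). The callback URL, consumer key and user ids are placeholders.

```python
import secrets


class MockProvider:
    """Constructed stand-in for the provider's request_token / authenticate /
    access_token endpoints (not Twitter's implementation)."""

    def __init__(self):
        self.request_tokens = {}   # oauth_token -> {"callback", "verifier", "user_id"}
        self.access_tokens = {}    # oauth_token -> user_id

    def request_token(self, consumer_key, oauth_callback):
        tok = secrets.token_hex(8)
        self.request_tokens[tok] = {"callback": oauth_callback, "verifier": None, "user_id": None}
        return tok

    def authenticate(self, oauth_token, user_id):
        # The user is logged in at the provider and approves; the provider
        # redirects back to the registered callback with a fresh verifier.
        rec = self.request_tokens[oauth_token]
        rec["verifier"] = secrets.token_hex(6)
        rec["user_id"] = user_id
        return rec["callback"], {"oauth_token": oauth_token, "oauth_verifier": rec["verifier"]}

    def access_token(self, oauth_token, oauth_verifier):
        rec = self.request_tokens.pop(oauth_token, None)   # request token is single use
        if rec is None or rec["verifier"] != oauth_verifier:
            raise PermissionError("unknown request token or bad verifier")
        atok = secrets.token_hex(8)
        self.access_tokens[atok] = rec["user_id"]
        return atok, rec["user_id"]


class RelyingParty:
    """The web application using the provider only to identify the user."""

    def __init__(self, provider):
        self.p = provider
        self.sessions = {}  # session_id -> dict

    def start_login(self, session_id):
        tok = self.p.request_token("CONSUMER_KEY_PLACEHOLDER", "https://app.example/callback")
        self.sessions[session_id] = {"pending": tok}   # remember which token this browser started
        return tok

    def callback(self, session_id, params):
        sess = self.sessions.get(session_id, {})
        if params.get("oauth_token") != sess.get("pending"):
            raise PermissionError("callback token does not match this session")
        _access_token, uid = self.p.access_token(params["oauth_token"], params["oauth_verifier"])
        # Keep only the identity: the app holds no token that could tweet for the user.
        self.sessions[session_id] = {"user_id": uid}
        return uid

    def logout(self, session_id):
        self.sessions.pop(session_id, None)   # the app's own login state ends here
```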