Re: [twitter-dev] OAuth Revoke Token?

2010-04-12 Thread Raffi Krikorian
additionally, in oauth 2.0 we will have the ability to set expiration dates
for tokens, so after a certain time period, tokens could just automatically
expire.

i would rather not have an actual API that would expire a token as that seems like
an interesting attack vector.

On Mon, Apr 12, 2010 at 12:53 PM, Abraham Williams <4bra...@gmail.com> wrote:

> This seems like too much of an edge case for Twitter to spend resources on.
> You can always include &force_login=true to always prompt the user
> for credentials.
>
> Abraham
>
>  On Thu, Apr 8, 2010 at 12:23, Mike Repass  wrote:
>
>> A scenario for justifying invalidateToken:
>>
>>    - User visits AwesomeApp and wants to connect his Twitter account
>>    - AwesomeApp redirects to Twitter's OAuth flow
>>    - User fails to notice that someone else, UserX, is already logged in
>>    to Twitter in the current browser and clicks through
>>    - AwesomeApp detects (somehow, perhaps later) that the wrong Twitter
>>    user is connected. They can be a good citizen and revoke the token
>>    completely, then send the user back through a full OAuth flow that asks
>>    for username/password regardless of sign-in state.
>>
>> Just my $0.02,
>>
>> Mike
>>
>> On Thu, Apr 8, 2010 at 12:06 PM, Josh Roesslein wrote:
>>
>>> There is no API endpoint that I know of and I don't think one should exist.
>>> Users should not trust third parties to self-revoke access to their
>>> accounts. Users should know how to do it from twitter.com via the
>>> connections page. It might be nice if we could generate a redirect link to
>>> a page on twitter.com where the user can then revoke the access (sort of
>>> like the authorization page).
>>>
>>> Josh
>>>
>>>
>>> On Wed, Apr 7, 2010 at 11:59 PM, Ryan Amos  wrote:
>>>
>>>> Is there any way to send a request to revoke a token completely without
>>>> requiring the user go to their connections page on twitter?
>>>>
>>>>
>>>> We allow our users to revoke access via our application, but that only
>>>> revokes it on our side.  The application would still show up on their
>>>> twitter.com connections page.
>>>>
>>>> Google has one by sending a request to:
>>>> https://www.google.com/accounts/accounts/AuthSubRevokeToken
>>>>
>>>>
>>>> --
>>>> To unsubscribe, reply using "remove me" as the subject.
>>>>
>>>
>>>
>>
>
>
> --
> Abraham Williams | Developer for hire | http://abrah.am
> PoseurTech Labs | Projects | http://labs.poseurtech.com
> This email is: [ ] shareable [x] ask first [ ] private.
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi


Re: [twitter-dev] OAuth Revoke Token?

2010-04-12 Thread Abraham Williams
This seems like too much of an edge case for Twitter to spend resources on.
You can always include &force_login=true to always prompt the user
for credentials.

Abraham

On Thu, Apr 8, 2010 at 12:23, Mike Repass  wrote:

> A scenario for justifying invalidateToken:
>
>    - User visits AwesomeApp and wants to connect his Twitter account
>    - AwesomeApp redirects to Twitter's OAuth flow
>    - User fails to notice that someone else, UserX, is already logged in
>    to Twitter in the current browser and clicks through
>    - AwesomeApp detects (somehow, perhaps later) that the wrong Twitter
>    user is connected. They can be a good citizen and revoke the token
>    completely, then send the user back through a full OAuth flow that asks for
>    username/password regardless of sign-in state.
>
> Just my $0.02,
>
> Mike
>
> On Thu, Apr 8, 2010 at 12:06 PM, Josh Roesslein wrote:
>
>> There is no API endpoint that I know of and I don't think one should exist.
>> Users should not trust third parties to self-revoke access to their
>> accounts. Users should know how to do it from twitter.com via the
>> connections page. It might be nice if we could generate a redirect link to
>> a page on twitter.com where the user can then revoke the access (sort of
>> like the authorization page).
>>
>> Josh
>>
>>
>> On Wed, Apr 7, 2010 at 11:59 PM, Ryan Amos  wrote:
>>
>>> Is there any way to send a request to revoke a token completely without
>>> requiring the user go to their connections page on twitter?
>>>
>>>
>>> We allow our users to revoke access via our application, but that only
>>> revokes it on our side.  The application would still show up on their
>>> twitter.com connections page.
>>>
>>> Google has one by sending a request to:
>>> https://www.google.com/accounts/accounts/AuthSubRevokeToken
>>>
>>>
>>>
>>
>>
>


-- 
Abraham Williams | Developer for hire | http://abrah.am
PoseurTech Labs | Projects | http://labs.poseurtech.com
This email is: [ ] shareable [x] ask first [ ] private.
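
Added example, not part of the thread and not Twitter's code: the wrong-account scenario Mike Repass describes, handled with the force_login=true suggestion above. The authorize URL, `TokenStore`, `finish_connect` and the `expected_user_id` check are assumptions for illustration; the discard is local only, so the application still appears on the user's connections page.

```python
from urllib.parse import urlencode

# Assumed endpoint; the thread itself names only the force_login parameter.
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"


def authorize_url(request_token, force_login=False):
    """Build the redirect that sends the user to Twitter's OAuth page."""
    params = {"oauth_token": request_token}
    if force_login:
        # Prompt for credentials even if a Twitter session already exists.
        params["force_login"] = "true"
    return AUTHORIZE_URL + "?" + urlencode(params)


class TokenStore:
    """Hypothetical in-memory stand-in for the app's token table."""

    def __init__(self):
        self._rows = {}

    def save(self, app_user, grant):
        self._rows[app_user] = grant

    def discard(self, app_user):
        # Local only: nothing here revokes the token on Twitter's side.
        self._rows.pop(app_user, None)

    def get(self, app_user):
        return self._rows.get(app_user)


def finish_connect(store, app_user, expected_user_id, grant, fresh_request_token):
    """Accept the grant, or drop it and restart with a forced login.

    grant: parsed access-token response (oauth_token, oauth_token_secret,
    user_id, screen_name). expected_user_id: the Twitter id the app already
    associates with app_user, or None on first connect (assumption).
    """
    if expected_user_id is not None and grant["user_id"] != expected_user_id:
        store.discard(app_user)
        return "reauthorize", authorize_url(fresh_request_token, force_login=True)
    store.save(app_user, grant)
    return "connected", None


if __name__ == "__main__":
    # Constructed sample: UserX (id 2002) was signed in, not the expected 1001.
    grant = {"oauth_token": "t", "oauth_token_secret": "s", "user_id": "2002"}
    print(finish_connect(TokenStore(), "alice", "1001", grant, "REQ_TOKEN_2"))
```
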


Re: [twitter-dev] OAuth Revoke Token?

2010-04-12 Thread Abraham Williams
This seems like too much of an edge case for Twitter to spend resources on.

Abraham

On Thu, Apr 8, 2010 at 12:23, Mike Repass  wrote:

> A scenario for justifying invalidateToken:
>
>    - User visits AwesomeApp and wants to connect his Twitter account
>    - AwesomeApp redirects to Twitter's OAuth flow
>    - User fails to notice that someone else, UserX, is already logged in
>    to Twitter in the current browser and clicks through
>    - AwesomeApp detects (somehow, perhaps later) that the wrong Twitter
>    user is connected. They can be a good citizen and revoke the token
>    completely, then send the user back through a full OAuth flow that asks for
>    username/password regardless of sign-in state.
>
> Just my $0.02,
>
> Mike
>
> On Thu, Apr 8, 2010 at 12:06 PM, Josh Roesslein wrote:
>
>> There is no API endpoint that I know of and I don't think one should exist.
>> Users should not trust third parties to self-revoke access to their
>> accounts. Users should know how to do it from twitter.com via the
>> connections page. It might be nice if we could generate a redirect link to
>> a page on twitter.com where the user can then revoke the access (sort of
>> like the authorization page).
>>
>> Josh
>>
>>
>> On Wed, Apr 7, 2010 at 11:59 PM, Ryan Amos  wrote:
>>
>>> Is there any way to send a request to revoke a token completely without
>>> requiring the user go to their connections page on twitter?
>>>
>>>
>>> We allow our users to revoke access via our application, but that only
>>> revokes it on our side.  The application would still show up on their
>>> twitter.com connections page.
>>>
>>> Google has one by sending a request to:
>>> https://www.google.com/accounts/accounts/AuthSubRevokeToken
>>>
>>>
>>>
>>
>>
>


-- 
Abraham Williams | Developer for hire | http://abrah.am
PoseurTech Labs | Projects | http://labs.poseurtech.com
This email is: [ ] shareable [x] ask first [ ] private.


Re: [twitter-dev] OAuth Revoke Token?

2010-04-08 Thread Mike Repass
A scenario for justifying invalidateToken:

   - User visits AwesomeApp and wants to connect his Twitter account
   - AwesomeApp redirects to Twitter's OAuth flow
   - User fails to notice that someone else, UserX, is already logged in to
   Twitter in the current browser and clicks through
   - AwesomeApp detects (somehow, perhaps later) that the wrong Twitter user
   is connected. They can be a good citizen and revoke the token completely,
   then send the user back through a full OAuth flow that asks for
   username/password regardless of sign-in state.

Just my $0.02,

Mike

On Thu, Apr 8, 2010 at 12:06 PM, Josh Roesslein wrote:

> There is no API endpoint that I know of and I don't think one should exist.
> Users should not trust third parties to self-revoke access to their
> accounts. Users should know how to do it from twitter.com via the
> connections page. It might be nice if we could generate a redirect link to
> a page on twitter.com where the user can then revoke the access (sort of
> like the authorization page).
>
> Josh
>
>
> On Wed, Apr 7, 2010 at 11:59 PM, Ryan Amos  wrote:
>
>> Is there any way to send a request to revoke a token completely without
>> requiring the user go to their connections page on twitter?
>>
>>
>> We allow our users to revoke access via our application, but that only
>> revokes it on our side.  The application would still show up on their
>> twitter.com connections page.
>>
>> Google has one by sending a request to:
>> https://www.google.com/accounts/accounts/AuthSubRevokeToken
>>
>>
>>
>
>


Re: [twitter-dev] OAuth Revoke Token?

2010-04-08 Thread Josh Roesslein
There is no API endpoint that I know of and I don't think one should exist.
Users should not trust third parties to self-revoke access to their
accounts. Users should know how to do it from twitter.com via the
connections page. It might be nice if we could generate a redirect link to
a page on twitter.com where the user can then revoke the access (sort of
like the authorization page).

Josh

On Wed, Apr 7, 2010 at 11:59 PM, Ryan Amos  wrote:

> Is there any way to send a request to revoke a token completely without
> requiring the user go to their connections page on twitter?
>
>
> We allow our users to revoke access via our application, but that only
> revokes it on our side.  The application would still show up on their
> twitter.com connections page.
>
> Google has one by sending a request to:
> https://www.google.com/accounts/accounts/AuthSubRevokeToken
>
>
>