[twitter-dev] Re: Twitter logout - hate to open this can of worms again
Thanks for the replies everyone. It's unfortunate there's no good solution to this. Since we only do this the first time a user authorizes the widget, as some of you have mentioned, it mitigates the issue somewhat. We'll probably try to notify the user to log out from the Twitter site manually.

Cheers,
Matei

--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk?hl=en
Re: [twitter-dev] Re: Twitter logout - hate to open this can of worms again
On Fri, Sep 3, 2010 at 11:29, Ken k...@cimas.ch wrote:

> What is the risk of storing a token? It can't be used outside your app.

Much less risk than having users register with your app with a password.

> This is for sites that manage users. There's no need for a registration flow, at least one that is apparent to the user. For new users, send them to Twitter for a one-time OAuth roundtrip. Upon receipt of the token, create a user in your system, assign them a password and use it to log them in. Provide them this password, and/or let them change it. That's pretty pain-free account creation.

Having users set up a password is a registration flow. You then also have to set up a mechanism for when they forget their password, keep the password safe, etc. Better than most sign-up processes, but it is still yet another password.

> If you need to associate an existing logged-in user with their Twitter account, send them to Twitter for OAuth once. When they return they'll still be logged in and you'll have the credentials for future use.

Abraham
-
Abraham Williams | Hacker Advocate | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.
Re: [twitter-dev] Re: Twitter logout - hate to open this can of worms again
On Fri, Sep 3, 2010 at 11:43, Bernd Stramm bernd.str...@gmail.com wrote:

> On Fri, 3 Sep 2010 11:29:22 -0700 (PDT) Ken k...@cimas.ch wrote:
>
>> What is the risk of storing a token? It can't be used outside your app.
>
> The token being confined to use within an app is very insecure when the app runs on an end-user device. There soon will be a billion smart phones, and many of those will run twitter apps.

Humans are very insecure. Most will tell you all of their passwords with the right/wrong type of influences.

> Then suppose user Alice finds out user Bob's token (perhaps by borrowing or stealing a phone), and publishes it. User Bob now has no way to retire the token, short of disabling the app that runs on millions of phones. Or Bob can get a new twitter user name.

This is incorrect. Bob can go to Twitter and revoke the token so it won't work anymore.

> That's not what is normally called security. OAuth as currently done with twitter only works when the app runs on a small number of secure servers.
>
> --
> Bernd Stramm bernd.str...@gmail.com

Abraham
-
Abraham Williams | Hacker Advocate | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.
[twitter-dev] Re: Twitter logout - hate to open this can of worms again
I thought I had found a solution, albeit a horrendously ugly one: redirect them to http://twitter.com/logout, but even that doesn't work.

If you are looking for reliable, don't log them in with OAuth - except once, the first time, when you store their token.

On Sep 3, 7:23 am, Abraham Williams 4bra...@gmail.com wrote:

> There is no pragmatic way to sign a user out of twitter.com through the API. When a user logs out of your site send them to twitter.com so they can sign out there, or to a page explaining they should sign out of twitter.com.
>
> Abraham
> -
> Abraham Williams | Hacker Advocate | http://abrah.am
> @abraham | http://projects.abrah.am | http://blog.abrah.am
> This email is: [ ] shareable [x] ask first [ ] private.
>
> On Thu, Sep 2, 2010 at 10:43, Matei mad.doroba...@gmail.com wrote:
>
>> bump?
>>
>> On Sep 1, 10:45 am, Matei mad.doroba...@gmail.com wrote:
>>
>>> Hi everyone,
>>>
>>> I am compelled to ask because the search turned out a few posts that were somewhat vague and didn't answer all my questions.
>>>
>>> I have a website widget that interacts heavily with Twitter. We use OAuth to authenticate our requests. To log out the users from our side we destroy the OAuth token. However, during the initial OAuth workflow Twitter places a cookie on the browser, so if the user logs out from our site but navigates to the Twitter site they are still logged in. Closing the browser solves this, as it appears the cookie is a session cookie. Calling the account/end_session.json end point does nothing for us because the call is server side, so the cookie doesn't get replaced.
>>>
>>> I am a little concerned about this behavior since the widget will be on a public site users can access from public computers. It is possible the users will log out of our widget but not close the browser window. At that point someone could navigate to Twitter and still be logged in with their account.
>>>
>>> So finally my questions are:
>>> 1. How do I reliably log users out of Twitter?
>>> 2. Is it really necessary for Twitter to send this cookie during the OAuth workflow? The API is stateless so the cookie is really unnecessary as far as using the APIs is concerned.
>>>
>>> Sorry for the lengthy post, responses are greatly appreciated!
>>>
>>> Cheers,
>>> Matei
Re: [twitter-dev] Re: Twitter logout - hate to open this can of worms again
On Fri, 3 Sep 2010 01:27:34 -0700 (PDT) Ken k...@cimas.ch wrote:

> I thought I had found a solution, albeit a horrendously ugly one: redirect them to http://twitter.com/logout, but even that doesn't work.
>
> If you are looking for reliable, don't log them in with OAuth - except once, the first time, when you store their token.

Indeed. If you already have the token, why would you make them log in?

If you get a new token every time they visit your 3rd party (consumer) site, you generate a lot of authorized tokens, ALL of which are valid for the rest of eternity, or until twitter decides that it should be possible to invalidate tokens.

Bernd
--
Bernd Stramm bernd.str...@gmail.com
Re: [twitter-dev] Re: Twitter logout - hate to open this can of worms again
You may not have noticed, but with Twitter, if you request a token while you already have one, you'll simply get back the one you already have.

Tom

On 9/3/10 6:47 PM, Bernd Stramm wrote:

> On Fri, 3 Sep 2010 01:27:34 -0700 (PDT) Ken k...@cimas.ch wrote:
>
>> I thought I had found a solution, albeit a horrendously ugly one: redirect them to http://twitter.com/logout, but even that doesn't work.
>>
>> If you are looking for reliable, don't log them in with OAuth - except once, the first time, when you store their token.
>
> Indeed. If you already have the token, why would you make them log in?
>
> If you get a new token every time they visit your 3rd party (consumer) site, you generate a lot of authorized tokens, ALL of which are valid for the rest of eternity, or until twitter decides that it should be possible to invalidate tokens.
>
> Bernd
Re: [twitter-dev] Re: Twitter logout - hate to open this can of worms again
If I don't want to manage an authentication system, risk storing passwords, or make users go through the pain of yet another registration flow, then I might consider just using Sign in with Twitter every time someone signs into my site.

Abraham
-
Abraham Williams | Hacker Advocate | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

On Fri, Sep 3, 2010 at 09:47, Bernd Stramm bernd.str...@gmail.com wrote:

> On Fri, 3 Sep 2010 01:27:34 -0700 (PDT) Ken k...@cimas.ch wrote:
>
>> I thought I had found a solution, albeit a horrendously ugly one: redirect them to http://twitter.com/logout, but even that doesn't work.
>>
>> If you are looking for reliable, don't log them in with OAuth - except once, the first time, when you store their token.
>
> Indeed. If you already have the token, why would you make them log in?
>
> If you get a new token every time they visit your 3rd party (consumer) site, you generate a lot of authorized tokens, ALL of which are valid for the rest of eternity, or until twitter decides that it should be possible to invalidate tokens.
>
> Bernd
> --
> Bernd Stramm bernd.str...@gmail.com
Re: [twitter-dev] Re: Twitter logout - hate to open this can of worms again
On Fri, 03 Sep 2010 18:55:30 +0200 Tom van der Woerdt i...@tvdw.eu wrote:

> You may not have noticed, but with Twitter, if you request a token while you already have one, you'll simply get back the one you already have.

I don't know if that is correct. The ones I looked at were all different, but that was some weeks ago.

> Tom
>
> On 9/3/10 6:47 PM, Bernd Stramm wrote:
>
>> On Fri, 3 Sep 2010 01:27:34 -0700 (PDT) Ken k...@cimas.ch wrote:
>>
>>> I thought I had found a solution, albeit a horrendously ugly one: redirect them to http://twitter.com/logout, but even that doesn't work.
>>>
>>> If you are looking for reliable, don't log them in with OAuth - except once, the first time, when you store their token.
>>
>> Indeed. If you already have the token, why would you make them log in?
>>
>> If you get a new token every time they visit your 3rd party (consumer) site, you generate a lot of authorized tokens, ALL of which are valid for the rest of eternity, or until twitter decides that it should be possible to invalidate tokens.
>>
>> Bernd

--
Bernd Stramm bernd.str...@gmail.com
[twitter-dev] Re: Twitter logout - hate to open this can of worms again
What is the risk of storing a token? It can't be used outside your app.

This is for sites that manage users. There's no need for a registration flow, at least one that is apparent to the user. For new users, send them to Twitter for a one-time OAuth roundtrip. Upon receipt of the token, create a user in your system, assign them a password and use it to log them in. Provide them this password, and/or let them change it. That's pretty pain-free account creation.

If you need to associate an existing logged-in user with their Twitter account, send them to Twitter for OAuth once. When they return they'll still be logged in and you'll have the credentials for future use.

On Sep 3, 6:57 pm, Abraham Williams 4bra...@gmail.com wrote:

> If I don't want to manage an authentication system, risk storing passwords, or make users go through the pain of yet another registration flow, then I might consider just using Sign in with Twitter every time someone signs into my site.
>
> Abraham
> -
> Abraham Williams | Hacker Advocate | http://abrah.am
> @abraham | http://projects.abrah.am | http://blog.abrah.am
> This email is: [ ] shareable [x] ask first [ ] private.
>
> On Fri, Sep 3, 2010 at 09:47, Bernd Stramm bernd.str...@gmail.com wrote:
>
>> On Fri, 3 Sep 2010 01:27:34 -0700 (PDT) Ken k...@cimas.ch wrote:
>>
>>> I thought I had found a solution, albeit a horrendously ugly one: redirect them to http://twitter.com/logout, but even that doesn't work.
>>>
>>> If you are looking for reliable, don't log them in with OAuth - except once, the first time, when you store their token.
>>
>> Indeed. If you already have the token, why would you make them log in?
>>
>> If you get a new token every time they visit your 3rd party (consumer) site, you generate a lot of authorized tokens, ALL of which are valid for the rest of eternity, or until twitter decides that it should be possible to invalidate tokens.
>>
>> Bernd
>> --
>> Bernd Stramm bernd.str...@gmail.com
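The design Ken describes above (one OAuth round trip, then a locally managed account that never sends the user back to Twitter), together with Abraham's point earlier in the thread that the user can revoke the token on Twitter's side, written out as a small consumer-side model. This is an added example for this thread, not code from Twitter or from any of the posters. It assumes a simulated provider (the FakeProvider class, constructed here), that a revoked token shows up as a 401 on the next API call (the thread does not say how Twitter signals revocation), and that the provider hands back the same token when the same user authorizes again (Tom's observation, modelled as an assumption). Local logout only drops the consumer's own session; it cannot touch Twitter's browser cookie, which is exactly the limitation Matei asked about.

```python
import hashlib
import hmac
import secrets


class FakeProvider:
    """Stand-in for the OAuth provider (constructed for this example).
    Tokens are derived from the user id, so re-authorizing returns the
    same token, and the user can revoke a token at any time."""

    def __init__(self):
        self.tokens = {}      # access token -> user id
        self.revoked = set()

    def exchange_verifier(self, user_id, verifier):
        """Simulate the last OAuth step: verifier -> (access token, token secret)."""
        token = "tok-" + hashlib.sha1(user_id.encode()).hexdigest()[:12]
        secret = "sec-" + hashlib.sha1((user_id + verifier).encode()).hexdigest()[:12]
        self.tokens[token] = user_id
        self.revoked.discard(token)   # a fresh authorization reinstates the token
        return token, secret

    def revoke(self, token):
        """What the user does on the provider's connections/settings page."""
        self.revoked.add(token)

    def verify_credentials(self, token):
        """HTTP-style status for a signed API call made with this token."""
        return 200 if token in self.tokens and token not in self.revoked else 401


def _hash_password(password, salt):
    """Salted PBKDF2 so the assigned password is never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Consumer:
    """The third-party site: stores the token once, runs its own sessions."""

    def __init__(self, provider):
        self.provider = provider
        self.users = {}     # user id -> {"token", "secret", "salt", "pw_hash"}
        self.sessions = {}  # local session id -> user id

    def oauth_callback(self, user_id, verifier):
        """One-time round trip: store the token, assign a password the user
        may change later, open a local session. Returns (session id, password)."""
        token, secret = self.provider.exchange_verifier(user_id, verifier)
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"token": token, "secret": secret,
                               "salt": salt, "pw_hash": _hash_password(password, salt)}
        return self._open_session(user_id), password

    def login_with_password(self, user_id, password):
        """Returning visitor: local login only, no trip to Twitter."""
        rec = self.users.get(user_id)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"])):
            return None
        return self._open_session(user_id)

    def logout(self, session_id):
        """Drops only our session. The stored token stays usable, and the
        provider's own browser cookie is untouched (the thread's limitation)."""
        self.sessions.pop(session_id, None)

    def call_api(self, session_id):
        """Use the stored token. A 401 is treated as 'user revoked us': forget
        the token and end the session so the next visit repeats OAuth."""
        user_id = self.sessions.get(session_id)
        if user_id is None:
            return "not logged in"
        rec = self.users[user_id]
        if rec["token"] is None:
            return "needs reauth"
        if self.provider.verify_credentials(rec["token"]) == 401:
            rec["token"] = rec["secret"] = None
            self.sessions.pop(session_id, None)
            return "needs reauth"
        return "ok"

    def _open_session(self, user_id):
        session_id = secrets.token_urlsafe(32)   # opaque, server-side session
        self.sessions[session_id] = user_id
        return session_id


if __name__ == "__main__":
    provider, site = FakeProvider(), Consumer(provider)
    sid, pw = site.oauth_callback("bob", "verifier-1")   # constructed user
    print(site.call_api(sid))                            # ok
    provider.revoke(site.users["bob"]["token"])
    print(site.call_api(sid))                            # needs reauth
```

The consumer never re-runs OAuth for a known user, which is what avoids piling up authorizations; the only events that send the user back to Twitter are a first visit and a revocation detected via the 401 path.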
Re: [twitter-dev] Re: Twitter logout - hate to open this can of worms again
On Fri, 3 Sep 2010 11:29:22 -0700 (PDT) Ken k...@cimas.ch wrote:

> What is the risk of storing a token? It can't be used outside your app.

The token being confined to use within an app is very insecure when the app runs on an end-user device. There soon will be a billion smart phones, and many of those will run twitter apps.

Then suppose user Alice finds out user Bob's token (perhaps by borrowing or stealing a phone), and publishes it. User Bob now has no way to retire the token, short of disabling the app that runs on millions of phones. Or Bob can get a new twitter user name.

That's not what is normally called security. OAuth as currently done with twitter only works when the app runs on a small number of secure servers.

--
Bernd Stramm bernd.str...@gmail.com
[twitter-dev] Re: Twitter logout - hate to open this can of worms again
Bernd, totally. In answer to the OP, I was referring to the traditional server-based app. These may one day constitute a numeric minority of apps, but will probably remain an important use case for some time to come.

Really, all bets are off when you talk about stealing of the device. When there is a risk of theft, a device (phone, car etc) needs to be disabled, turned off etc. Publishing Bob's token, credit card details or other compromising information by that criminal Alice would be bad for Bob, I'll grant you that.

On Sep 3, 8:43 pm, Bernd Stramm bernd.str...@gmail.com wrote:

> On Fri, 3 Sep 2010 11:29:22 -0700 (PDT) Ken k...@cimas.ch wrote:
>
>> What is the risk of storing a token? It can't be used outside your app.
>
> The token being confined to use within an app is very insecure when the app runs on an end-user device. There soon will be a billion smart phones, and many of those will run twitter apps.
>
> Then suppose user Alice finds out user Bob's token (perhaps by borrowing or stealing a phone), and publishes it. User Bob now has no way to retire the token, short of disabling the app that runs on millions of phones. Or Bob can get a new twitter user name.
>
> That's not what is normally called security. OAuth as currently done with twitter only works when the app runs on a small number of secure servers.
>
> --
> Bernd Stramm bernd.str...@gmail.com
[twitter-dev] Re: Twitter logout - hate to open this can of worms again
bump?

On Sep 1, 10:45 am, Matei mad.doroba...@gmail.com wrote:

> Hi everyone,
>
> I am compelled to ask because the search turned out a few posts that were somewhat vague and didn't answer all my questions.
>
> I have a website widget that interacts heavily with Twitter. We use OAuth to authenticate our requests. To log out the users from our side we destroy the OAuth token. However, during the initial OAuth workflow Twitter places a cookie on the browser, so if the user logs out from our site but navigates to the Twitter site they are still logged in. Closing the browser solves this, as it appears the cookie is a session cookie. Calling the account/end_session.json end point does nothing for us because the call is server side, so the cookie doesn't get replaced.
>
> I am a little concerned about this behavior since the widget will be on a public site users can access from public computers. It is possible the users will log out of our widget but not close the browser window. At that point someone could navigate to Twitter and still be logged in with their account.
>
> So finally my questions are:
> 1. How do I reliably log users out of Twitter?
> 2. Is it really necessary for Twitter to send this cookie during the OAuth workflow? The API is stateless so the cookie is really unnecessary as far as using the APIs is concerned.
>
> Sorry for the lengthy post, responses are greatly appreciated!
>
> Cheers,
> Matei
Re: [twitter-dev] Re: Twitter logout - hate to open this can of worms again
There is no pragmatic way to sign a user out of twitter.com through the API. When a user logs out of your site send them to twitter.com so they can sign out there, or to a page explaining they should sign out of twitter.com.

Abraham
-
Abraham Williams | Hacker Advocate | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

On Thu, Sep 2, 2010 at 10:43, Matei mad.doroba...@gmail.com wrote:

> bump?
>
> On Sep 1, 10:45 am, Matei mad.doroba...@gmail.com wrote:
>
>> Hi everyone,
>>
>> I am compelled to ask because the search turned out a few posts that were somewhat vague and didn't answer all my questions.
>>
>> I have a website widget that interacts heavily with Twitter. We use OAuth to authenticate our requests. To log out the users from our side we destroy the OAuth token. However, during the initial OAuth workflow Twitter places a cookie on the browser, so if the user logs out from our site but navigates to the Twitter site they are still logged in. Closing the browser solves this, as it appears the cookie is a session cookie. Calling the account/end_session.json end point does nothing for us because the call is server side, so the cookie doesn't get replaced.
>>
>> I am a little concerned about this behavior since the widget will be on a public site users can access from public computers. It is possible the users will log out of our widget but not close the browser window. At that point someone could navigate to Twitter and still be logged in with their account.
>>
>> So finally my questions are:
>> 1. How do I reliably log users out of Twitter?
>> 2. Is it really necessary for Twitter to send this cookie during the OAuth workflow? The API is stateless so the cookie is really unnecessary as far as using the APIs is concerned.
>>
>> Sorry for the lengthy post, responses are greatly appreciated!
>>
>> Cheers,
>> Matei
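Matei's original question, quoted above, rests on the observation that the API is stateless: each call carries its own authentication, so the twitter.com cookie set during the browser-side authorization step plays no part in API requests. The block below shows what that per-request authentication looks like under OAuth 1.0a with HMAC-SHA1 (RFC 5849), with the signing side and the provider's verification side next to each other. It is an added example for this thread, not code from Twitter or from any poster; the endpoint URL and the four credential strings are constructed, and the 300-second timestamp window is an assumed server policy.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote


def pct(value):
    """Percent-encode per RFC 5849 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' pass."""
    return quote(str(value), safe="~")


def normalize_params(params):
    """Encode each key and value, sort by key then value, join with '=' and '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method, base_url, params):
    """Signature base string: METHOD & enc(url) & enc(normalized params)."""
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(params))])


def sign(method, base_url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, base_url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def oauth_params(consumer_key, token, nonce=None, timestamp=None):
    """The oauth_* protocol parameters that travel with every signed request."""
    return [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(16)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
        ("oauth_token", token),
        ("oauth_version", "1.0"),
    ]


def authorization_header(method, base_url, query, creds, nonce=None, timestamp=None):
    """Client side: build the Authorization header for one request.
    creds is (consumer_key, consumer_secret, token, token_secret)."""
    consumer_key, consumer_secret, token, token_secret = creds
    protocol = oauth_params(consumer_key, token, nonce, timestamp)
    signature = sign(method, base_url, list(query) + protocol, consumer_secret, token_secret)
    protocol.append(("oauth_signature", signature))
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in protocol)


def parse_header(header):
    """Inverse of the header builder: 'OAuth k="v", k2="v2"' -> dict."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    fields = {}
    for part in header[len("OAuth "):].split(", "):
        key, _, value = part.partition("=")
        fields[unquote(key)] = unquote(value.strip('"'))
    return fields


def verify(method, base_url, query, header, consumer_secret, token_secret,
           now=None, window=300):
    """Provider side: recompute the signature from the request itself and
    compare in constant time. No cookie is consulted. A real server would
    also reject a nonce it has already seen inside the window."""
    fields = parse_header(header)
    presented = fields.pop("oauth_signature", None)
    if presented is None or fields.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if now is not None and abs(now - int(fields.get("oauth_timestamp", "0"))) > window:
        return False
    expected = sign(method, base_url, list(query) + list(fields.items()),
                    consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    creds = ("ck", "cs", "tk", "ts")   # constructed credentials, not real ones
    url = "https://api.example.com/1/account/verify_credentials.json"
    query = [("include_entities", "true")]
    header = authorization_header("GET", url, query, creds)
    print(header)
    print(verify("GET", url, query, header, "cs", "ts"))
```

Destroying the stored token on the consumer side therefore stops the consumer from making further signed calls, but it says nothing to Twitter, and it does not clear the cookie that the authorization page left in the user's browser.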