Does authenticate actually "authorize" the app to perform operations
on behalf of the user? My understanding is the user must first
"authorize" the app and then the app can send them through
"authenticate" in the future as a login check. If the user never
approves the app in an "authorize" operation, I don't think the app
has the right to perform any twitter operations on behalf of the user.

On Dec 29, 1:44 pm, Andy Freeman <ana...@earthlink.net> wrote:
> > Nice => https://twitter.com/oauth/authenticate?force_login=true?{signed
> > args} this stuff is working very well for me;) Thank you for your
> > hint.
>
> While that "works", I think that it shouldn't.
>
> (1) I don't think that it's a legal url because it has two '?'s.
> (2) force_login=true isn't part of the signed arguments so it should
> be rejected.  (The whole point of signing is to block man-in-the-
> middle attacks that alter arguments.)
>
> I haven't tried including force_login=true in the signed arguments.
> Are you saying that it doesn't work?  If so, I'd say that that's a
> bug, as is the above.
>
> Thanks,
> -andy
>
> On Dec 28, 9:41 pm, el moro <axel.sachm...@googlemail.com> wrote:
>
> > Nice => https://twitter.com/oauth/authenticate?force_login=true?{signed
> > args} this stuff is working very well for me;) Thank you for your
> > hint.
>
> > Axel
>
> > On 29 Dec., 03:21, Andy Freeman <ana...@earthlink.net> wrote:
>
> > > > The difference (to my understanding) is that Authenticate does not
> > > > authorize the app.
>
> > > Huh?
>
> > > Whether I use authorize or authenticate, my app can tweet etc on the
> > > user's behalf.
>
> > > What, exactly, do you think that authenticate and authorize do?  I
> > > think that both can give my application a token that I can use to take
> > > actions on the user's behalf.  I think that both do some sort of login
> > > or check before doing so.
>
> > > The difference that I see is in how twitter presents its questions
> > > regarding the account that is allowing my application to do its thing.
>
> > > That, and the bit that authenticate leaves folks logged in to twitter.
>
> > > On Dec 28, 5:27 pm, Justyn <justyn.how...@gmail.com> wrote:
>
> > > > The difference (to my understanding) is that Authenticate does not
> > > > authorize the app. We need to have the app authorized but want to give
> > > > the user the chance to choose which account to login with (and
> > > > Authorize).
>
> > > > Ideally, twitter state would not be affected, and user could authorize
> > > > an app with desired account (regardless of session) without clicking
> > > > "sign out".
>
> > > > Justyn
>
> > > > On Dec 28, 5:36 pm, Abraham Williams <4bra...@gmail.com> wrote:
>
> > > > > That is true. Authenticate currently leaves the user logged in.
>
> > > > > > I would prefer that get fixed rather than adding force_login to
> > > > > > authorize as I view leaving users logged in as a security risk.
> > > > > > Apparently Twitter does not:
>
> > > > > > http://code.google.com/p/twitter-api/issues/detail?id=1070
>
> > > > > > On Mon, Dec 28, 2009 at 17:13, Andy Freeman <ana...@earthlink.net> wrote:
> > > > > > > > Then use authenticate. It accomplishes the same effect of authorize.
>
> > > > > > Does it?  My notes say that authenticate leaves the user logged into
> > > > > > twitter if they weren't before and that authorize doesn't.
>
> > > > > > > For my purposes, I'd like to force the user to specify their twitter
> > > > > > > account and password even if they're already logged in and not change
> > > > > > > their login state (as far as twitter is concerned) at all.
>
> > > > > > > I can imagine folks who'd like to allow users to quickly authorize the
> > > > > > > use of the logged in account (if any)
>
> > > > > > I can't imagine anyone who'd want to change the user's logged in
> > > > > > state.
>
> > > > > > > On Dec 27, 6:08 pm, Abraham Williams <4bra...@gmail.com> wrote:
> > > > > > > > Then use authenticate. It accomplishes the same effect of authorize.
>
> > > > > > > > On Sun, Dec 27, 2009 at 17:42, Justyn <justyn.how...@gmail.com> wrote:
> > > > > > > > > Thanks Abraham - I understand this is the current limitation, however
> > > > > > > > > I think there is a need for the force_login to be available with the
> > > > > > > > > authorize function. The authorize landing page is confusing to users
> > > > > > > > > who want to sign-in with an account that is different from their
> > > > > > > > > latest session. The "sign-out" option is not obvious to users. This is
> > > > > > > > > based on user feedback, and I don't think we're the only ones having
> > > > > > > > > this issue.
>
> > > > > > > > > On Dec 27, 3:39 pm, Abraham Williams <4bra...@gmail.com> wrote:
> > > > > > > > > > force_login=true only works on https://twitter.com/oauth/authenticate not
> > > > > > > > > > on https://twitter.com/oauth/authorize.
>
> > > > > > > > > > On Sat, Dec 26, 2009 at 23:23, el moro <axel.sachm...@googlemail.com> wrote:
> > > > > > > > > > > Hi, I'd like to use force_login too in my new Rails application. This
> > > > > > > > > > > parameter seems to be buggy. For me it's not working too.
>
> > > > > > > > > > > On 24 Dec., 05:18, Justyn <justyn.how...@gmail.com> wrote:
> > > > > > > > > > > > Hi guys - just wanted to make sure this stayed on the radar. I imagine
> > > > > > > > > > > > others would like to use force_login for the Authorize function?
>
> > > > > > > > > > > > On Dec 22, 4:46 pm, Justyn <justyn.how...@gmail.com> wrote:
>
> > > > > > > > > > > > > We've found it necessary to use the force_login method for Authorize
> > > > > > > > > > > > > because of the confusion many users have with the splash page shown on
> > > > > > > > > > > > > Authorize (many times they want to authorize a different account than
> > > > > > > > > > > > > their latest session), however Authorize does not support force_login.
>
> > > > > > > > > > > > > Is there a way around this, or can we get a version of authorize that
> > > > > > > > > > > > > bypasses the "sign-out" link to get the full credential input for our
> > > > > > > > > > > > > users?
>
> > > > > > > > > > > > Many users have trouble with this.
>
> > > > > > > > > > > > Thanks in advance!
>
> > > > > > > > > > > > Justyn
>
> > > > > > > > > --
> > > > > > > > > > Abraham Williams | Awesome Lists | http://awesomeli.st
> > > > > > > > > > Project | Intersect | http://intersect.labs.poseurtech.com
> > > > > > > > > > Hacker | http://abrah.am | http://twitter.com/abraham
> > > > > > > > > This email is: [ ] shareable [x] ask first [ ] private.
> > > > > > > > > Sent from Madison, WI, United States
>
> > > > > > > --
> > > > > > > Abraham Williams | Awesome Lists |http://awesomeli.st
> > > > > > > Project | Intersect |http://intersect.labs.poseurtech.com
> > > > > > > Hacker |http://abrah.am|http://twitter.com/abraham
> > > > > > > This email is: [ ] shareable [x] ask first [ ] private.
> > > > > > > Sent from Madison, WI, United States- Hide quoted text -
>
> > > > > > > - Show quoted text -
>
> > > > > --
> > > > > Abraham Williams | Awesome Lists |http://awesomeli.st
> > > > > Project | Intersect |http://intersect.labs.poseurtech.com
> > > > > Hacker |http://abrah.am|http://twitter.com/abraham
> > > > > This email is: [ ] shareable [x] ask first [ ] private.
> > > > > Sent from Madison, WI, United States- Hide quoted text -
>
> > > > - Show quoted text -- Hide quoted text -
>
> > - Show quoted text -
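
Added example, not part of the original thread and not Twitter's code: a generic OAuth 1.0 (RFC 5849) HMAC-SHA1 signer and verifier illustrating the point raised above, that a parameter outside the signed set changes the signature base string and should cause rejection. The secrets, token, nonce and timestamp are constructed, and it is an assumption that the endpoint verifies a signature over every received query parameter.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values, not real credentials.
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"
ENDPOINT = "https://twitter.com/oauth/authenticate"

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def sign(method, base_url, params):
    """HMAC-SHA1 over method, URL and every parameter except oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(base_url), pct(normalized)])
    key = f"{pct(CONSUMER_SECRET)}&{pct(TOKEN_SECRET)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def build_url(params):
    """Client side: sign the parameters, then append oauth_signature."""
    signed = list(params) + [("oauth_signature", sign("GET", ENDPOINT, params))]
    return ENDPOINT + "?" + "&".join(f"{pct(k)}={pct(v)}" for k, v in signed)

def received_params(url):
    """What a standard parser sees in the query string."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def verify(url):
    """Server side (assumed behaviour): recompute over all received parameters."""
    parts = urlsplit(url)
    params = received_params(url)
    claimed = dict(params).get("oauth_signature", "")
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return hmac.compare_digest(claimed, sign("GET", base_url, params))

BASE = [("oauth_consumer_key", "example-key"), ("oauth_token", "example-token"),
        ("oauth_nonce", "n0nce"), ("oauth_timestamp", "1262100000"),
        ("oauth_signature_method", "HMAC-SHA1")]

signed_with_flag = build_url(BASE + [("force_login", "true")])   # flag is signed
flag_added_later = build_url(BASE) + "&force_login=true"         # flag is not signed
two_question_marks = ENDPOINT + "?force_login=true?" + build_url(BASE).split("?", 1)[1]

if __name__ == "__main__":
    for name in ("signed_with_flag", "flag_added_later", "two_question_marks"):
        print(name, verify(globals()[name]))
```

In the two-`?` form, a standard parser folds the second `?` and the first signed parameter into the value of `force_login`, so a verifier that recomputes the signature over what it received no longer sees `oauth_consumer_key`.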
