@andy: oauth/authenticate is not signed other than with SSL. You are just
passing the request token to Twitter.

@aaron: authenticate and authorize both result in access tokens that allow
you to act on behalf of the user. The first time a user goes through
authenticate they authorize the application.


On Tue, Dec 29, 2009 at 14:16, Aaron Rankin <aran...@gmail.com> wrote:

> Does authenticate actually "authorize" the app to perform operations
> on behalf of the user? My understanding is the user must first
> "authorize" the app and then the app can send them through
> "authenticate" in the future as a login check. If the user never
> approves the app in an "authorize" operation, I don't think the app
> has the right to perform any twitter operations on behalf of the user.
>
> On Dec 29, 1:44 pm, Andy Freeman <ana...@earthlink.net> wrote:
> > > Nice => https://twitter.com/oauth/authenticate?force_login=true?{signed
> > > args} this stuff is working very well for me;) Thank you for your
> > > hint.
> >
> > While that "works", I think that it shouldn't.
> >
> > (1) I don't think that it's a legal url because it has two '?'s.
> > (2) force_login=true isn't part of the signed arguments so it should
> > be rejected.  (The whole point of signing is to block man-in-the-
> > middle attacks that alter arguments.)
> >
> > I haven't tried including force_login=true in the signed arguments.
> > Are you saying that it doesn't work?  If so, I'd say that that's a
> > bug, as is the above.
> >
> > Thanks,
> > -andy
> >
> > On Dec 28, 9:41 pm, el moro <axel.sachm...@googlemail.com> wrote:
> >
> > > Nice => https://twitter.com/oauth/authenticate?force_login=true?{signed
> > > args} this stuff is working very well for me;) Thank you for your
> > > hint.
> >
> > > Axel
> >
> > > On 29 Dec., 03:21, Andy Freeman <ana...@earthlink.net> wrote:
> >
> > > > > The difference (to my understanding) is that Authenticate does not
> > > > > authorize the app.
> >
> > > > Huh?
> >
> > > > Whether I use authorize or authenticate, my app can tweet etc on the
> > > > user's behalf.
> >
> > > > > What, exactly, do you think that authenticate and authorize do?  I
> > > > > think that both can give my application a token that I can use to take
> > > > > actions on the user's behalf.  I think that both do some sort of login
> > > > > or check before doing so.
> >
> > > > > The difference that I see is in how twitter presents its questions
> > > > > regarding the account that is allowing my application to do its thing.
> >
> > > > > That, and the bit that authenticate leaves folks logged in to twitter.
> >
> > > > On Dec 28, 5:27 pm, Justyn <justyn.how...@gmail.com> wrote:
> >
> > > > > > The difference (to my understanding) is that Authenticate does not
> > > > > > authorize the app. We need to have the app authorized but want to give
> > > > > > the user the chance to choose which account to login with (and
> > > > > > Authorize).
> >
> > > > > > Ideally, twitter state would not be affected, and user could authorize
> > > > > > an app with desired account (regardless of session) without clicking
> > > > > > "sign out".
> >
> > > > > Justyn
> >
> > > > > On Dec 28, 5:36 pm, Abraham Williams <4bra...@gmail.com> wrote:
> >
> > > > > > That is true. Authenticate currently leaves the user logged in.
> >
> > > > > > > I would prefer that get fixed rather than adding force_login to authorize as
> > > > > > > I view leaving users logged in as a security risk. Apparently Twitter does
> > > > > > > not:
> >
> > > > > > > http://code.google.com/p/twitter-api/issues/detail?id=1070
> >
> > > > > > > On Mon, Dec 28, 2009 at 17:13, Andy Freeman <ana...@earthlink.net> wrote:
> > > > > > > > > Then use authenticate. It accomplishes the same effect of authorize.
> >
> > > > > > > > Does it?  My notes say that authenticate leaves the user logged into
> > > > > > > > twitter if they weren't before and that authorize doesn't.
> >
> > > > > > > > For my purposes, I'd like to force the user to specify their twitter
> > > > > > > > account and password even if they're already logged in and not change
> > > > > > > > their login state (as far as twitter is concerned) at all.
> >
> > > > > > > > I can imagine folks who'd like to allow users to quickly authorize the
> > > > > > > > use of the logged in account (if any)
> >
> > > > > > > > I can't imagine anyone who'd want to change the user's logged in
> > > > > > > > state.
> >
> > > > > > > > On Dec 27, 6:08 pm, Abraham Williams <4bra...@gmail.com> wrote:
> > > > > > > > > Then use authenticate. It accomplishes the same effect of authorize.
> >
> > > > > > > > > On Sun, Dec 27, 2009 at 17:42, Justyn <justyn.how...@gmail.com> wrote:
> > > > > > > > > > Thanks Abraham - I understand this is the current limitation, however
> > > > > > > > > > I think there is a need for the force_login to be available with the
> > > > > > > > > > authorize function. The authorize landing page is confusing to users
> > > > > > > > > > who want to sign-in with an account that is different from their
> > > > > > > > > > latest session. The "sign-out" option is not obvious to users. This is
> > > > > > > > > > based on user feedback, and I don't think we're the only ones having
> > > > > > > > > > this issue.
> >
> > > > > > > > > > On Dec 27, 3:39 pm, Abraham Williams <4bra...@gmail.com> wrote:
> > > > > > > > > > > force_login=true only works on https://twitter.com/oauth/authenticate
> > > > > > > > > > > not on https://twitter.com/oauth/authorize.
> >
> > > > > > > > > > > On Sat, Dec 26, 2009 at 23:23, el moro <axel.sachm...@googlemail.com> wrote:
> > > > > > > > > > > > Hi, i'd like to use force_login too in my new Rails application. This
> > > > > > > > > > > > parameter seems to be buggy. For me it's not working too.
> >
> > > > > > > > > > > > On 24 Dec., 05:18, Justyn <justyn.how...@gmail.com> wrote:
> > > > > > > > > > > > > Hi guys - just wanted to make sure this stayed on the radar. I imagine
> > > > > > > > > > > > > others would like to use force_login for the Authorize function?
> >
> > > > > > > > > > > > > On Dec 22, 4:46 pm, Justyn <justyn.how...@gmail.com> wrote:
> >
> > > > > > > > > > > > > > We've found it necessary to use the force_login method for Authorize
> > > > > > > > > > > > > > because of the confusion many users have with the splash page shown on
> > > > > > > > > > > > > > Authorize (many times they want to authorize a different account than
> > > > > > > > > > > > > > their latest session), however Authorize does not support force_login.
> >
> > > > > > > > > > > > > > Is there a way around this, or can we get a version of authorize that
> > > > > > > > > > > > > > bypasses the "sign-out" link to get the full credential input for our
> > > > > > > > > > > > > > users?
> >
> > > > > > > > > > > > > Many users have trouble with this.
> >
> > > > > > > > > > > > > Thanks in advance!
> >
> > > > > > > > > > > > > Justyn
> >
> > > > > > > > > > --
> > > > > > > > > > Abraham Williams | Awesome Lists |http://awesomeli.st
> > > > > > > > > > Project | Intersect |
> http://intersect.labs.poseurtech.com
> > > > > > > > > > Hacker |http://abrah.am|http://twitter.com/abraham
> > > > > > > > > > This email is: [ ] shareable [x] ask first [ ] private.
> > > > > > > > > > Sent from Madison, WI, United States
> >
> > > > > > > > --
> > > > > > > > > Abraham Williams | Awesome Lists | http://awesomeli.st
> > > > > > > > > Project | Intersect | http://intersect.labs.poseurtech.com
> > > > > > > > > Hacker | http://abrah.am | http://twitter.com/abraham
> > > > > > > > This email is: [ ] shareable [x] ask first [ ] private.
> > > > > > > > > Sent from Madison, WI, United States
> >
> > > > > > --
> > > > > > > Abraham Williams | Awesome Lists | http://awesomeli.st
> > > > > > > Project | Intersect | http://intersect.labs.poseurtech.com
> > > > > > > Hacker | http://abrah.am | http://twitter.com/abraham
> > > > > > This email is: [ ] shareable [x] ask first [ ] private.
> > > > > > > Sent from Madison, WI, United States
>



-- 
Abraham Williams | Awesome Lists | http://awesomeli.st
Project | Intersect | http://intersect.labs.poseurtech.com
Hacker | http://abrah.am | http://twitter.com/abraham
This email is: [ ] shareable [x] ask first [ ] private.
Sent from Madison, WI, United States
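
Added example, not part of any message in this thread: it shows how a standard URL parser reads the two-'?' authenticate URL quoted above compared with a well-formed one, and why, for a request that is OAuth 1.0 signed, a parameter added after signing no longer matches the signature. The token value, the signed endpoint api.example.com, the keys and the helper names are constructed assumptions, and the "{signed args}" placeholder from the thread is modelled here as a single oauth_token parameter.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

AUTHENTICATE = "https://twitter.com/oauth/authenticate"  # URL from the thread

def query_params(url):
    """Parse the query as a standard URL parser does: split at the first '?'."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def authenticate_url(request_token, force_login=False):
    """Build the redirect with a single '?' and '&'-separated parameters."""
    params = {"oauth_token": request_token}
    if force_login:
        params["force_login"] = "true"
    return AUTHENTICATE + "?" + urlencode(params)

def pct(value):
    """OAuth 1.0 percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the method, base URL and every request parameter."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample values; none of these are real credentials or endpoints.
TOKEN = "REQUEST_TOKEN_PLACEHOLDER"
MALFORMED = f"{AUTHENTICATE}?force_login=true?oauth_token={TOKEN}"
WELLFORMED = authenticate_url(TOKEN, force_login=True)
SIGNED_URL = "https://api.example.com/resource"  # hypothetical signed endpoint
SIGNED_PARAMS = {"oauth_consumer_key": "ck", "oauth_nonce": "n1",
                 "oauth_signature_method": "HMAC-SHA1",
                 "oauth_timestamp": "1262100000", "oauth_token": TOKEN,
                 "oauth_version": "1.0"}

def tamper_changes_signature():
    """Adding force_login after signing yields a different expected signature."""
    original = hmac_sha1_signature("GET", SIGNED_URL, SIGNED_PARAMS, "cs", "ts")
    altered = dict(SIGNED_PARAMS, force_login="true")
    return original != hmac_sha1_signature("GET", SIGNED_URL, altered, "cs", "ts")

if __name__ == "__main__":
    print(query_params(MALFORMED))   # the second '?' ends up inside the value
    print(query_params(WELLFORMED))
    print(tamper_changes_signature())
```

A server that accepts the two-'?' form is parsing the query leniently; a strict parser sees only one parameter, force_login, whose value contains the rest of the string.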
