Destroy session is what people are asking for.

There's no way to handle this from our side at the moment. When a user
leaves our site, they generally log out first, but we can't log
them out from Twitter if they logged in that way. (After initially
creating an account with us through Twitter OAuth, they have the
option of logging in directly to our site without logging in to
Twitter.)

Per Twitter app guidelines, we never perform any API action that is
not directly, immediately requested by a user, so that's not the
problem.

The problems I see are:

1.) It's weird that we can log them in but we can't log them out. OK,
we get them to log themselves in, but they can't be expected to
understand that, and
2.) If we don't make sure they know they are still logged in - to
Twitter, not us - then something bad might happen to them. And whose
fault would that be?

On Aug 19, 6:33 pm, Dave Ingram <d...@dmi.me.uk> wrote:
> On 08/19/10 17:16, Ken wrote:
> > Taylor, I don't need this as much as some other developers but I think
> > I understand why they keep asking for this.
>
> > Sure, our app is not "logged in". But many apps make the user log in
> > to Twitter in order to use the app. Then, when the user is done with
> > the app, they can't just logout and leave, we have to tell them to go
> > to Twitter.com and logout. This is embarrassing (unprofessional) and
> > potentially risky. If they don't understand that they are still logged
> > in with Twitter, they may make some mistake, such as tweeting from the
> > wrong account, and there could be privacy/security concerns about
> > subsequent actions a user may perform while unknowingly logged in to
> > Twitter.
>
> So one way to handle this from your side would be to just forget the
> user's OAuth tokens. Your app will still appear "authorized" to the user
> in the connections screen, which would be confusing, but your
> application wouldn't be able to perform any operations on their behalf.
> It might be useful to have a "destroy credentials" endpoint though, to
> remove your app from the connections screen.
>
> D
>
> > On Aug 19, 4:20 pm, Taylor Singletary <taylorsinglet...@twitter.com>
> > wrote:
> >> The REST API is (mostly) stateless. There is no "logged in" to "log out."
>
> >> Are you wanting to ensure that the user has to enter their credentials in
> >> again when presented with the OAuth flow? If not, what would you be
> >> interested in doing this for?
>
> >> Taylor
>
> >> On Thu, Aug 19, 2010 at 6:50 AM, JTOne <jthot...@gmail.com> wrote:
> >>> How can I log out using OAuth or the REST API of Twitter?
>
>
