How can a Twitter API App developer tell if a user has revoked access to their app? - twitter

I'm using V2 of the Twitter API using OAuth 2.0 Authorization Code Flow with PKCE and I can't seem to find an endpoint for determining if a user has revoked access to our app or not (i.e. if they revoked access from their Twitter account by going to Settings --> Security and account access --> Apps and sessions --> Connected Apps --> App --> "Revoke app permissions")
I did a test with a dummy account and signed into our app, recorded the user access token, revoked access to our app from inside the dummy account and then sent a request to the https://api.twitter.com/2/users/me endpoint with the invalidated user access token and received this response:
{'title': 'Unauthorized',
'type': 'about:blank',
'status': 401,
'detail': 'Unauthorized'}
Is this response sufficient to show that the user has logged out of our app? Is there a V2 endpoint that shows the status of users logged into our app?
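One way to act on the 401 shown above, as an added example that is not code from the question or from Twitter: the /2/users/me probe alone only says the stored token no longer works, and (assuming, as is usual for OAuth 2.0, that user access tokens also expire on their own) it cannot by itself distinguish an expired token from one the user revoked, so the function below tries the refresh token first and treats the user as disconnected only when that is rejected too. The refresh request shape (client_id in the form body) assumes a public PKCE client; the transport is injectable so the logic can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

USERS_ME = "https://api.twitter.com/2/users/me"
TOKEN_URL = "https://api.twitter.com/2/oauth2/token"


def http_call(url, headers, data=None):
    """Default transport: return (status, JSON body); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers=headers, data=data)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.load(err)
        except ValueError:
            return err.code, {}


def classify_users_me(status, body):
    """Map a /2/users/me response to a token state ('Unauthorized' body from the question -> 401)."""
    if status == 200 and "data" in body:
        return "active"
    if status == 401:
        return "unauthorized"
    if status == 429:
        return "rate_limited"
    return "error"


def token_status(access_token, refresh_token, client_id, transport=http_call):
    """Return (state, new_tokens); state is 'active', 'refreshed', 'disconnected', 'rate_limited' or 'error'.
    new_tokens is the token endpoint body on a successful refresh, otherwise None."""
    state = classify_users_me(*transport(USERS_ME, {"Authorization": "Bearer " + access_token}))
    if state != "unauthorized":
        return state, None
    if not refresh_token:
        return "disconnected", None  # nothing to retry with: user must sign in again
    form = urllib.parse.urlencode({"grant_type": "refresh_token",
                                   "refresh_token": refresh_token,
                                   "client_id": client_id}).encode()
    status, body = transport(TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status == 200 and "access_token" in body:
        return "refreshed", body  # caller persists the new access/refresh token pair
    if status in (400, 401):
        return "disconnected", None  # refresh rejected as well: treat as revoked, re-run the PKCE flow
    return "error", None
```

Record a "disconnected" result against the user and drop the stored tokens; a transient "error" or "rate_limited" result should be retried later rather than counted as a revocation.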

Related

Getting USER_PERMISSION_DENIED in google ads api when trying to fetch client info of which allowed access in authentication

I am trying to fetch client account info using MCC ad account. I prompted user for authentication to my app. After successful authentication, I used the client id and token to fetch the detail.

Problem in Fetching the bearer token in twitter

My application needs to log in to each user and generate the bearer token for each of them. By using the bearer token I can fetch the result using Twitter API v2. Can anyone please help me with how to do that?
The bearer token is specific to your application, NOT to the user. Bearer token / app only authentication is JUST for the app, not for the user. The first time you create the app on the Twitter developer portal, you get the bearer token which you should save in your password manager.
The account token - when a user is logged in to your app - is different. If you need this, you can also generate it on the developer portal FOR YOUR ACCOUNT ONLY, or you can make your app implement sign-in with Twitter via OAuth 1.0A. These tokens will enable your app to operate for a user and post new Tweets, like Tweets, create lists, etc.

Why am I getting an expired token when login Twitter app?

I am building an application that will let users log in using the Twitter app. The Twitter app got approved and I managed to generate the KEY / SECRET pair details, as shown in the following screenshot:
When I try to open the link set in my application to access that Twitter app, I get to Twitter and fill in my credentials. And I am redirected back as expected with a valid token.
The only problem is that the token is expired, with an expiration time set to "Mon Jan 1 0001".
NOTE:
The app is a backend app using GoLang, with "github.com/markbates/goth" for authentication (I only use API Key and API Key Secret and no Access token and Access Secret)
I am using "http://localhost:8000/v1/auth/twitter/callback" as the callback URL in Twitter app settings

Azure AD / Microsoft Graph Tokens - What to use for a multi-client app

I need to be able to monitor a user's Hotmail or Outlook account in the offline mode via a backend. But the user can sign up and authorize the account access either from a web app e.g. Laravel or Lumen or from a Cordova mobile app or another SPA interface such as Angular. Basically, the app is configured on https://apps.dev.microsoft.com for an implicit flow.
Since the app requires backend offline processing, let's say a few times a day, I will need a refresh token to renew the access_token. There are two ways to get consent from the Azure AD.
authorize = id_token + token (But the limitation is that id_token is only client specific). This approach is more suitable for fetching the emails when client is running and user is online.
authorize = code and then generate access_token and refresh_token.
Question - would option 2 work for both hotmail/outlook.com and O365? If the access and refresh tokens are generated by the client, would they work for both online and offline access of a user's account and email?
Of course you can. But if you want to receive a refresh token in the token response, your app must request and be granted the offline_access scope.
The offline_access scope gives your app access to resources on behalf of the user for an extended time. On the work account consent page, this scope appears as the "Access your data anytime" permission. On the personal Microsoft account consent page, it appears as the "Access your info anytime" permission. When a user approves the offline_access scope, your app can receive refresh tokens from the v2.0 token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.
REQUEST EXAMPLE:
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345
Actually, if you use the code grant flow to sign in to AAD, you will see this page:
If you click Yes, you will consent to the offline_access scope. NOTE: This works for both MSA and AAD accounts.
You can see more details about the offline_access scope in this documentation.

Twitter API Login not redirecting approved users seamlessly

I've implemented sign in with Twitter such that users can log in and I store users' credentials. However, on their tutorial page it says:
Signed in and approved: If the user is signed in on twitter.com and has already approved the calling application, they will be immediately authenticated and returned to the callback URL with a valid OAuth request token. The redirect to twitter.com is not obvious to the user.
In the diagram, my app never redirects transparently, it always asks users to grant access:
Is there something I have to do to make my app redirect transparently? My website is over https if that has anything to do with it.
Change the endpoint to http://twitter.com/oauth/authenticate instead of http://twitter.com/oauth/authorize