I created an app on one twitter account. I would like to authorise that same app on a different account.
FAQ on how to authorise apps says On the website of the application you want to connect, find the button/link asking you to connect your Twitter account. But I haven't built said site/page.
How can I auth this app on the second account?
You have to use the OAuth Authentication Flow process.
To do so, you first need to request an authentication link from your Consumer Key and Consumer Secret using https://api.twitter.com/oauth/request_token (doc : https://dev.twitter.com/oauth/reference/post/oauth/request_token).
When you receive a callback or a code, you can use them to execute a second query that is https://api.twitter.com/oauth/access_token as described at https://dev.twitter.com/oauth/reference/post/oauth/access_token. You will want to use the oauth_verifier parameter.
Remember that authentication in Twitter is not an easy process and you should read more about it on Twitter (https://dev.twitter.com/oauth/3-legged) or use a library that will do that for you.
Related
I am about to embark on adding a 'post to Twitter' feature on a web application.
It appears 3-legged OAuth is the only option for this. The developer documentation states however that "The user will always be prompted to authorize access to your application, even if access was previously granted."
https://dev.twitter.com/oauth/3-legged
This doesn't seem like a very good experience for the user and confusingly this is not what happens on services like Hootsuite. Have they organised an agreement with Twitter so users don't have to keep authorising the app?
Use the Sign-in With Twitter flow, and store the access token that the user receives when they grant access to your app. Then there's no need to go down the oauth/authorize route every time.
For my current work project we're trying to use OAuth to secure a mobile API, but the app doesn't have user accounts, so authentication would take place invisibly from the user, where the app will send up some secrets to the server and receive the token to be used for subsequent web service calls. The problem is, all the libraries and tutorials I can find implementing OAuth follow this pattern:
Present a web view allowing a user to login
Receive a callback to a custom URL scheme, and parse the necessary information to authenticate future web service calls
How do I achieve this without the webview step? I should be able to make an HTTP request directly with the correct credentials which will return the necessary authentication details.
The app will use OAuth 2.0
It is not clear what do you mean by
the app doesn't have user accounts
If you want to call some API on behalf of user you should ask him for a password. Doing it in webview or not depends on provider implementation. For example, twitter doesn't force you to do that.
In other case, if you want to call service on behalf of client, take a look at this answer: https://stackoverflow.com/a/7477112/2283405
If the app doesn't require "personalised" or "user-specific" data to be manipulated, then you can probably try using "client-credentials" grant type to obtain access tokens using the application credentials granted upon the application registration process by the Authorisation Server (for e.g.: OAuth server) that's there in your environment. The idea is that, your app is what basically authenticates with the Authentication Server for you using the aforesaid credentials (i.e. Client Consumer Key and Client Secret Key).
NO, you have to do login compalsary. if you try without. it won't be possible.
Just need a very basic detail clearified.
If I'm trying to implement au OAuth authentification system for my website, it mean my website is REQUIRED to have a facebook, google and twitter account ?
For example: I have no intention for my website to have a twitter presence, but I want twitter users to be able to use OAuth to login on my website without registering manually.
I really need to open a twitter account to get my clientID and secret key code ?
Yes, it looks like you need a Twitter account in order to create a Twitter application, but it doesn't have to be an account for your website. For instance, if I want to create a "Sign in with Twitter" button on my, page, I can just log into the dev site using my personal account and create an application. Follow the steps here. In particular following the "application settings" link will prompt you to login, and then you can create an application.
Facebook likewise requires you to have an account and create an application. They then provide API keys that can be used in the OAuth login flow. They have two ways to get a token: a server side flow that provides a longer lived token, and a client side that gives a shorter one. For more details see this page.
With Google, if you use their OAuth 1.0 flow, you can do a login without creating an application (https://developers.google.com/accounts/docs/OAuth). However, it looks like their preferred way is their OAuth 2.0 flow through Google+. See this page.
I'm creating an app for iOS that consumes an API I've created, which requires authentication and authorization of users. I'm thinking of using OAuth to let the mobile users do this with Facebook. This is an internal API that isn't meant to be exposed to third parties.
Anyway, I'm a little confused about the abilities and limitations of OAuth consumers versus OAuth providers. Basically, I want to implement "Login with Facebook" functionality from the iOS app. It seems to me that this implies that my API should be an OAuth consumer, but the problem with this is that the login flow for a web app assumes a browser -- an NSURLConnection instance isn't going to know what to do with an HTML login page, and even if the redirect to the login page was made to work by prefixing the redirect URI with the fb:// schema, surely the login form is going to pass the authorization token back to the iOS app and not my API?
So my question is: is there a way to implement my API as an OAuth consumer? If not, and I should implement it as an OAuth provider, what does logging in with credentials from another provider like Facebook even mean?
I think things are a bit mixed up:
OAuth is to Authenticate your app against facebook. A user grants
access to his FB account to your app on behalf of him
"Login with FB" is the other way round and is not OAuth: A User
with an FB account is using this data to register AND login to your
app.
The entire flow of the # 2 can be read here.
I've read through documentation where possible but unable to figure out this basic question. When using Oauth with Twitter in my web application, does it require the user to be logged into Twitter everytime?
For example, if a user authorises their account with my website, in future sessions, if they complete an action that posts to their twitter stream, will this occur without any problems, or would they need to re-sign in via Twitter?
Thanks guys!
The OAuth authorization actually allows your application to access their account whenever it wants. So the users do not even need to be there doing something with your web application to allow it to tweet something or such.
Your application is then able to use the key and token which it received in the authorization process to tell Twitter any time "hey, I am authorized to use this account" and basically works as the application's personal login credentials for that account.
No, they only need to be logged into Twitter when they go through the initial OAuth authorization. After that, your site talks directly to the Twitter API using tokens that it saved from earlier.
Ok I've setup a test-case and it looks like I was a bit wrong:
oauth_token, oauth_token_secret are unique for each user and they never change, so if you store them in your database you can reuse them. No matter if the user is logged in to twitter or not.
No, they will normally not need to re-authorize. If the token is revoked, however, they will, and your application needs to be able to handle this (by allowing them to do so). In general, this is true for any SSO system.
A twitter user can explicitly revoke an application's token at the provided page.