I am writing the backend of my app, and use OAuth 2.0 for authentication.
I use Resource Owner Password Credentials to let my users log in. My question is, how to log out?
My guess is, just simply delete access_token and refresh_token in frontend(client), but not sure.
Could anyone help?
I meet the same problem .
If your app is a web app.
You should know that:
Let a user log out ,the action is control by your system, I think is nothing to do with OAuth.
maybe you should clear the session in your application.
Related
I wanted to build a simple WP7 app to learn how to use Silverlight, so I thought I'd create a very simple yammer app. As a starter it would have two screens - Login (Username & Password) and Feed.
Yammer user OAuth for its authentication but I just dont get it! i appreciate you need to request a token to use the REST interfaces, but I dont want my users (even if its just me) to need anything other than their login credentials, as they would use on the website. In my head the token can be used in a similar manner as a forms auth token in asp.net
Am I missing something? But I cant see anything in the yammer documentation about logging in.
The process for OAuth is as follows
You do a token request to Yammer. If needed they will ask for yammer credentials and send a token back to a URL of your application
You must use that token to sign all your petitions.
You can't stop Yammer asking for credentials because that's the idea of OAuth. Yammer does not trust you and it's impossible for you to keep any user Yammer's credentials. That way they can't be stolen from your site. The more you can store is a temporal token.
There is a very good guide to using OAuth on hueniverse, which features an example workflow. It's not completely up to date with the latest version of the spec, although this probably doesn't matter too much for your purposes.
I've been using Twitter Basic Authentication where you simply need to enter login/password and that's enough to post tweets. But now since twitter has turned it off, I have to look into oauth. I do have experience with oauth but I always used the common way to do this - get request token, ask user to "approve app", exchanged request token to access token, then use access token. Unfortunately that's too complicated for my particular task and I really would love to keep oauth as simple as Basic Authentication was.
The reason for this is that I need to have oauth_token for one user only - admin. So I am looking for something like this: admin goes to twitter and registers app (I guess that can't be avoided), then accesses some twitter page and obtains access_token for this app, then takes key, secret and token and enters them as configs in the admin area. After this the site has the ability to post tweets to admin's profile.
I've been trying to find how to do this with no luck so far so before giving up I decided to confirm that this is not possible (or hopefully possible and I just missed something).
You have 2 options to simplify using a single user application:
If the user that you are going to be logged in as owns the OAuth application, you can login to dev.twitter.com as that user, drill down to the application, then click the 'My Access Token" button on the right. You can then just copy and paste the access token values into your application
Similar to #1, but slightly more laborious: develop a simple application whose sole purpose is to give you the access token for the user you wish to login as (or use a sample application somebody else has made). Then, again, copy and paste the values into your application.
Is it possible to authorize twitter console application without visiting authentication web page?
I need it because I'm developing app that grab direct messages from our corporate twitter. This console application is scheduled on web server and is not driven by human.
Regards,
Alexey Zakharov
You can ask Twitter for an access token by supplying a username and password using XAuth. This circumvents the need to redirect to OAuth webpages to get valid access without asking the user for username and password. Applications do need to ask permission from Twitter by email to be able to use this web service method. You should only use it to get a valid access token and then save that, and not persist the username/password in any way. It might be a suitable scenario for your console application?
Check out TWURL. It's command-line CURL with Twitter OAuth built in: http://github.com/marcel/twurl
Its possible to authorize any oAuth based API via Console.
if you have some sample code that your working with please share.
Also: http://p2p.wrox.com/content/articles/twitter-development-using-oauth-authenticate-against-twitter-api-walkthroughs
I'm currently having massive trouble with Vimeo's Oauth implementation and my desktop app. My program does the following correctly.
1- Requests a Unauthorized Request Token with my key and secret and returns - a Token and a Token secret.
2- Generates a URL for the user to go to using the token which then shows our application's name and allows the user to Authorize us to use his/her account. It then shows a verifier which the user returns and puts into our app.
The problem is the third step and actually exchanging the tokens for the access tokens. Basically every time we try and get them we get a "Invalid / expired token - The oauth_token passed was either not valid or has expired"
I looked at the documentation and there's supposed to be a callback to a server when deployed like that which gives the user an "authorized token" but as im developing a desktop app we can't do this. So I assume the token retrieved in 1 is valid for this step. (actually it seems it is: http://vimeo.com/forums/topic:22605)
So I'm wondering now am I missing something here on my actual vimeo application account now? is it treating it as a web hosted app with callbacks? all the elements are there for this to work and I've used this same component to create a twitter Oauth login in exactly the same way and it was fine.
Thanks in advance,
Barry
Fixed. It was a problem on Vimeo's end.
I've read through documentation where possible but unable to figure out this basic question. When using Oauth with Twitter in my web application, does it require the user to be logged into Twitter everytime?
For example, if a user authorises their account with my website, in future sessions, if they complete an action that posts to their twitter stream, will this occur without any problems, or would they need to re-sign in via Twitter?
Thanks guys!
The OAuth authorization actually allows your application to access their account whenever it wants. So the users do not even need to be there doing something with your web application to allow it to tweet something or such.
Your application is then able to use the key and token which it received in the authorization process to tell Twitter any time "hey, I am authorized to use this account" and basically works as the application's personal login credentials for that account.
No, they only need to be logged into Twitter when they go through the initial OAuth authorization. After that, your site talks directly to the Twitter API using tokens that it saved from earlier.
Ok I've setup a test-case and it looks like I was a bit wrong:
oauth_token, oauth_token_secret are unique for each user and they never change, so if you store them in your database you can reuse them. No matter if the user is logged in to twitter or not.
No, they will normally not need to re-authorize. If the token is revoked, however, they will, and your application needs to be able to handle this (by allowing them to do so). In general, this is true for any SSO system.
A twitter user can explicitly revoke an application's token at the provided page.