Are oauth_token and oauth_verifier sufficient parameters for persistent isLoggedIn? - oauth

I'm learning to use the twitter API for the first time. I want to build a website that allows users to post messages to their twitter, facebook and linkedin account. They will need to sign up first via the website's registration/authentication system, which is in not related to twitter, facebook and linkedin. Once logged in, they should be able to synchronize their twitter, facebook and linked in account with my website.
I'm starting development with twitter first. I followed this tutorial here:
http://www.1stwebdesigner.com/tutorials/twitter-app-oauth-php/
After authenticating, twitter sends me to this url.
http://mywebsite.com/?oauth_token=o7gIh4x8xAs1mcms6OKthLoLecL99WVbky2Gu6o4no&oauth_verifier=83Ip3jrMVDvnbIY3RXS5DH1FUZrWAHddwApnOBfm4
The first time this page loads, it properly retrieves all the authenticated user info. But when I refresh the page, the all the user info disappears.
My question is:
Are the query string parameters oauth_token=o7gIh4x8xAs1mcms6OKthLoLecL99WVbky2Gu6o4no&oauth_verifier=83Ip3jrMVDvnbIY3RXS5DH1FUZrWAHddwApnOBfm4 all that's needed to gain write access to a user's twitter account? Can I store these tokens in my database so that the user never has to be prompted to sign into twitter again?

You had better keep oauth_token (and oauth_token_secret too) in your database since you will use them for all the authenticated requests you will do for the authenticated user. As for oauth_verifier, it is a parameter only used during the OAuth Authentication flow. So you can get rid of it once you have got the final tokens.
For further details (and to ensure what you are doing is right), see the corresponding "Sign in with Twitter" page on Twitter Developers website : https://dev.twitter.com/docs/auth/implementing-sign-twitter.

Related

Automatic (new) sign in with Google / stay signed in - web app

TLDR: I've been struggling with the new Sign in with Google functionality and especially the part how I can let the user stay signed in. What I understand from the docs is that Google only tells "this is a user who would like to sign in" but basically I would still need to create my own backend to track that user.
Note this question is about the new Sign in with Google functionality, all the guides/questions I can seem to find are about legacy sign-in and this is quite well described here:
https://developers.google.com/identity/sign-in/web/server-side-flow
What confuses me most is basically already stated in the beginning of the guide:
https://developers.google.com/identity/gsi/web/guides/overview?hl=en#user_sign-in_to_your_site
You'll manage per user session state for sign-in to your site.
User sign-in status to their Google Account and your app are independent of each other, except during the sign-in moment itself when you know that the user has successfully authenticated and is signed into their Google Account. Users may remain signed-in, sign-out, or switch to a different Google Account while maintaining an active, signed-in session on your website.
I understand the basic principle behind OAuth and the part where you have to exchange the authorization code for an access token and you can verify this access token (which is perfectly described in the legacy guide), but this is now only required for OAuth2 in order to access personal data. If I understand correctly this access token can be used as an identifier for a specific session (as alternative to a password or session cookie).
With the new sign in policy you will only get a JWT which identifies the user. Also apparently the only way to get a JWT is as a response when the user clicks the Sign in with Google button and selects the account in the consent screen (which ideally should only occur once).
What I actually want to achieve is that when a user enters the site I want to send a request "Hey Google this user is visiting my site, do you recognize this session and is it still valid".
Maybe I'm thinking way too difficult, but what I just don't understand is how can the new Google Login actually help me remember and validate users?
After some more digging around I found a lead on this page: https://developers.google.com/identity/gsi/web/guides/migration#object_migration_reference_for_user_sign-in
Basically what I am looking for was provided by the depreciated GoogleAuth.isSignedIn.get() function, but the notes clearly show:
Remove. A user's current sign-in status on Google is unavailable. Users must be signed-in to Google for consent and sign-in moments.
Combined with the prior statement:
You'll manage per user session state for sign-in to your site.
To validate the assumption I did some testing with other web services where I logged in using Google, revoked the log-in access for that website from the Google console and when revisiting that website I was still logged in to the website.
My conclusion:
Google login only verifies the initial login
Google basically responds with "Yes this is a valid user"
I have to keep track of the user session using cookies/databases myself

Proper way to manage user session for OAuth2

We are using google oauth2 permitting users to use their existing google accounts to log in to our system.
After being authenticated what is the proper way to manage active user session in our app for ex.
Let's suppose the user has logged in to our system with google account A. Then user logs out/changes google account to account B but not within our app but rather from its gmail. Should we also log him out him from our app???
(which seems to me bizarre and impossible as soon as there should be google API to check that the given user at the given time is logged in to google services).
The only way which seems to me reasonable is to invalidate user session after given timeout and only then we could make user re-pass oauth2 authorization flow.
Thanks in advance for your help.
The access_token or id_token your acquire from the Google OAuth2 Login flow is not coupled with the login sessions in the various Google apps (gmail, plus, ....).
There's no way for your app to know that the the user logged out of his gmail. Your app shouldn't care.
If your web app makes it clear to the user what account has been used to login initially (by displaying a username/picture or other info retrieved from the Google User Info call you should be ok.
Most users will not try to link your web application session with a gmail session for example.

Twitter API, finding logged-in user

I log into my Twitter account. Then I visit this twitter app website. I click sign-in with Twitter link, I am redirected to Twitter authorization page, I give auth. Then I see member page of app website. Then I check authed Applications from my Twitter account: https://twitter.com/settings/applications
I see that I authed that application. Then I remove all cookies of app website. But I don't logout from Twitter website. I revisit app website and click Sign-in with twitter.
Without Auth confirmation I am redirected to members page. How can it be?
I understand that they save my auth tokens inside their database and use to verify credentials. But without cookie etc. how can they know that I'm that Twitter user?
Is it possible to know that user logged in to Twitter?
This problem can be solved when "authenticating" is used rather then "authorization".
Authorization needs permission everytime user sign-ins, authentication needs permisson if user didn't give permission previously or he/she revoked the permission.
That is called as transparent login.
Note: Authentication doesn't include DM access.
https://dev.twitter.com/docs/auth/implementing-sign-twitter

Request Facebook access token without being logged in?

I want to download event information from a company's Facebook page using FacebookSDK 3.1.1 to present in a UITableView. This works fine as long as the user is logged in to his/her Facebook account.
It also works fine if I manually request an access token from developer Facebook and send it along with the Facebook URL request.
Can I request an access token from within the iPhone without being logged in?
I find the facebook developers page a bit difficult to navigate.. Anyway, here is the answer: http://developers.facebook.com/docs/concepts/login/access-tokens-and-types/

How to authenticate that user owns twitter account?

I'm developing a social network. Users may register and share their twitter username (if they want). Wherever the user posts a comment or other content, his username is displayed. I would like to display the follow #userTwitter button, if the user has set the twitter account.
Now, everything works, the problem is to validate that the user is the owner of that twitter account. Right now the user could be entering any valid twitter account! Maybe using the Twitter api?
You can set your app up as a Twitter client, this way your user has to log into twitter to authorize your app, thereby verifying their twitter identity.
This is a couple years old but might be enough to get you started:
http://www.1stwebdesigner.com/tutorials/twitter-app-oauth-php/

Resources