
No oauth/authenticate implementation?

Jan 5, 2010 at 3:49 AM

Just curious, am I missing something?  There is an oauth/authorize implementation which works great to initially retrieve the access token/secret for a user, but no oauth/authenticate implementation. This would allow "Sign-In With Twitter" without being asked repeatedly to Allow or Deny the application.

Currently in my web app, once a user initially authorizes my application using Twitter, I securely store the user's access token/secret in the DB, then set a cookie in the user's browser to id the user. On subsequent return visits I match them to their access token. This works great, but because my web app doesn't implement any type of login scheme itself and only uses Twitter, this is essentially like keeping them constantly logged in until their cookie expires or is deleted.  I'm not sure how comfortable I am with that for various reasons.  If I use the WebOAuthAuthorization.BeginAuthorize() method on each visit then the user keeps getting the Allow/Deny Twitter page.

Is there a way to implement the authenticate (sign-in with Twitter) without forcing constant, repeated authorization with the Allow/Deny page?

Jan 5, 2010 at 8:57 PM

So just to be clear, it sounds like you've already implemented IConsumerTokenManager in your app and pass that in to provide the persistence of OAuth tokens.  Is that correct?  We often hear this "every time my user visits they have to re-authorize Twitter" but it's usually because they've missed this step.  

In your case, it sounds like you have a database to store the tokens, but you would prefer to not also have to authenticate your own users which would require your users to have another password to memorize.  Am I right?  OpenID usually fits the bill here quite nicely -- too bad Twitter isn't an OpenID Provider.  But if your app is exclusively a Twitter front-end, allowing your users to log in with Twitter makes more sense than having them log in with a separate OpenID.  

Do I understand you correctly?  If so, please open a work item requesting "Log in with Twitter" functionality.  It's not there yet.  No one has asked AFAIK.  You're the first.

Jan 5, 2010 at 10:50 PM

Yes you have summarized the scenario exactly!  Thank you.  Will post a related work item.