What is the best way to handle connection to many Twitter accounts?

My application needs a Twitter account to create an account and authenticate. Then, the user can link any other Twitter accounts as he likes. So, a user has ONE main Twitter account which allows him to connect to my app; then, he can browse all the accounts he has previously linked in the app. My question is about the login process on the Twitter side.

First, I thought about setting force_login only when linking a new account. This way, the user does not have to reconnect on Twitter each time he wants to connect to my app. And, when he wants to link another account, force_login forces him to choose the right account. The problem is that Twitter stays connected to the last authenticated account. So, if the user logs out from my app just after linking another account, then logs in with Twitter, he logs in with the second account, and creates a new user on my app. Example:

User has two Twitter accounts: @a and @b. He's authenticated to Twitter with @a. He signs up to my app, Twitter shows him the permissions asked by my app, the user accepts, he's redirected to my app, and a new User which can auth with @a is created. Then, he links the @b account. Thanks to force_login, Twitter asks him for credentials. The user logs in to @b, Twitter asks for permissions, and then the account is linked to the user on my app. We now have a user who can auth with @a and who is linked to @b. Then, the session on my app is over and the user needs to reconnect. Because there is no force_login, Twitter sees he's already connected with an account which authorised my app, so the connection is accepted without any action from the user. But, what nobody sees is that the user was connected with the last account: @b. So, I get a signin action with @b, which means a new user is created. I now have two users: User1 which can auth with @a and is linked to @b, and User2 which can auth with @b. And my user doesn't understand where his @a account is.

So my question is: do I have to set force_login anywhere? Or is there another way to tell Twitter not to authenticate when linking an account?

EDIT for more details:

It's not so easy. Keep in mind that many users should manage the same account. A simple example: @Maurice and @Roy are members of the @ReynholmIndustries corporation. They will create their own account on my service with their own account on Twitter. So on my service, I will have User1 which can connect with @Maurice and User2 which can connect with @Roy. Then, @Maurice will add the @ReynholmIndustries account to my service. So, after logging in with @Maurice, he can manage @Maurice and @ReynholmIndustries. Then, @Roy will add @ReynholmIndustries too. Nobody can log in with @ReynholmIndustries, but @Maurice and @Roy, with their own accounts, can manage it. And then, it's obviously possible that someone creates a new user by signing up with @ReynholmIndustries.

The difficulty is when adding a new account: UserA signs in to my service by signing in on Twitter. He's now authenticated as @Maurice and on my service as UserA, and can manage @Maurice. Then, he adds @ReynholmIndustries by signing in to Twitter as @ReynholmIndustries. He's now authenticated on my service as @Maurice and can manage @Maurice and @ReynholmIndustries, but on Twitter he's now authenticated as @ReynholmIndustries. Later, he loses auth on my service and clicks on the signin button. He's redirected to the Twitter OAuth form and we now have two options:

  1. without force_login: he is authenticated as @ReynholmIndustries because it is the last account he signed in with. So, Twitter doesn't ask him to auth and he's automatically redirected to my service, but not as UserA who auths with @Maurice, but as a new user: UserC which will auth with @ReynholmIndustries. UserC can manage only @ReynholmIndustries because he's a new user.
  2. with force_login: even if he is authenticated as @ReynholmIndustries on the Twitter side, he will need to give login/pass and he will be sure to choose the correct account, @Maurice, to access UserA and manage the two accounts. But, he will always have to give login/pass every time he has to auth to my service.

By writing this, I realise it is not a problem: if my service had a local auth, the user would also have to type login/pass every time he loses auth… maybe force_login is really the correct option. What do you think about all of this?

Hadrien.eu asked Oct 31 '22 10:10


1 Answer

For me it looks like your problem is not related to Twitter at all. You just need to handle the login / sign up process properly in your application.

Here is what happens, according to your description:

  • User signs up with @a account
  • Internally you create the user profile in your database (I assume that you have the database, doesn't really matter what kind of database), like this:
    • User A
    • id = 1 (your internal id)
    • name = UserA
    • accounts (related table)
      • twitter @a
  • User adds one more (@b) account
  • You update the user profile like this:
    • User A
    • id = 1
    • name = UserA
    • accounts
      • twitter @a
      • twitter @b
  • The user signs out
  • The user logs in back with @b account
  • Twitter approves it and redirects back to your app

Now you say "So, I get a signin action with @b, which means a new user is created." Why so? Twitter knows nothing about your application, but you do know it.

What you want to do here is just search through your database, find that you already have the "twitter @b" account and that it is linked to "UserA". Then you just log the "UserA" into your application instead of creating a new user (you don't want to have different users with the same Twitter account anyway, so the Twitter account id should be unique in your database).

Boris Serebrov answered Nov 15 '22 11:11
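The lookup-first sign-in the answer describes, as an added example that is not part of the original post: in-memory dictionaries stand in for the users and accounts tables, the Twitter user ids and names are constructed, and the index is keyed by Twitter's stable numeric user id rather than the @handle (handles can be changed by their owner). It also enforces the answer's uniqueness rule by refusing to link a Twitter account that already belongs to another user.

```python
from dataclasses import dataclass, field


class AccountAlreadyLinked(Exception):
    """A Twitter account is already bound to a different user."""


@dataclass
class User:
    user_id: int
    name: str
    twitter_ids: set = field(default_factory=set)  # every account this user may manage


class AccountStore:
    def __init__(self):
        self.users = {}          # internal id -> User
        self.twitter_index = {}  # Twitter user id -> internal id: one owner per account
        self._next_id = 1

    def _link(self, user, twitter_id):
        owner = self.twitter_index.get(twitter_id)
        if owner is not None and owner != user.user_id:
            raise AccountAlreadyLinked(f"Twitter id {twitter_id} belongs to user {owner}")
        self.twitter_index[twitter_id] = user.user_id
        user.twitter_ids.add(twitter_id)

    def link_account(self, user_id, twitter_id):
        """OAuth callback while a session exists (the force_login linking step)."""
        self._link(self.users[user_id], twitter_id)

    def sign_in(self, twitter_id, screen_name):
        """OAuth callback with no session: look the Twitter id up first and create
        a user only when it is unknown. Returns (user, created)."""
        owner = self.twitter_index.get(twitter_id)
        if owner is not None:
            return self.users[owner], False
        user = User(self._next_id, screen_name)
        self._next_id += 1
        self.users[user.user_id] = user
        self._link(user, twitter_id)
        return user, True


def walkthrough():
    """The question's scenario: sign up with @a, link @b, later Twitter returns @b."""
    store = AccountStore()
    user_a, created = store.sign_in(1001, "a")       # constructed Twitter ids
    store.link_account(user_a.user_id, 1002)         # link @b
    again, created_again = store.sign_in(1002, "b")  # session expired, no force_login
    return created, created_again, again.user_id == user_a.user_id, len(store.users)
```

Run as written, `walkthrough()` returns `(True, False, True, 1)`: the @b callback resolves to the same user and no second user is created.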