Why passport-twitter requires session support

I'm working on Facebook, Google, GitHub, and Twitter authentication with Passport. Authentication with Facebook, Google, and GitHub works as written in the tutorial. Only Twitter sends me back this message:

500 Internal Server Error: OAuth authentication requires session support. Did you forget to use express-session middleware?

Then I added the express-session middleware (see below) and my problem went away.

import * as express from "express";
import * as expressSession from "express-session";

const app = express();

// Session middleware must be registered before the Twitter strategy routes.
// strategyOptions is the asker's own configuration object.
app.use(expressSession({
    secret: strategyOptions.session.secret,
    resave: false,
    saveUninitialized: true
}));

So I have 3 questions:

  1. Why does Twitter authentication require session support?
  2. I had guessed only my backend and frontend know about the session. How does Twitter know about my session?
  3. Why don't Google, Facebook, and GitHub need session support?
Bogdan Surai asked May 19 '17 13:05


2 Answers

1) Why does Twitter authentication require session support?

  • Twitter authentication needs a requestTokenStore to store the token before the exchange. By default it is the SessionRequestTokenStore from passport-oauth1.

2) I had guessed only my backend and frontend know about the session. How does Twitter know about my session?

  • Twitter authentication is a middleware that runs in your backend, so it knows about your session.

3) Why don't Google, Facebook, and GitHub need session support?

  • Google, Facebook, and GitHub use passport-oauth2, which doesn't need a requestTokenStore (session).
Leandro Rodrigues answered Nov 01 '22 10:11


1. Why does Twitter authentication require session support?

Authenticating with Twitter using OAuth 1.0a works like this:

[Figure: Twitter/OAuth 1.0a authentication process]

(From https://medium.com/@robince885/how-to-do-twitter-authentication-with-react-and-restful-api-e525f30c62bb)

You'll notice there's a step where the server gets a request token from Twitter, and then sends the user to Twitter to authorize. When the user is redirected back to the site, the server will exchange the request token and a verification token for an access token. But the request token is not provided by Twitter when it redirects the user back to the site. So the server needs a way to save the request token when it first gets it, so that it can be retrieved when the user is redirected back. Sessions are used to save the request token.

2. I had guessed only my backend and frontend know about the session. How does Twitter know about my session?

You're right, Twitter doesn't know anything about your session. A session is basically an ID stored in a cookie in the user's browser and also a set of data associated with that ID on the server. So the user sends the session ID when she makes a request (cookies are sent with all requests), and the ID is used to look up the data on the server.

Building on the answer from (1), the session ID is used to retrieve the request token when the user is redirected back to the site from Twitter. Twitter doesn't know (or care) how that request token is stored. You could potentially store it another way and Twitter wouldn't know the difference.

3. Why don't Google, Facebook, and GitHub need session support?

Google, Facebook, and Github are likely using OAuth 2 instead of OAuth 1.0a. OAuth 2 doesn't work the same way, and so doesn't require a request token to be stored. Twitter actually supports OAuth 2. However, it's used for application-only authentication and not application-user authentication. So you could use OAuth 2 to authenticate your application, and use the API as your application. But you can't use OAuth 2 to query the API on behalf of users. In other words, Twitter doesn't allow you to use OAuth 2 to authenticate your application to be used on behalf of users.

Cully answered Nov 01 '22 09:11