Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

With Twitter oAuth authorization, how do you specify what twitter username?

Tags:

oauth

twitter

Developing a web application that I've registered with Twitter. In this app, I might have 10 different Twitter Identities that I want to either Allow or Deny access for the application to.

For example:

https://api.twitter.com/oauth/authorize?oauth_token=XXXXXXXXXXXXXXXXXXXXXXXX&oauth_callback=http:://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback/

It always just defaults to whatever my twitter account is logged in as and I have to specify Logout, then sign-in with new account. Its almost like I need an extra querystring parameter such as

https://api.twitter.com/oauth/authorize?oauth_token=XXXXXXXXXXXXXXXXXXXXXXXX&oauth_callback=http:://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback/&ForUsername=billgates

like image 444
Shane Avatar asked Oct 14 '22 00:10

Shane

2 Answers

Actually, you can pass in an extra parameter with the callback url, like so:

https://api.twitter.com/oauth/authorize?oauth_token=XXX&oauth_callback=http:://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback?ForUsername=billgates

and the parameter will be sent back to you when Twitter calls the return url, like this:

http:://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback?ForUsername=billgates&oauth_token=XXX&access_token=YYY

You can read more about this in the documentation - http://dev.twitter.com/pages/auth:

Always use an explicit oauth_callback - It is recommended that you specify a default OAuth callback in your client record, but explicitly declare your oauth_callback on each request token fetch request your application makes. By dynamically setting your oauth_callback, you can pass additional state information back to your application and control the experience best.

like image 70
draconis Avatar answered Oct 20 '22 17:10

draconis

Note that in the general scope of authorization, the authorized agent does not necessarily know the identity of the user on whose behalf it acts. In other words, there could be an implementation where your app can be authorized to read the Twitter stream of updates, while still not knowing which identity that stream belongs to. Adding the parameter you ask for would be information disclosure in this case, as your app will need a piece of information that the system is designed not to provide.

Or to put it in a real life example - imagine a valet parking, where instead of giving you a parking ticket and taking the keys to the car, the valet would ask you for your SSN just to park the car, just because the valet parks cars for other people too.

like image 43
Franci Penov Avatar answered Oct 20 '22 17:10

Franci Penov
Sign in to Comment

Related questions

Devise/Google OAuth 2: Not found. Authentication passthru
Google Oauth removing scopes from access
Discord API 401 Unauthorized with OAuth
How do I dynamically specify OAuth2 resource details in Spring Security?
Return JWT token to javascript SPA from oauth login
When using OAuth, how do you get a user to accept your Terms and Conditions?
Add dynamic/wildcard FACEBOOK Valid OAuth redirect URIs [duplicate]
Google SignIn - "access_token" vs "id_token" vs "code"
DocuSign JWT Authentication: Unexpected PEM type
Google Sign-in in Android with django-rest-auth
OAuth flow for third party API access
Github OAuth2 does not support Client Authentication?
How to get an auth code using ASWebAuthenticationSession?
Google's Oauth for Installed apps vs. Oauth for Web Apps
Oauth + Aeoid +Python + Google App Engine + Google documents
Difference between Client and User-Agent

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!