Re: [twitter-dev] How to end user session?


Taylor Singletary

Apr 20, 2010, 3:55:01 PM
to twitter-deve...@googlegroups.com
Hi Jonathon,

You'd handle this on your own back end. Using OAuth a user is never "logged in" -- there is no concept of a session or persistence -- it's all stateless. The association between your user and an access token is your own. If you want a user to be able to use multiple twitter accounts on your site, you would design a model relationship between access tokens and users such that a user can have many access tokens -- you'd then use context shifting of some kind in your application that establishes one of the access tokens belonging to the user is the "current access token." This will let your users context shift seamlessly. You'd obviously also have to ensure that the security of your application is such that a user never has access to access tokens that don't belong to them.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Tue, Apr 20, 2010 at 12:48 PM, Jonathon Hill <jhil...@gmail.com> wrote:
Hello,

I'm building an app that uses OAuth for registration and
authentication. Is there any way to log an authenticated user out of
twitter, so that he/she can log in with a different twitter account?

Calling the REST endpoint /account/end_session.json doesn't work.

Thanks,

Jonathon Hill

Company52
http://company52.com
@compwright


--
Subscription settings: http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
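One way to build the back end Taylor describes (many access tokens per site user, one of them the "current access token" for that user's context, and an ownership check on every context shift), as an added Python example that is not code from this thread or from Twitter; the class and method names and the token values are constructed for illustration:

```python
# Added example (not from the thread or Twitter): one site user owns many
# Twitter access tokens, one is the "current" context, and every context
# shift is checked against ownership. Names and token values are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccessToken:
    twitter_user_id: str   # Twitter account the token acts for
    screen_name: str
    token: str             # oauth_token (constructed placeholder)
    secret: str            # oauth_token_secret (constructed placeholder)

@dataclass
class SiteUser:
    user_id: int
    tokens: dict = field(default_factory=dict)   # twitter_user_id -> AccessToken

class TokenStore:
    """Maps site users to their tokens and tracks each user's current token."""
    def __init__(self) -> None:
        self.users: dict = {}     # site user_id -> SiteUser
        self.current: dict = {}   # site user_id -> twitter_user_id in use

    def link(self, user_id: int, tok: AccessToken) -> None:
        """Store a token obtained from the OAuth callback for this site user."""
        user = self.users.setdefault(user_id, SiteUser(user_id))
        user.tokens[tok.twitter_user_id] = tok
        self.current.setdefault(user_id, tok.twitter_user_id)  # first becomes current

    def switch(self, user_id: int, twitter_user_id: str) -> None:
        """Context shift: the target id comes from the request, so verify it
        against this user's own tokens; never look it up globally."""
        user = self.users.get(user_id)
        if user is None or twitter_user_id not in user.tokens:
            raise PermissionError("token does not belong to this user")
        self.current[user_id] = twitter_user_id

    def current_token(self, user_id: int) -> AccessToken:
        return self.users[user_id].tokens[self.current[user_id]]

    def unlink(self, user_id: int, twitter_user_id: str) -> None:
        """Drop a token (app-side 'log out' of that account); move context on."""
        user = self.users[user_id]
        user.tokens.pop(twitter_user_id, None)
        if self.current.get(user_id) == twitter_user_id:
            remaining = next(iter(user.tokens), None)
            if remaining is None:
                self.current.pop(user_id, None)
            else:
                self.current[user_id] = remaining
```

The check in `switch` is the point Taylor makes at the end: the account id a user asks to switch to is untrusted input, so it is resolved only inside that user's own token set.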

Jonathon Hill

Apr 20, 2010, 3:48:37 PM
to Twitter Development Talk

Abraham Williams

Apr 20, 2010, 8:55:51 PM
to twitter-deve...@googlegroups.com
You can send users to https://twitter.com/oauth/authenticate?oauth_token=xyz&force_login=true (notice the &force_login=true) to have users always prompted for username and password on twitter.com.


Abraham
--
Abraham Williams | Developer for hire | http://abrah.am
PoseurTech Labs | Projects | http://labs.poseurtech.com
This email is: [ ] shareable [x] ask first [ ] private.

Andy Freeman

Apr 21, 2010, 2:07:35 AM
to Twitter Development Talk
While oauth/authenticate with force_login=true does force users to
provide credentials, oauth/authenticate leaves them logged into
twitter, which is somewhat dangerous from a shared or public computer.

oauth/authorize used to behave differently - it didn't leave users
logged in. However, that changed - see
http://code.google.com/p/twitter-api/issues/detail?id=1453

On Apr 20, 5:55 pm, Abraham Williams <4bra...@gmail.com> wrote:
> You can add send users to https://twitter.com/oauth/authenticate?oauth_token=xyz&force_login=tr...
> the &force_login=true) to have users always prompted for username
> and password on twitter.com.
>
> http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-authenticate
> Abraham
>
> On Tue, Apr 20, 2010 at 12:48, Jonathon Hill <jhill9...@gmail.com> wrote:
> > Hello,
>
> > I'm building an app that uses OAuth for registration and
> > authentication. Is there any way to log an authenticated user out of
> > twitter, so that he/she can log in with a different twitter account?
>
> > Calling the REST endpoint /account/end_session.json doesn't work.
>
> > Thanks,
>
> > Jonathon Hill
>
> > Company52
> > http://company52.com
> > @compwright
>
> > --
> > Subscription settings:
> > http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
>
> --
> Abraham Williams | Developer for hire | http://abrah.am
> PoseurTech Labs | Projects | http://labs.poseurtech.com
> This email is: [ ] shareable [x] ask first [ ] private.

Jonathon Hill

Apr 20, 2010, 10:56:18 PM
to Twitter Development Talk
Taylor,

The problem with that is when I get my request token and redir to the
authorization page, if I'm logged in to Twitter.com it skips right on
by and redirects back to my app, so there's no opportunity to register
on my site as a *different* Twitter user, except for deliberately
going to twitter.com and logging out. Abraham's suggestion of forcing
login helps, but a more elegant solution would be to provide a way to
kill the authorization in the browser somehow at will, instead of
forcing it each time.

I'm really dealing with an edge case here, as most users won't have
more than one account, but attention to edge cases is what separates
average apps from excellent apps, as I'm sure you well know.

Thanks,
Jonathon


On Apr 20, 3:55 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> Hi Jonathon,
>
> You'd handle this on your own back end. Using OAuth a user is never "logged
> in" -- there is no concept of a session or persistence -- it's all
> stateless. The association between your user and an access token is your
> own. If you want a user to be able to use multiple twitter accounts on your
> site, you would design a model relationship between access tokens and users
> such that a user can have many access tokens -- you'd then use context
> shifting of some kind in your application that establishes one of the access
> tokens belonging to the user is the "current access token." This will let
> your users context shift seamlessly. You'd obviously also have to ensure
> that the security of your application is such that a user never has access
> to access tokens that don't belong to them.
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod

Abraham Williams

Apr 21, 2010, 3:49:05 PM
to twitter-deve...@googlegroups.com
If you use oauth/authorize instead of oauth/authenticate they will be prompted by the allow/deny page every time instead of skipping back to your application. Is that what you want to do?

Abraham
--
Abraham Williams | Developer for hire | http://abrah.am