OAuth Suggestions

4 views
Skip to first unread message

Coderanger

unread,
Aug 3, 2009, 2:55:16 AM8/3/09
to Twitter Development Talk
I am looking into adding OAuth authentication to twitcher (http://
coderanger.com/twitcher), my twitter client, and have a couple of
suggestions:

1. The authorisation page at twitter.com, isnt particularly clear as
to the account being authorised. This could be an issue with users
authorising multiple accounts from an app. Can I suggest it is split
into paragraphs and the account name is added to the heading, like:
~~~~~~~~~~~
An application would like to connect to your '<accountname>' account.

The application twitcher by Coderanger.com would like the ability to
access and update your data on Twitter. This application plans to use
Twitter for logging you in in the future.

Sign out if you want to connect to an account other than
<accountname>.
~~~~~~~~~~~

2. It would be useful if you could pass the username up to the
authorisation page along with the authorisation token. Then at your
side, if the username is different to the one currently signed in, you
can auto sign out and place the new username passed into the username
text input ready for signing in by the user. I think this will improve
workflow for the customer where multiple-accounts are involved, but
also when upgrading a system that has been using BasicAuth, and avoid
potential confusion and mistakes. I dont think there can be any
security implications for doing this so it would be a possible change
should you so desire.

Thanks

Josh Roesslein

unread,
Aug 3, 2009, 3:17:53 AM8/3/09
to twitter-deve...@googlegroups.com
1. I think the current text makes it clear which account is being used.
2. Not sure I like the idea of auto sign out. Maybe instead if the username is provided
    as an additional parameter twitter will display the login prompt with the username provided.
    The the user just enters their password and authorizes the app. This way the browser cookie
    for the currently active session is not affected and will remain active.

A suggestion I might make is not asking for the user's twitter username before authorization. Instead
have the user go to twitter and authorize which account they want. Then when they return back and you
get the access token then detect which username is being used if you need it. You could even double check
with the user that this is the account they want.
--
Josh

Coderanger

unread,
Aug 3, 2009, 3:51:48 AM8/3/09
to Twitter Development Talk
> 1. I think the current text makes it clear which account is being used.
I do beg to differ, I have made the mistake of authorising the wrong
account during the testing. If the account was in the heading and/or
an extra paragraph was used in the text to split it up .. they are
separate paragraphs gramatically anyway then this can be
alleviated ... for the case of two tiny changes I dont think its worth
not doing as no harm can be done.

> 2. Not sure I like the idea of auto sign out. Maybe instead if the username
> is provided
>     as an additional parameter twitter will display the login prompt with
> the username provided.
>     The the user just enters their password and authorizes the app. This way
> the browser cookie
>     for the currently active session is not affected and will remain active.
Sounds fine to me

> A suggestion I might make is not asking for the user's twitter username
> before authorization. Instead
> have the user go to twitter and authorize which account they want. Then when
> they return back and you
> get the access token then detect which username is being used if you need
> it. You could even double check with the user that this is the account they want.
Yes, I will be doing that for new accounts, but I wish to upgrade
existing accounts (its not a new app and there are lots of existing
users) ... this could cause confusion if they authorise the wrong
account which the app was expecting, but yes I was going to verify the
authorisation using the returned user name but its a potential
confusion that could be avoided; I just thought it might add an extra
useful path on the workflow and help allow the app to control a little
part of it.

Jesse Stay

unread,
Aug 3, 2009, 9:11:34 AM8/3/09
to twitter-deve...@googlegroups.com
This would be helpful for us, too. It's one of the biggest customer support issues I have now that we're using OAuth.

Jesse

Andrew Badera

unread,
Aug 3, 2009, 12:55:54 PM8/3/09
to twitter-deve...@googlegroups.com
++ Likewise. "Sign in with the account you intend to associate with our service" just doesn't click. The process itself is already bewildering to a lot of people.

--ab
Reply all
Reply to author
Forward
0 new messages