tips: using OAuth in an iframe (web)


Emre GÜLCAN

Sep 30, 2010, 9:36:29 AM
to twitter-deve...@googlegroups.com
Hi all,
In the last couple of days I have been trying to move our basic Twitter applications to the new API and authentication system, OAuth. Because of our portal structure I have to use an iframe for the Twitter application. Before OAuth there was no problem with that, but after moving to OAuth I get some errors (actually warnings) about OAuth and using an iframe.
I think there are a lot of developers who know this issue and have solved it in different ways, but I'm a beginner with the Twitter API and OAuth.
After a few searches on Google and in this mail group I found some lines whose main idea is "OAuth doesn't allow iframes because of (users') security". So what can I do about this? I have to use an iframe... I saw some applications that do the authentication in pop-up windows.
And I decided to move my OAuth page to a pop-up window.
I'm developing in C# (.NET) and using the Twitterizer (http://www.twitterizer.net/) library. You can find some code tips below:

default.aspx (I'm loading it in an iframe on my website)

// Build the callback URL from the current request so it matches the application's own host and path.
string callbackUrl = string.Format("{0}://{1}{2}/callback.aspx", this.Request.Url.Scheme, this.Request.Url.Authority, this.Request.ApplicationPath);
// OAuth 1.0a step 1: obtain a request token, telling Twitter where to send the user afterwards.
OAuthTokenResponse tr = OAuthUtility.GetRequestToken(consumerKey.Trim(), consumerSecretKey.Trim(), callbackUrl);
// Twitter's authorization page for that request token.
Uri authUri = OAuthUtility.BuildAuthorizationUri(tr.Token);
// Keep the request token (with its secret) server-side; callback.aspx needs it to exchange the verifier.
Session["token"] = tr;
Session["authUri"] = authUri;
// Open a real top-level pop-up (not an iframe) for the Twitter screens. The pop-up starts on callback.aspx,
// so that page is expected to redirect to Session["authUri"] when it is loaded without an oauth_verifier (not shown here).
string script = "<script type='text/javascript'>window.open('" + callbackUrl + "', 'TwitteroAuth', 'status=1, location=1, resizable=0, width=800, height=400');</script>";
Page.RegisterClientScriptBlock("oAuthWindow", script);

Yes, the "script" opens a pop-up window and calls the "callback.aspx" file (below)

callback.aspx (loaded in the pop-up window)

// oauth_verifier is only present once Twitter redirects back after the user approves; guard against a missing value.
string verifier = Request.QueryString["oauth_verifier"];
if (!string.IsNullOrEmpty(verifier) && Session["token"] != null)
{
    OAuthTokenResponse rsp = (OAuthTokenResponse)Session["token"];
    // OAuth 1.0a step 3: exchange the request token plus verifier for an access token.
    OAuthTokenResponse accessToken = OAuthUtility.GetAccessToken(consumerKey.Trim(), consumerSecretKey.Trim(), rsp.Token, verifier);
    OAuthTokens token = new OAuthTokens();
    token.AccessToken = accessToken.Token;
    token.AccessTokenSecret = accessToken.TokenSecret;
    token.ConsumerKey = consumerKey;
    token.ConsumerSecret = consumerSecretKey;
    // Note: putting the access token and its secret in the query string exposes them to web-server logs,
    // browser history and Referer headers; keeping them in Session and passing only the screen name avoids that.
    string redirectUrl = string.Format("{0}://{1}{2}/default.aspx?token={3}&secret={4}&screen={5}", this.Request.Url.Scheme, this.Request.Url.Authority, this.Request.ApplicationPath, accessToken.Token, accessToken.TokenSecret, accessToken.ScreenName);
    // Point the opener (the page inside the iframe) at the new URL, then close the pop-up.
    string script = "<script type=\"text/javascript\">var openerWindow = window.opener; openerWindow.location = \"" + redirectUrl + "\"; window.close();</script>";
    Page.RegisterClientScriptBlock("oAuthReturn", script);
}

In this script I authenticate my user with OAuth and the user allows my application on Twitter; I also catch the "opener window" and refresh it with a new URL that includes the token and token secret hashes. My "opener" page is in the iframe and only refreshes inside the iframe (not the whole page). After that the pop-up window closes itself.

I hope it'll be helpful to you someday :p

Regards from Turkey

Emre GULCAN
Application Developer
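As an added example (not code from the post above or from the Twitterizer project), here is a stricter callback.aspx code-behind for the same pop-up flow. It assumes the same Twitterizer calls and Session keys as the post, placeholder consumer key fields, and .NET 4.0 for HttpUtility.JavaScriptStringEncode; it binds the callback to the pending request token, keeps the access token and secret in Session, and sends only the screen name back to the opener.

```csharp
// Added example, not the original poster's code: a stricter callback.aspx code-behind.
// Assumes the Session keys and Twitterizer calls used in the post; consumer key values are placeholders.
using System;
using System.Web;
using System.Web.UI;
using Twitterizer;

public partial class Callback : Page
{
    private readonly string consumerKey = "CONSUMER_KEY_PLACEHOLDER";
    private readonly string consumerSecretKey = "CONSUMER_SECRET_PLACEHOLDER";

    protected void Page_Load(object sender, EventArgs e)
    {
        OAuthTokenResponse requestToken = Session["token"] as OAuthTokenResponse;
        Uri authUri = Session["authUri"] as Uri;
        if (requestToken == null || authUri == null)
            throw new HttpException(400, "No OAuth flow in progress for this session.");

        string verifier = Request.QueryString["oauth_verifier"];
        if (string.IsNullOrEmpty(verifier))
        {
            // First load of the pop-up: hand the user to Twitter's own top-level page,
            // where the address bar shows twitter.com (exactly what an iframe would hide).
            Response.Redirect(authUri.AbsoluteUri, true);
            return;
        }

        // Bind the callback to the request token this session started; a mismatched
        // oauth_token means this redirect is not the continuation of our own flow.
        if (Request.QueryString["oauth_token"] != requestToken.Token)
            throw new HttpException(400, "oauth_token does not match the pending request token.");

        OAuthTokenResponse accessToken = OAuthUtility.GetAccessToken(
            consumerKey.Trim(), consumerSecretKey.Trim(), requestToken.Token, verifier);

        // Access token and secret stay server-side; the request token is single-use.
        Session["accessToken"] = accessToken;
        Session.Remove("token");
        Session.Remove("authUri");

        // Only the non-secret screen name travels back to the opener, so nothing
        // sensitive reaches browser history, Referer headers or web-server logs.
        string redirectUrl = string.Format("{0}://{1}{2}/default.aspx?screen={3}",
            Request.Url.Scheme, Request.Url.Authority, Request.ApplicationPath,
            HttpUtility.UrlEncode(accessToken.ScreenName));
        string script = "if (window.opener) { window.opener.location = "
            + HttpUtility.JavaScriptStringEncode(redirectUrl, true) + "; } window.close();";
        ClientScript.RegisterClientScriptBlock(GetType(), "oAuthReturn", script, true);
    }
}
```

default.aspx then reads the access token from Session["accessToken"] instead of from its query string.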

Taylor Singletary

Sep 30, 2010, 11:23:12 AM
to twitter-deve...@googlegroups.com
Please don't attempt to use IFRAMEs for Twitter's OAuth screens. What
you're trying to do is not permitted. OAuth screens loaded in an
IFRAME forfeit most authority and authenticity of Twitter asking for
credentials. If you don't like the way the user is taken away from
your site, then please use a different form of authentication (such as
@Anywhere) -- or provide no Twitter integration at all. By embedding
the OAuth screen in an IFRAME, you not only put your application at
risk of being suspended, but every access token you've been issued
becomes suspect and must be disregarded.

There are times when you find that in a particular situation you
cannot accomplish what you want given the features, permissions, and
terms you're given. That is not an invitation to go around them to
still find a way to accomplish your goals.

Thanks,
Taylor


Emre GÜLCAN

Sep 30, 2010, 12:23:28 PM
to twitter-deve...@googlegroups.com
Hi Taylor,
Thanks for your answer. But I think you misunderstood me.
I'm using my application in an iframe (I have to do this), but the OAuth / Twitter authentication is in the pop-up window (without an iframe).


Emre GULCAN

Application Developer


Taylor Singletary

Sep 30, 2010, 12:27:14 PM
to twitter-deve...@googlegroups.com
Glad of that, Emre! Thanks for the clarification.