OAuth Revoke Token?


Ryan Amos

Apr 8, 2010, 12:59:28 AM
to Twitter Development Talk
Is there any way to send a request to revoke a token completely without
requiring the user to go to their connections page on twitter?


We allow our users to revoke access via our application, but that only
revokes it on our side. The application would still show up on their
twitter.com connections page.

Google has one by sending a request to:
https://www.google.com/accounts/accounts/AuthSubRevokeToken

Josh Roesslein

Apr 8, 2010, 3:06:19 PM
to twitter-deve...@googlegroups.com
There is no API endpoint that I know of and don't think one should exist. Users should not trust
third parties to self-revoke access to their accounts. Users should know how to do it from twitter.com
via the connections page. It might be nice if we could generate a redirect link to a page on twitter.com
where the user can then revoke the access (sort of like the authorization page).

Josh




Mike Repass

Apr 8, 2010, 3:23:23 PM
to twitter-deve...@googlegroups.com
A scenario for justifying invalidateToken:
  • User visits AwesomeApp and wants to connect his Twitter account
  • AwesomeApp redirects to Twitter's OAuth flow
  • User fails to notice that someone else, UserX, is already logged in to Twitter in the current browser and clicks through
  • AwesomeApp detects (somehow, perhaps later) that the wrong Twitter user is connected. They can be a good citizen and revoke the token completely, then send the user back through a full OAuth flow that asks for username/password regardless of sign-in state.
Just my $0.02, 

Mike

Abraham Williams

Apr 12, 2010, 3:51:38 PM
to twitter-development-talk
This seems like too much of an edge case for Twitter to spend resources on.

Abraham
--
Abraham Williams | Developer for hire | http://abrah.am
PoseurTech Labs | Projects | http://labs.poseurtech.com
This email is: [ ] shareable [x] ask first [ ] private.

Abraham Williams

Apr 12, 2010, 3:53:51 PM
to twitter-development-talk
This seems like too much of an edge case for Twitter to spend resources on. You can always include &force_login=true to always prompt the user for credentials.

Abraham

On Thu, Apr 8, 2010 at 12:23, Mike Repass <mike....@gmail.com> wrote:
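The wrong-account scenario Mike describes, combined with the force_login parameter Abraham mentions, as an added example that is not code from any poster in this thread: an app-side check that the access token just received actually belongs to the Twitter account the local user expected, dropping it locally (the only revocation available, as the thread notes) and rebuilding the authorization redirect with force_login=true when it does not. The authorize URL, the in-memory store and the shape of the account/verify_credentials response are assumptions made for the example.

```python
import time
from urllib.parse import urlencode

# Assumed endpoint; the thread itself only names the force_login parameter.
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"


def build_authorize_url(request_token, force_login=False):
    """Redirect URL for the OAuth flow. force_login=true makes Twitter ask for
    credentials even if another account is already signed in to the browser."""
    params = {"oauth_token": request_token}
    if force_login:
        params["force_login"] = "true"
    return AUTHORIZE_URL + "?" + urlencode(params)


class TokenStore:
    """Minimal in-memory store (constructed for the example). revoke() is local
    only: the app still appears on the user's twitter.com connections page."""

    def __init__(self):
        self._tokens = {}

    def save(self, local_user, access_token, twitter_user_id, expires_at=None):
        self._tokens[local_user] = {"token": access_token,
                                    "twitter_user_id": twitter_user_id,
                                    "expires_at": expires_at}

    def get(self, local_user):
        return self._tokens.get(local_user)

    def revoke(self, local_user):
        return self._tokens.pop(local_user, None) is not None


def reconcile_connection(store, local_user, expected_twitter_user_id,
                         credentials, retry_request_token, now=None):
    """Run after the OAuth callback. `credentials` is the parsed body of
    account/verify_credentials for the new token (shape assumed: has "id").
    Returns ("ok", None) if the token belongs to the expected account; otherwise
    drops the token locally and returns (reason, url) with a forced-login retry."""
    now = time.time() if now is None else now
    retry = build_authorize_url(retry_request_token, force_login=True)
    record = store.get(local_user)
    if record is None:
        return ("missing", retry)
    if record["expires_at"] is not None and record["expires_at"] <= now:
        store.revoke(local_user)  # expired tokens are treated as revoked
        return ("expired", retry)
    if str(credentials.get("id")) != str(expected_twitter_user_id):
        store.revoke(local_user)  # token grants access to someone else's account
        return ("mismatch", retry)
    return ("ok", None)
```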

Raffi Krikorian

Apr 12, 2010, 4:04:32 PM
to twitter-deve...@googlegroups.com
additionally, in oauth 2.0 we will have the ability to set expiration dates for tokens, so after a certain time period, tokens could just automatically expire.

I'd rather not have an actual API that would expire a token as that seems like an interesting attack vector.
--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi