[twitter-dev] PIN response in web-based OAuth app
Hey guys, I'm having a few problems with the OAuth API and my browser-based app - it's giving me PIN numbers at the /oauth/authorize page, even though it's set to return to a callback in the OAuth settings - I've rechecked my settings, and the application is definitely set as a browser app. I'm guessing this is something to do with the new PIN-based desktop app code, just wondering when it'll be fixed - or whether I'm doing something wrong! Thanks, Elliott
[twitter-dev] Re: PIN response in web-based OAuth app
Hey Matt,

Yep, I'm passing oauth_callback - and it does look like that's the problem, because I have another app which doesn't send it, and it's working fine. Is this by design, or will it be changed back? I don't need it to use the oauth_callback url that I pass, but it'd be good to return to the specified callback URL by default.

Thanks,
Elliott

On Jun 9, 11:17 pm, Matt Sanford m...@twitter.com wrote:

Hi there,

Are you by chance passing anything in to the request_token call for the value of oauth_callback? I checked out a few other services and they seemed fine. If you're sending oauth_callback=oob (a.k.a. out of band) then the system is forced into the PIN flow. We're working on docs for all of this now but let me know if that's what you're sending.

— Matt

On Jun 9, 2009, at 2:55 PM, Keith Hanson wrote:

Same here, actually, for tweetingtoohard.com (tried to post here before but it looks like it got eaten :P) We've put up a snarky message in the meantime about the blunders :P But please do correct us if we have done something incorrect.

-- Keith Hanson
@big_love
keith (at) tweetingtoohard.com

On Jun 9, 4:47 pm, Elliott Kember elliott.kem...@gmail.com wrote:

Hey guys, I'm having a few problems with the OAuth API and my browser-based app - it's giving me PIN numbers at the /oauth/authorize page, even though it's set to return to a callback in the OAuth settings - I've rechecked my settings, and the application is definitely set as a browser app. I'm guessing this is something to do with the new PIN-based desktop app code, just wondering when it'll be fixed - or whether I'm doing something wrong!

Thanks,
Elliott
[twitter-dev] Re: PIN response in web-based OAuth app
Sorry - having said that, I've removed the oauth_callback parameter and the behaviour is still persisting - and it also doesn't save the authentication so I have to hit Allow every time.

On Jun 9, 11:21 pm, Elliott Kember elliott.kem...@gmail.com wrote:

Hey Matt,

Yep, I'm passing oauth_callback - and it does look like that's the problem, because I have another app which doesn't send it, and it's working fine. Is this by design, or will it be changed back? I don't need it to use the oauth_callback url that I pass, but it'd be good to return to the specified callback URL by default.

Thanks,
Elliott

On Jun 9, 11:17 pm, Matt Sanford m...@twitter.com wrote:

Hi there,

Are you by chance passing anything in to the request_token call for the value of oauth_callback? I checked out a few other services and they seemed fine. If you're sending oauth_callback=oob (a.k.a. out of band) then the system is forced into the PIN flow. We're working on docs for all of this now but let me know if that's what you're sending.

— Matt

On Jun 9, 2009, at 2:55 PM, Keith Hanson wrote:

Same here, actually, for tweetingtoohard.com (tried to post here before but it looks like it got eaten :P) We've put up a snarky message in the meantime about the blunders :P But please do correct us if we have done something incorrect.

-- Keith Hanson
@big_love
keith (at) tweetingtoohard.com

On Jun 9, 4:47 pm, Elliott Kember elliott.kem...@gmail.com wrote:

Hey guys, I'm having a few problems with the OAuth API and my browser-based app - it's giving me PIN numbers at the /oauth/authorize page, even though it's set to return to a callback in the OAuth settings - I've rechecked my settings, and the application is definitely set as a browser app. I'm guessing this is something to do with the new PIN-based desktop app code, just wondering when it'll be fixed - or whether I'm doing something wrong!

Thanks,
Elliott
[twitter-dev] Re: PIN response in web-based OAuth app
Surely this is all moot anyway - can't the OAuth process just redirect if the application only accepts callbacks? We set a preference for callbacks in the OAuth settings, so why are we being forced into PIN verification?

On Jun 10, 12:46 am, lebreeze lebre...@gmail.com wrote:

I managed to get the old behaviour back by modifying the oauth gem to not set a default oauth_callback (oob). For some reason the twitter-auth gem is not passing over the configuration to override the default. I'm too tired to investigate further at the minute but will keep looking in the morning (GMT).

On Jun 10, 12:16 am, Matt Sanford m...@twitter.com wrote:

Hi there,

I just checked the tokens generated on several of these services and I see oauth_callback was set to oob. Doug is working on the docs right now to make it clear how all of this shakes out. The end result is that if you want to use the pre-configured callback url don't send an oauth_callback parameter at all. If you're seeing this error but are not sending the oauth_callback parameter please email me off list with a copy of the URL, headers and body where you make the request_token call so I can try and debug the issue. It doesn't seem to be all apps which is what I would expect in the case of a bug.

Thanks;
– Matt Sanford / @mzsanford
Twitter Dev

On Jun 9, 2009, at 3:53 PM, lebreeze wrote:

I'm seeing exactly the same behaviour and it just started happening a few hours ago.
App is http://moodmapr.com
Users just cannot login but instead are provided with a PIN.

On Jun 9, 11:37 pm, Keith Hanson seraphimrhaps...@gmail.com wrote:

I'm actually not using an oauth callback parameter and am getting this behavior. I'm running on Sinatra at the moment, but have implemented my login routine by pretty much copy/pasting the Rails tutorial in the API Wiki. I'm using the gem OAuth 0.3.5 for redirecting and what-not. I did take a look at the redirect url, though, and didn't see any oauth_callback params set. It sounds as if they shouldn't be there anyways, correct?

On Jun 9, 5:28 pm, Elliott Kember elliott.kem...@gmail.com wrote:

Sorry - having said that, I've removed the oauth_callback parameter and the behaviour is still persisting - and it also doesn't save the authentication so I have to hit Allow every time.

On Jun 9, 11:21 pm, Elliott Kember elliott.kem...@gmail.com wrote:

Hey Matt,

Yep, I'm passing oauth_callback - and it does look like that's the problem, because I have another app which doesn't send it, and it's working fine. Is this by design, or will it be changed back? I don't need it to use the oauth_callback url that I pass, but it'd be good to return to the specified callback URL by default.

Thanks,
Elliott

On Jun 9, 11:17 pm, Matt Sanford m...@twitter.com wrote:

Hi there,

Are you by chance passing anything in to the request_token call for the value of oauth_callback? I checked out a few other services and they seemed fine. If you're sending oauth_callback=oob (a.k.a. out of band) then the system is forced into the PIN flow. We're working on docs for all of this now but let me know if that's what you're sending.

— Matt

On Jun 9, 2009, at 2:55 PM, Keith Hanson wrote:

Same here, actually, for tweetingtoohard.com (tried to post here before but it looks like it got eaten :P) We've put up a snarky message in the meantime about the blunders :P But please do correct us if we have done something incorrect.

-- Keith Hanson
@big_love
keith (at) tweetingtoohard.com

On Jun 9, 4:47 pm, Elliott Kember elliott.kem...@gmail.com wrote:

Hey guys, I'm having a few problems with the OAuth API and my browser-based app - it's giving me PIN numbers at the /oauth/authorize page, even though it's set to return to a callback in the OAuth settings - I've rechecked my settings, and the application is definitely set as a browser app. I'm guessing this is something to do with the new PIN-based desktop app code, just wondering when it'll be fixed - or whether I'm doing something wrong!

Thanks,
Elliott
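The whole thread turns on one parameter: what the client sends as oauth_callback in the request_token call. The Ruby below is an added example written for this page; it is not code from the thread, from the oauth gem or from twitter-auth. It builds the OAuth 1.0a request_token parameters for the three cases the thread discusses (parameter omitted, an explicit URL, and oob), signs them with HMAC-SHA1 as RFC 5849 specifies, and reports which flow the provider will select. The consumer key and secret are placeholders, the request_token URL is assumed to be Twitter's endpoint of the time, and the signing helpers are my own rather than the gem's.

```ruby
require 'openssl'
require 'securerandom'

# Assumed endpoint (Twitter's 2009-era OAuth 1.0a request_token URL).
REQUEST_TOKEN_URL = 'https://twitter.com/oauth/request_token'

# RFC 5849 section 3.6 percent-encoding: only unreserved characters pass through,
# every other byte becomes %XX with upper-case hex.
def pct(s)
  s.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# The oauth_* parameters for the request_token call.
#   callback: nil   -> oauth_callback omitted; the provider falls back to the callback
#                      configured in the app settings (what the thread recommends)
#   callback: 'oob' -> out-of-band; the provider switches to the PIN flow
#   callback: URL   -> the provider redirects to that URL after authorization
def request_token_params(consumer_key, callback: nil, nonce: SecureRandom.hex(16), timestamp: Time.now.to_i)
  params = {
    'oauth_consumer_key'     => consumer_key,
    'oauth_nonce'            => nonce,
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => timestamp.to_s,
    'oauth_version'          => '1.0'
  }
  params['oauth_callback'] = callback unless callback.nil?
  params
end

# Which flow the provider will select, judged from the parameters we are about to send.
def callback_mode(params)
  case params['oauth_callback']
  when nil   then :preconfigured
  when 'oob' then :pin
  else            :redirect
  end
end

# RFC 5849 section 3.4.1: METHOD & encoded(URL) & encoded(sorted, encoded k=v pairs joined by &).
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [pct(k), pct(v)] }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, url, normalized].map { |part| pct(part) }.join('&')
end

# HMAC-SHA1 over the base string, keyed with encoded(consumer_secret) & encoded(token_secret);
# the token secret is empty for the request_token step.
def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, base_string)].pack('m0') # strict base64, no newline
end

# The Authorization header the request_token call would carry.
def authorization_header(params, signature)
  pairs = params.merge('oauth_signature' => signature).sort
  'OAuth ' + pairs.map { |k, v| %(#{pct(k)}="#{pct(v)}") }.join(', ')
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder credentials; fixed nonce and timestamp so the three runs are comparable.
  [nil, 'http://app.example/callback', 'oob'].each do |cb|
    params = request_token_params('CONSUMER_KEY_PLACEHOLDER', callback: cb, nonce: 'fixednonce', timestamp: 1_244_592_000)
    base   = signature_base_string('POST', REQUEST_TOKEN_URL, params)
    sig    = hmac_sha1_signature(base, 'CONSUMER_SECRET_PLACEHOLDER')
    puts "oauth_callback=#{cb.inspect} -> #{callback_mode(params)}"
    puts "  Authorization: #{authorization_header(params, sig)}"
  end
end
```

Running it prints one signed header per case; the useful check for a web app is that callback_mode never returns :pin, which is exactly the condition lebreeze hit when the gem's default oob callback was sent through unchanged.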
[twitter-dev] Re: Proof of identity rather than authorization
Well, on my site I'll say something like "If you're logged in to Twitter already, click here to log in." It works the same way as with OpenID. If they aren't logged into Twitter, they're prompted for their username and password at Twitter's site. Then they're taken straight back to mine. If they want to log in as another user, they have to log out of Twitter - the same way I have to log out of Google to use a different OpenID account.

On Mar 27, 3:23 pm, Chad Etzel jazzyc...@gmail.com wrote:

On Thu, Mar 26, 2009 at 7:30 PM, Elliott Kember elliott.kem...@gmail.com wrote:

If you don't have a database storing the access tokens or indefinite sessions on your webserver storing them, then the user will have to login every time. There's no way to get an access token without users going through the OAuth detour.
-Chad

That's true - but what if the OAuth detour recognizes that the app is already registered, and invisibly allows the authorization, and redirects them to the callback url? For a web-app, this is perfect - it's an invisible roundtrip, similar to OpenID's one. The user probably wouldn't even notice.

I guess that would work if the user is already logged into twitter's website and has an active cookie/session going on... but what if they want to login as another user? The auto-callback wouldn't let them do that... They'd have to log out of twitter's website first, but how would they be informed to do that?
-Chad

In effect, I'm re-authorizing every time, and getting a new access token each time. This will only work for web-apps - but the upside is, a single button-click and you're logged in.

Won't read-only access accomplish this? You can check verify_credentials and never check anything else... but the OAuth login flow remains the same..

Sort of - but read-only access can still read DM messages, right? I'm not sure that's necessary for just logging in.

On Mar 26, 9:11 pm, Graeme Foster grae...@gmail.com wrote:

2009/3/26 Chad Etzel jazzyc...@gmail.com

If you don't have a database storing the access tokens or indefinite sessions on your webserver storing them, then the user will have to login every time. There's no way to get an access token without users going through the OAuth detour.
-Chad

In my case I want the client app that is getting and storing its own token to be able to hand something to my web service so the user doesn't have to authorize twice.

G.
[twitter-dev] Re: Proof of identity rather than authorization
No - they don't log in before I request authorization. I get their access token without having any idea who they are. That's what I'm trying to avoid - I don't want to have any login stuff on my side so the login is as easy as possible.

On Mar 26, 9:45 am, GraemeF grae...@gmail.com wrote:

If they have to log in before you request authorization, can't you just store the token with the login credentials (in your db) and use it next time?

G.

On Mar 25, 8:19 pm, Elliott Kember elliott.kem...@gmail.com wrote:

Well, I've had it working for a while now using Rails. All this solution needs is an "Always authorize this app" button. The way I do it is: I request an OAuth token, and then call verify_credentials with it to find out who they are. It seems to work fine, except it forces the user to click Allow every time they log in.
[twitter-dev] Re: Proof of identity rather than authorization
Cool - yeah sorry about that. I meant to say the next time they try to access their account. It'd be even better if there were another level of OAuth permissions - authorization only - which just lets you log in using the account, and only lets you call verify_credentials. Am I the only one that thinks this could be really cool? What are the downsides?

On Mar 26, 5:07 pm, Graeme Foster grae...@gmail.com wrote:

2009/3/26 Elliott Kember elliott.kem...@gmail.com

No - they don't log in before I request authorization. I get their access token without having any idea who they are. That's what I'm trying to avoid - I don't want to have any login stuff on my side so the login is as easy as possible.

I see - exactly the same problem as me then. When you said they log in I incorrectly assumed you meant to your app.

G.
[twitter-dev] Re: Proof of identity rather than authorization
Well, I've had it working for a while now using Rails. All this solution needs is an "Always authorize this app" button. The way I do it is: I request an OAuth token, and then call verify_credentials with it to find out who they are. It seems to work fine, except it forces the user to click Allow every time they log in.

Here's my code: http://pastie.org/private/wxii1xiujjndzwtl0xxdma

On Mar 23, 12:38 am, Ed Finkler funkat...@gmail.com wrote:

On Mar 22, 6:17 am, GraemeF grae...@gmail.com wrote:

Hi Elliott,

This scenario worked well with basic authentication; you could just delegate the login to Twitter. Now I don't see a way to do it without requiring the user to create another account so that the token can be associated with it.

Well, Basic Auth still works *now*. I've personally advocated it not go away ever. If you agree, you may want to make this preference known.

--
Ed Finkler
http://funkatron.com
Twitter: @funkatron
AIM: funka7ron
ICQ: 3922133
XMPP: funkat...@gmail.com
[twitter-dev] Re: Proof of identity rather than authorization
Hi Graeme,

I think I'm doing a similar thing - I want to use Twitter as the registration and login process for my app. Right now, Twitter asks for approval every time the user logs into the account. Is there a way to say "remember this application" and then always accept auth requests from that application in future, like OpenID does? Long story short, I'm using OAuth like OpenID.

Sorry to hijack your thread, but I think we're after the same thing.

Thanks,
Elliott

On Mar 21, 11:35 am, GraemeF grae...@gmail.com wrote:

I have an application that does not need access to anything in or do anything to a Twitter account, it just wants proof that the user owns the account. This doesn't seem to fit with OAuth; the app needs proof of identity rather than authorization, so in fact OpenID would be more suitable than OAuth. Ideally I would be able to get the username and user id from the Twitter API without getting authorization for anything else. What's the best way to tackle this?

Cheers,
Graeme.
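The identity thread wants Twitter to act as the login provider: run the OAuth round trip, call verify_credentials to learn who the user is, and keep the access token so the person is recognised next time instead of authorizing again. The Ruby below is an added example written for this page, not the pastie from the thread and not any library's code. It wires those steps together around two injected adapters, exchange and verify, which are hypothetical stand-ins for the network calls (the verifier argument is oauth_verifier, the PIN in the out-of-band flow or the value the callback URL carries); it keeps tokens in an in-memory hash where a real app would use the database Chad mentions, and it refuses a callback whose oauth_token is not the one it issued for that browser session. The verify_credentials body is a constructed sample.

```ruby
require 'json'

# Constructed sample body in the shape of account/verify_credentials; not a real account.
SAMPLE_VERIFY_CREDENTIALS = '{"id": 12345, "screen_name": "example_user"}'

class TwitterLogin
  # exchange: proc(request_token, verifier) -> access token (hypothetical adapter around
  #           the access_token call; `verifier` is oauth_verifier, i.e. the PIN in the
  #           out-of-band flow or the value appended to the callback URL)
  # verify:   proc(access_token) -> JSON string from account/verify_credentials (hypothetical)
  def initialize(exchange:, verify:)
    @exchange = exchange
    @verify = verify
    @tokens_by_user = {} # stands in for the database that stores access tokens
  end

  # Step 1: before redirecting to /oauth/authorize, tie the request token to this session.
  def start_login(session, request_token)
    session[:request_token] = request_token
    session
  end

  # Step 2: the callback. The token coming back must be the one this session was sent
  # off with, so an authorization started elsewhere cannot be completed in this session.
  # Identity comes only from verify_credentials, never from anything in the callback URL.
  def finish_login(session, returned_token, verifier)
    expected = session.delete(:request_token)
    if expected.nil? || expected != returned_token
      raise ArgumentError, 'oauth_token in callback does not match this session'
    end
    access   = @exchange.call(returned_token, verifier)
    identity = JSON.parse(@verify.call(access))
    user_id  = Integer(identity.fetch('id'))
    @tokens_by_user[user_id] = access # remembered, so no re-authorization on the next visit
    session[:user_id]     = user_id
    session[:screen_name] = identity.fetch('screen_name')
    user_id
  end

  # On a later visit a stored token means the user is known without another round trip.
  def returning_user?(user_id)
    @tokens_by_user.key?(user_id)
  end

  def access_token_for(user_id)
    @tokens_by_user[user_id]
  end
end

if __FILE__ == $PROGRAM_NAME
  login = TwitterLogin.new(
    exchange: ->(token, verifier) { { token: "access-for-#{token}", verifier: verifier } },
    verify:   ->(_access) { SAMPLE_VERIFY_CREDENTIALS }
  )
  session = login.start_login({}, 'request-token-1')
  puts "logged in user #{login.finish_login(session, 'request-token-1', '1234567')}"
  puts "returning? #{login.returning_user?(12345)}"
  begin
    login.finish_login(login.start_login({}, 'request-token-2'), 'some-other-token', '0')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The stored token is keyed by the numeric user id rather than the screen name, since screen names can change while the id does not; a real deployment would persist @tokens_by_user and treat the stored secret as a credential.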