So I am trying to let my customers login in with Twitter, and just twitter.
Twitter says "You should never store a password for your users again", but how am I going to reauthenticate my users with twitters API?
If I resend the user to twitter after they have deleted their session, twitter asks the user again if they want to give acces to my application.
Is it at all possible to have seamless intergration with twitter accounts without ever storing local user data?
EDIT
It seems that the question is not extremely clear. What I have experienced using for example http://forum.jquery.com/. They use OpenID. I click "Login with google". I get redirected to google. Google remebers I gave acces to Zoho once and instantly sends me back to forums.jquery.com, this time with an access_token for zoho to authenticate me with. I have no persistent data with Zoho. Yet they can log me in.
What twitter with OAuth does is the following. A user comes to my site, they click "Login with twitter" and get redirected to twitter.
Twitter asks them again whether they want to give the application access to their data. Instead of the immediate redirect google does.
Is it possible for twitter to immediatly redirect the user to me. Is there a setting for me I am overlooking.
Send users to https://api.twitter.com/oauth/authenticate instead of https://api.twitter.com/oauth/authorize. If the user is already signed into Twitter and has previously authenticated with your app they will be redirected without seeing an allow/deny prompt.
What you store from Twitter are the user's TOKEN and user's SECRET. Those values are issued by Twitter (or any oauth provider) when you are in the process of oauth authentication.
You can get the idea using this library in PHP:
https://github.com/abraham/twitteroauth
Or this one in Ruby:
https://github.com/jnunemaker/twitter
The process is quite straightforward once you tried with any real example. It is not difficult at all.
There are also some nice screencasts here:
http://railscasts.com/episodes/241-simple-omniauth
http://railscasts.com/episodes/235-omniauth-part-1
http://railscasts.com/episodes/236-omniauth-part-2
Have you actually read the API?
Read the getting started page, you don't store passwords you store access tokens for the user. And if you want people to log in and register your going to have to store some data ;-)
I had this problem exactly and solved it using setAuthorizedUrl method - for more details see here http://www.evilprofessor.co.uk/359-sign-in-with-twitter-using-zend-framework/
This tutorials might Helpful for you.
Twitter API connect using oAuth
Cristian comment is what I was looking for.
You have to save those values in any persistent storage, if not, your users will always need to go Twitter again.
Shame that twitter doesn't recognize that the users have already allowed my app and redirects automatically
Related
I have a problem to find the right way of implementing a login service.
First my environment:
An Android or IOS APP
My own web-api in PHP
Now the users have to login to get specific data from the api. So I have to check if the user is logged in with the API.
First i thought I could do this with JWT (JSON Web Token). But users with existing Google or Facebook account should also login to my side.
Is there a way to implement the login in PHP (the API site)? The most examples to login with Google or Facebook are simple Websites and not an APP with API.
How could I implement this login system?
Some time ago I thougt I could use GIT (Google Identity Toolkit). But now they switch to firebase and the website only contains examples for Webapps and Android/IOS.
Is there a common technique to do a login system like mine?
Do I have to implement OAuth2?
Oh. Besides the Google/Facebook login, there sould be a way to login with email and password.
I'm a little bit confused. It can not be, that I'm the only one with this problem. Or do I am a blockhead?
Yes, it is posible and it is well documented on the API's page.
For Facebook login, you can check this link.
For the Google's case, you should check this link
Side note: I know that I should quote the relevant parts of the link, but there are too much steps to follow, specially on the Google's case, so I haven't done it to avoid a huge block of quotes.
Solution:
Implement the Login in the Android- or IOS-App and get there the access token. Now send this token to the API. There you can check it and to everything you want with the Facebook-/Google-API.
I am doing a login with facebook on my website.
Unlike most logins I see....my users may already be signed up and later want to connect to their facebook. If they jump the gun and click 'login with facebook' when they already have an account on the website, they may end up creating a new account...which we don't want.
Instead, I have it set up so they login with facebook...and upon returning, check to see if the fbID or the fb email exists in the current db. If not...then present them with a login screen to login normally. At that time they will connect the two accounts. I have been researching for this quite some time and I am very surprised I don't see this method posted everywhere on the web. Seems logical to me.
To be clear, I use the FB JS SDK, to do the login with facebook popup. Then after the redirect, I use the FB PHP SDK to obtain the fb user ID and the users info from facebook.
Ok...so...one issue I have been having, is that after logging in with facebook...and then getting redirected back to a normal login screen, the facebook authentication is GONE when submitting normally. In order to finish connecting the two accounts in a secure manner, I would like to authenticate the user a second time before updating the database with their facebook ID.
In an effort to do this....I have decided to obtain the fb access_token with the first login, and then populate the normal login with the access_token. Then upon submitting normally, I can use the access_token to gain the user info with the php sdk and store the fb ID in my db.
However, is this safe? Passing the access_token in a form? Also...I noticed there was a way to obtain the "code" key, and use that to later obtain the access_token and the user_info. However, I am not sure how to obtain the "code" when using the fb JS sdk login.
Any thoughts on this would be greatly appreciated. I hope I was clear.
Thanks
You should never transfer the access_token between client and server. When somebody gets hold if it, they can perform actions for the user under your Apps name.
I'm not sure I understand what you mean with "the facebook authentication is GONE when submitting normally".
Have you read the guides on using Authentication with the PHP SDK? You can find them here: https://developers.facebook.com/docs/php/gettingstarted/4.0.0#authentication
Using the FacebookJavaScriptLoginHelper you can easily get the information from the logged-in user, using JS, to your servers.
For the JS SDK: https://developers.facebook.com/docs/javascript/quickstart/v2.1#login
I am trying to better understand the work-flow of the Twitter Oauth implementation. Currently, using Oauth to provide the user the ability to login to my site via Twitter, I can achieve the following:
Authorize my application via their Twitter account
get their oauth tokeh, oauth secret, and userid
store their token/secret/id in a MySQL table for future calls.
The part I'm having trouble with is understanding exactly how I can go about re-verifying the user with the saved token/secret/id instead of re-authorizing that user every time they choose to visit my site.
If I'm not mistaken, every time the user visits my site, they request a new token/key which invalidates the previous token/key. How do I allow them to log in again without the need to change these values in my table.
I understand that this could likely be class-specific, but I am looking for more of a step-by-step explanation of the process.
I can solve this easily with $_SESSION vars and cookies, but it seems like there should be a much simpler way.
Use authenticate API endpoint instead of authorize
I have a facebook application in my website. When someone is already logged in to my website, I have the offline_access of his facebook account, but when I put a like button, it always asks for login to facebook again.
Everything else works, like printing the posts, photos, etc. But the simple action of liking something, doesn't. How can I make it work using the php-sdk api?
I'm presuming that you have just used the like button code from here. What's happening when they click that button it's not going THROUGH your website but rather taking a bit with it to facebook. So it takes your URL to facebook and they do the whole posting bit... therefore if the client is not logged into facebook it'll ask them to login.
What you can do is use a curl posting script through your website and that should post whether they are logged into the facebook main site or not provided they logged in with the offline_access.
Please tell me if you need more information or if I have mis-interpreted what you meant.
Regards,
Jon
I guess you are misunderstanding the behavior of the offline_access permission:
Enables your application to perform
authorized requests on behalf of the
user at any time. By default, most
access tokens expire after a short
time period to ensure applications
only make requests on behalf of the
user when the are actively using the
application. This permission makes the
access token returned by our OAuth
endpoint long-lived.
This would mean, even if the user is logged off, your application will still have access to it's account BUT this DOES NOT mean that you can capture/monitor if the user is back on your website again until he is logged to his FB account again.
So offline_access will never know if the same user is currently on the page and "automatically" log him to his FB account!
I have followed the steps defined in the following link for twitter oauth implementation.
https://docs.google.com/View?docID=dcf2dzzs_2339fzbfsf4
Its working fine when i run through web browser but i want a user should be able to update status of twitter account through gmail chat i.e. he should only be authenticated once through web then he should be able to send the status message through gmail chat and his twitter account should be updated
How can i inegrate this because gmail id can be different from twitter id?
Please guide.
When you authenticate with twitter using oauth your given credentials you can store and use later when posting updates.
Try using this library,
http://emmense.com/php-twitter/
Cheers
This article had everything I needed to set up a Twitter-posting bot that authenticates with OAuth: http://masnun.com/blog/2010/04/30/setting-up-twitter-bots-with-oauth/
This might be help, I also face the same issue before, and it is now solved.
http://ruckuus.wordpress.com/2009/09/04/pecl-and-twitter-oauth/
Basically, after you ask a grant from user, then you access /access_token you will get authenticated oauth_token, and oauth_token_secret which is persistent. so further on you don't need access to access_token anymore if you already had these variables.
Storing it is very simple, either to put them in database, cookies (if you use web application) or in a plaintext.