After adding Twitter #Anywhere to a site, a user can log in just fine, but after 2 hours, their sessions have expired. Can't seem to find anything on the wire that references twitter anywhere session durations.
There's no way to override the cookie expiration via the API as this post to the Twitter Anywhere Development Google Group details.
In the thread, Matt Harris, one of Twitter's developer advocates summarizes:
#anywhere doesn't share the
twitter.com login but instead is a
user authorised connection - much
like OAuth apps. But, unlike OAuth
apps, #anywhere is purely web-based so
doesn't provide access beyond the
current session.
If you want to
provide a logged in system you would
need to use your own session
management code. To use Twitter as the
identity provider you might want to
consider "Sign in with Twitter"
instead though.
Related
I'm trying to write a CLI script (ruby) to manage my youtube videos. Technically I'm updating a script that I used in 2012 to do this. It appears that since 2012, youtube has discontinued the simple client authentication mechanism and moved to OAUTH2 (though I'm not totally sure).
I'm wouldn't be the first to say that OAUTH2 is hell (just google it). It's been 3 hours and I still haven't gotten my old script to even authenticate with google (using the youtube_it ruby gem).
I simply do not understand why I would need to use OAUTH to access my own account on Google? What am I missing? I thought OAUTH was so that separate users could give access to applications to temporarily access their data.
Is there another way? What am I missing. As one blogger commented OAUTH2 is enough to make one want to change careers. Even the lead dev quit the project.
The Youtube API docs is specific in stating that if you're going to use Youtube API (or other Google APIs), you must learn how to use OAuth:
If your application will use any API methods that require user
authorization, read the authentication guide to learn how to implement
OAuth 2.0 authorization.
Youtube has a Ruby Quickstart sample which includes the OAuth process.
I simply do not understand why I would need to use OAUTH to access my own account on Google?
I think OAuth answers exactly that question, "how will Google products know if you are who you claim to be?"
Read the OAuth Google guide for more info.
OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and google. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.
for more detail study :-
https://www.rfc-editor.org/rfc/rfc6749
I'm writing a web application that reads my personal calendar data, crunches stats, and then spits them out for the world to see. I don't need an authorization flow. Is it possible to leverage the Google APIs without going through a user sign-in flow? In other words, I want my personal Google account permanently and securely signed in to my server without the risk of my token invalidating or having to re-auth.
Right now I'm signing myself in with an offline token, then uploading the authorization file onto my server, basically spoofing the server that I already auth'd. Is there not a cleaner way?
I've spent hours reading through the API docs and Auth docs, but haven't found and answer. If there is a page I've missed, please point me to it!
PS. I'm using the Calendars API through Python/Flask on Heroku, but that shouldn't matter.
An alternative approach is using a service account while sharing your calendar with that service account. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
So, you want to be remembered.
If you want to dispose of any kind of authenticacion but yet the user needs to be recognized you should be using a cookie.
On the server side that cookie should be used to select the offline token.
Of course, without that cookie the user needs to be authenticated in any way. I would make them reauth by Google so you get a new offline token.
Hope that it helps.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
I am providing my Google Apps Domain users content via Google Sites.
Furthermore I have 3rd party content which I would like to integrate. This content needs to be secure and available only to the Google Apps Domain users.
I have implemented openid which authenticates that the users are from my domain. I consider the users to be "stupid" so I wish to avoid any access request pages, which also makes my site look rather unprofessional / unpolished.
I can see the security setting under my personal account here:
https://www.google.com/settings/security
Is there anything in the SDK which will allow me upon user creation to add the necessary account permissions?
Hypothetically if you can host your 3rd party content on Google app Engine (GAE) and all your users reside in your Google Apps Domain it is possible to set Authentication Type to "Google apps Domain" More about GAE authentication can be found here
Do not forget to deploy GAE under same Google apps Domain account
Authorization protocols like OpenID and OAuth have been deliberately designed to require explicit user confirmation of access privileges. Any mechanism that bypassed user intervention would effectively be a security exploit. I'd recommend you save yourself time and frustration by accepting that you're not going to get around that interstitial authorization page.
For better or worse, scope authorization pages have become a well-established part of the modern web application landscape. Users these days routinely confirm authorization dialogs for Facebook, Google+, LinkedIn, and Twitter access without batting an eyelash. Your less savvy users may not recognize it as such, but using existing security mechanisms is a sign of greater professionalism than rolling your own.
I am planning to allow users to login to a website I am developing using their social network logins. Probably using one of the multi-provider services such as Janrain, OneAll, LoginRadius. What I want to know is, if a user of my site is already logged into their social network site when they visit my site, how do I go about automatically signing them in? The example I have come across that does this is goodreads.com.
I've developing in ASP.NET MVC3 but I would welcome any explanations/examples on how I go about this in any technology or even just the theory.
I'm working at OneAll and I'm glad to answer your question.
After a user has logged in with Social Login, you create a new account in your database, you log the user in and you set a cookie.
When the same user comes back in a couple of days, you detect that he has a cookie and you use the cookie information to automatically log him him and you refresh the cookie.