Authorization/Authentication with twitter stateless?


#1

Hello,

I’ve searched the web and twitter API documentation about stateless/sessionless oauth process and haven’t found one.

Is there any way to use Twitter OAuth without the need for sessions.
E.g. what would be in case of load balancing or session hijacking?

Thanks!!


#2

Can you describe more about what you mean? Where do you want the lack of sessions or state, on the Twitter side or on your website’s side?

The OAuth sequence doesn’t require the use of sessions as far as I know. Since you can dynamically create your oauth_callback on the request token step, you can include everything you need to pick up state without a session by encoding it within the (signed) callback URL. Then when the user is redirected back to your site, the callback URL they land on contains all the information you need to identify them.

However, sessions would be very helpful in scoping access permissions for your current user.


#3

I already figured it out. I haven’t thought this through (kinda dumb and embarrassing on my behalf).
All the implementations I’ve seen are saving the request secret oauth token in the user’s session.
I object that since there can be a chance of session hijacking.
But if you remove the token from the session data after the authorization/authentication process completed, it’s not that big of a deal :slight_smile:

Thanks again!


#4

Is this still the recommended way to achieve this?

The implementation instructions say to store the oauth_token and oauth_token_secret at the redirection stage, and then to verify the oauth_token received at the callback stage.

Is there a secure way to do this by adding things to the callback URL (which appears to be what is suggested in this thread)? Surely it’s not safe to put the auth_token_secret in the callback URL – it’s secret, after all. It could be encrypted with a secret known only to the web application…?


#5

Looking again, I don’t think this is possible. The callback URL has to be given along with the signed call to /oauth/request_token. And it’s the response which would come back from this which has the data we’d need to encrypt and encode in the URL to statelessly retain it until the callback stage.

Am I missing something, or is this impossible to do statelessly?

To answer @episod’s question, by stateless we mean with no session or other storage on the server side corresponding to the current user.


#6

Honestly you’re talking about a ~6 year old discussion thread here - this is not something that I’m aware that Twitter had enabled in the meantime.


#7

Yes, I’m aware of the age and I’m aware that nothing has probably changed.

The ex-staff member who posted above never fully understood the question, and the person who opened the thread decided a (stateful) workaround would do. So there’s no resolution as far as I can see.

What I’m asking is whether there’s any stateless way to use the Twitter user authentication feature. I think not, but am asking out loud here because I could be wrong.

If there’s indeed no way, it would be nice if Twitter would finally catch up with the other authentication providers and provide OAuth2. I see in the feature request thread for that that people have been asking for it regularly since 2011.