Do I have to share the twitter consumer key and consumer secret for reverse auth?


I have a mobile app that uses to obtain a user’s access token and access token secret. When I ship those to my server and try to authenticate with Twitter, it only works if the mobile app shares the same consumer key and secret. This can’t be right.

Is this a bug in my implementation somewhere or is this by design?

I’ll debug and possibly get a detailed repro if this is not by design.


The applications should be one and the same. Reverse auth is really meant for “services” that have “client applications” – the client application is an extension and representation of your service, but the relationship between your application and the Twitter user is really one between the Twitter user and your service. The access tokens you’re “phoning home” to your server need to be associated with the application record that represents your service, so you can persist them and move freely between using them server-side or client-side.
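As an added illustration of why the answer above holds (this is not code from the thread or from Twitter): the OAuth 1.0a signature a server puts on a request is keyed with the consumer secret and the token secret together, so an access token minted under the mobile app's consumer key only verifies when the server signs with that same app's credentials. Python; the credential values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
import uuid
from urllib.parse import quote

# Constructed placeholder credentials for the service's own Twitter app record (not real values).
SERVICE_CONSUMER_KEY = "service-consumer-key-PLACEHOLDER"
SERVICE_CONSUMER_SECRET = "service-consumer-secret-PLACEHOLDER"


def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars stay bare)."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0a signature base string: METHOD&enc(url)&enc(sorted params)."""
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items())
    )
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret.
    Because the consumer secret is part of the key, a token issued to one app
    cannot be used by a server signing with a different app's secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_credentials_header(access_token, access_token_secret,
                              consumer_key=SERVICE_CONSUMER_KEY,
                              consumer_secret=SERVICE_CONSUMER_SECRET,
                              nonce=None, timestamp=None):
    """Authorization header the server would send to GET account/verify_credentials
    using a token the mobile client phoned home, signed with the service's app credentials."""
    url = "https://api.twitter.com/1.1/account/verify_credentials.json"
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or uuid.uuid4().hex,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": access_token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign("GET", url, oauth, consumer_secret, access_token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
```

Signing the same token with a different consumer secret yields a different signature, which is exactly the mismatch Twitter rejects when the server and the mobile app use separate app records.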


Thanks, we’ll do that.

Note that FB does something different and maybe you guys want to revisit this. They give you a single token that can be shared across applications for authentication. This means you can cut off a client without cutting off the service.

If you also think about it - a third party may develop an application that logs into your service and wants to leverage the nice sign-in without having to use web views; would you really want them to run with the same client IDs?