I have recently deployed an application featuring Twitter OAuth.

My question/concern is that my service/application is geared towards artists, and, well, artists can be expressive and speak their minds. Speaking from experience here. :grin::innocent: As such, they tend to get their accounts suspended/banned for things they say on Twitter.

When that occurs, does this suspension impact their sign-in with my application as well via OAuth? That is, is a suspended Twitter (main site) user also suspended from using my application via their Twitter OAuth registration?

Thank you for any assistance/insight you can provide.

As far as I know, yes.

Thank you for your reply. That is my assumption/expectation as well, but I have not found any actual documentation to confirm this, which is what led me here. Do you by chance have a resource that provides additional information around this?

Hello again,

I wanted to check in with this issue. Is there a way we can escalate this to someone who would know to provide a more definitive answer?

This does pose a larger question for those applications dependent on OAuth2. Perhaps something to address in OAuth3. Consider that I am running a business where money is being transferred from these accounts, and these accounts can store value. If they are blocked for something that did not occur on my site/application, then this becomes a problem when they start complaining to me about not accessing their accounts and associated stored value.

Currently, the recommendation is to “chain” another OAuth2 provider (e.g. Microsoft/Google), but this is complex and not ideal.

It would be great to get clarity around this. Thank you for any continued assistance you can provide.


I’m not Twitter, so I definitely can’t speak for that.

No worries @IgorBrigadir I appreciate you taking the time and letting me know. I figured you are not a direct agent for Twitter (but if you were all the better :grin:). Rather, I was hoping we could escalate it somehow to find out. As these threads appear to lock after only 14 days, that does sort of put a timer on things to find out, hence my urgency. I guess I can nag-bump here until it’s resolved.

FWIW I have tried pinging TwitterDev on Twitter itself in the past, but it seems they are so overwhelmed that they cannot answer.


If you’re concerned about third-party authentication locking users out of your site, you should provide email/password as an authentication method.

Thank you for the reply @abraham. I am aware of email/password but I, unfortunately, find them more trouble than they are worth. Doing so forces me to be a custodian of information that can be hacked/leaked/sold.

I have been thinking about this further, and @abraham does provide an interesting path to explore.

Note that in addition to the issues mentioned earlier, email/password as an authentication method allows actors to automate account creation, which is arguably just as bad as storing information that can be targeted by a breach. While I could attempt to protect against this scenario by way of CAPTCHA, it is not well liked and hinders the overall experience (there are Geico commercials making fun of it, after all).

I would very much prefer to simply route that to the OAuth2 provider, as they are much better aware, prepared, and hardened for such a scenario. Not to mention, they provide better protection with the use of SMS/phone and the like.

OK, that stated, while email/password is not an authentication method for my system, I do allow users to register email addresses for notifications (note that this is opt-in and not forced on the user upon sign-in).

Additionally, I do offer the ability to register a two-factor application such as Authy. So the idea is: if authentication occurs and is successful via the OAuth2 provider, but the profile is suspended/blocked, then I would offer a screen that allows the user to further confirm via registered email or 2FA. If either of these methods passes, then the user is marked as authenticated for their current session.

However, testing this is a bit tricky. I would ideally need to create a profile and set it to suspended status and test from there.

(Also note that it is still unclear if this issue even exists as no one has been able to conclusively state what exactly happens when a profile is in a suspended state. :slight_smile: )

Any further guidance/suggestions would be appreciated.

FWIW branching this issue out for amplification/assistance:
(I cannot post actual links boo)

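The step-up fallback sketched in the post above (provider login either succeeds or comes back with a suspension, and only then is an enrolled second factor consulted), worked through as an added example. This is not code from the thread, from Twitter, or from aspnet-contrib. It assumes a constructed provider callback reduced to a dict with a `status` field (the exact error Twitter returns for a suspended user is not established in the thread), a local account record keyed by the provider's stable numeric user id, and a TOTP secret bound at enrolment (RFC 6238, SHA-1, 30 s step, 6 digits). The names `LocalAccount`, `login`, and `verify_totp` are illustrative.

```python
"""Step-up fallback for a social login whose provider has suspended the user.

Added illustration, not code from the thread or from any Twitter library.
Assumptions: the provider's callback is reduced to a constructed dict with a
"status" field; the app keeps a local record keyed by the provider's stable
user id with an optional TOTP secret bound at enrolment (RFC 6238, SHA-1,
30 s step, 6 digits).
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

STEP = 30
DIGITS = 6


@dataclass
class LocalAccount:
    provider_user_id: str              # stable id from the provider, never the screen name
    totp_secret: Optional[bytes] = None
    last_totp_counter: int = -1        # highest counter already accepted (replay guard)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int) -> str:
    """RFC 6238: HOTP over the 30-second time step containing `at`."""
    return hotp(secret, at // STEP)


def verify_totp(acct: LocalAccount, code: str, at: int, window: int = 1) -> bool:
    """Accept a code for the current step or one step either side, once only."""
    if acct.totp_secret is None:
        return False
    counter = at // STEP
    for c in range(counter - window, counter + window + 1):
        if c < 0 or c <= acct.last_totp_counter:
            continue                   # already consumed (or pre-epoch): refuse replay
        if hmac.compare_digest(hotp(acct.totp_secret, c), code):
            acct.last_totp_counter = c
            return True
    return False


def login(provider_response: dict, accounts: dict, claimed_user_id: Optional[str] = None,
          totp_code: Optional[str] = None, now: int = 0) -> tuple:
    """Return (outcome, user_id); outcome is "authenticated",
    "needs_second_factor", "authenticated_fallback", or "denied"."""
    status = provider_response.get("status")
    if status == "ok":
        # Normal path: trust the id the provider asserted, nothing the user typed.
        return ("authenticated", provider_response["user_id"])

    if status == "suspended":
        # Fallback path (assumed provider error). The user only *claims* an id
        # here, so it is worth nothing until a locally enrolled factor confirms it.
        acct = accounts.get(claimed_user_id)
        if acct is None or acct.totp_secret is None:
            return ("denied", None)    # no enrolled factor: never auto-create an account
        if totp_code is None:
            return ("needs_second_factor", claimed_user_id)
        if verify_totp(acct, totp_code, now):
            return ("authenticated_fallback", acct.provider_user_id)
        return ("denied", None)        # same answer as "unknown account": no enumeration

    return ("denied", None)            # any other provider error: fail closed


if __name__ == "__main__":
    # Constructed data: the RFC 6238 test secret and one enrolled account.
    secret = b"12345678901234567890"
    accounts = {"1234567890": LocalAccount("1234567890", totp_secret=secret)}
    print(login({"status": "ok", "user_id": "1234567890"}, accounts))
    print(login({"status": "suspended"}, accounts, "1234567890"))
    print(login({"status": "suspended"}, accounts, "1234567890", totp(secret, 59), 59))
    print(login({"status": "suspended"}, accounts, "1234567890", totp(secret, 59), 59))  # replay
```

Two design points matter more than the TOTP arithmetic: the fallback only activates for an account that enrolled a factor while the provider login still worked, so a suspension can never be used to create or take over an account, and a consumed code is recorded so the same one-time value cannot be replayed inside the acceptance window. An email-link fallback fits the same `login` shape: replace `verify_totp` with a lookup of a single-use, expiring token sent to the address the account registered earlier.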

Bumping for awareness.

Well the folks at aspnet-contrib aren’t really all that aware of what happens on a suspended account, either.

I am half-way tempted to create a burner account and partake in some dubious activities to get to the real dirt on this topic. :stuck_out_tongue:

It’s super surprising that no one really knows anything about this… :man_shrugging:

There are existing reports that suspended users cannot authenticate with your app.


Bummer… I don’t like the answer, but I definitely like and appreciate you taking the time to help out, @abraham. I’m like @dragon_khoi and would like to see if there’s some way of getting this rectified/addressed/changed/improved. As more and more sites onboard to OAuth, this is going to become more and more of a concern, especially if you are keeping people from being able to access stored value/monies.

It would also further be useful/valuable to be able to test with a configured suspended/banned account to validate our own user signin experiences.

Moved my new question here:

Thank you again to @abraham + @IgorBrigadir for all your help here. :+1:
