Hi there,
I want to build a new online service that relies on users to authenticate with their Twitter ID. I don't require anything but their ID. No need for their tweets, follows, lists, etc. Just to have them identify with their Twitter handle. I'm currently using OAuth2 with the most minimal scope I could reach, by just asking for the 'users.read' scope, but that still requires the users to consent to my service accessing "Any account you can view, including protected accounts.", which I actually don't need.

Is there a way to rely on Twitter's excellent network and have it, scoped down, identify the users for me without asking for any user information other than their Twitter account IDs?
I tried playing with and omitting the scope values, without any success.

Thanks

1 Like

I think tweet.read and users.read are currently the minimum scopes you can get away with. Would be great to only have a single restricted “login only” one maybe.

The formal way to propose changes to the API is here: GitHub - twitterdev/open-evolution: Open evolution proposals for the Twitter API, if you want to get someone from Twitter to consider it.

Thanks Igor for confirming that it's not possible. I feared I had just missed some of the API options.
I will also follow your suggestion to ask for it on the GitHub page.

1 Like

Try using only offline.access as a scope. Modifying the Step 2 example URL seems like it works.

1 Like
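Added example (not part of the thread and not Twitter's own code): a sketch of building the consent URL with a chosen scope list, such as the single `offline.access` scope suggested above, while generating a random `state` and an S256 PKCE challenge and checking the callback before the code is used. The endpoint URL, the client ID placeholder and the `app.example` redirect URI are assumptions, not values from this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Assumption: Twitter's OAuth 2.0 authorize endpoint (not quoted on this page).
AUTHORIZE_ENDPOINT = "https://twitter.com/i/oauth2/authorize"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43-128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes):
    """Build the consent URL; keep the returned state and verifier in the session."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce_pair()
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # request only what the service needs
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }, quote_via=quote)
    return f"{AUTHORIZE_ENDPOINT}?{query}", state, verifier


def extract_code(callback_url, expected_state):
    """Return the authorization code; reject denied consent or a foreign state."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]
```

The `code_verifier` returned by `build_authorize_url` is what the service later sends with the code when exchanging it for a token.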

Thanks Abraham. This might be slightly better than the users.read permission. I'll give it a go and see how it works out. It still shows somewhat cryptic information in the consent form (see below), which may discourage potential users who are concerned about what the app might really get access to.

For me, the ideal would be a scope that clearly states that the only thing the app gets is your Twitter login name (and maybe the Twitter user ID number) and that's it. For example, GitHub has user:email (which only exposes the user's email address) and Google has user:email, which also just shares the user's email, in their respective OAuth2 scopes.

Hope we can get this functionality with Twitter's API in the near future as well.

1 Like
