I have successfully created custom policies on AAD B2C to support login via Twitter, which uses OAuth 1. It works fine on desktop.

However, I have found that Twitter users who are required to provide additional authentication (due to suspicious activity?) are unable to log in from a mobile device. This is reproducible on other websites, such as https://www.nicovideo.jp

Reproduction steps:

  1. Go to https://www.nicovideo.jp

    This should show up

  2. Try signing up with a suspicious Twitter account

  3. If you are on desktop, you should be redirected and prompted to log in through this page (not shown if the user is logged in or is not suspicious).

    Going down this road works fine.

    Instead, if you are on mobile (or have a user agent along the lines of
    Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Mobile Safari/537.36),
    you will be redirected to this page (api.twitter.com/login)

Currently, the only workaround seems to be to overwrite the user agent with a desktop value. Is there any other way (via AAD B2C) to solve this?

Related: Webapp oAuth redirects to api.twitter.com/login and gets 404, but only the first time
Unlike this issue, there is no jsessionid here.