KFol9
#1
Hello!
I’ve implemented a custom OAuth2 Authorization Code Flow with PKCE to obtain an authorization token by redirecting the user to Twitter’s login page: (see auth-2-0/authorization-code)
- …/i/oauth2/authorize?response_type=code&…
My expectation when implementing this flow was the same as the documentation stated for the “Log in with Twitter” (guides/log-in-with-twitter#step-2).
Note: I am not using the “Log In with Twitter” flow but am referencing it.
- Signed in and approved: If the user is signed in on Twitter and has already approved the calling application, they will be immediately authenticated and returned to the callback URL with a valid OAuth request token. The redirect to Twitter is not obvious to the user.
- Signed in but not approved: If the user is signed in to Twitter but has not approved the calling application, a request to share access with the calling application will be shown. After accepting the authorization request, the user will be redirected to the callback URL with a valid OAuth request token.
- Not signed in: If the user is not signed in on Twitter, they will be prompted to enter their credentials and grant access for the application to access their information on the same screen. Once signed in, the user will be returned to the callback URL with a valid OAuth request token.
In the current implementation 2 & 3 hold true, whereas 1. does not apply. Even though the user has already authorized my app, once they click “Login” from my webpage, they’ll need to re-authorize.
I understand the documentation I quoted is from OAuth and I am using OAuth2. However, ideally the OAuth2 redirect would be seamless as documented for the OAuth flow.
Is there a way with the OAuth2 Authorization Code Flow with PKCE to make the redirect to Twitter on an already authorized app seamless?
A cross-reference to Discord’s OAuth2 login. As part of the Discord URL we direct the user to, one can pass a prompt query parameter to allow already authorized users to immediately redirect back.
prompt controls how the authorization flow handles existing authorizations. If a user has previously authorized your application with the requested scopes and prompt is set to consent, it will request them to reapprove their authorization. If set to none, it will skip the authorization screen and redirect them back to your redirect URI without requesting their authorization.
Thank you! 
Thanks for reaching out here. We’re just getting started with OAuth 2.0, and we’re hoping to continue building this out more. I’m going to go ahead and pass the feedback onto the team.
KFol9
#3
Hello 
Thank you for passing on the feedback to the team! I was wondering if you had a roadmap on implementing this feature.
We are assessing whether or not we should instead rebuild and use the OAuth 1 flow meanwhile or wait for this to be available on OAuth2.
Thank you!!
We don’t have an ETA or timeframe, but I’ll keep you posted if anything changes. You can additionally request this feature on our feedback tracker.