Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Twitter displays authorization dialog every time #29

Open
aderesh opened this issue Dec 25, 2022 · 1 comment
Open

Twitter displays authorization dialog every time #29

aderesh opened this issue Dec 25, 2022 · 1 comment

Comments

@aderesh
Copy link

aderesh commented Dec 25, 2022

Every time I call my passport.authenticate("twitter",...) for the same user, Twitter shows me the standard App wants to access your Twitter account. page. I do see my app in the Connected apps setting with the scopes I requested but still, the authorization page is shown every time.

The authorization page is shown one time only when I use passport-google-oauth20 or passport-facebook. With every subsequent passport.authenticate(...) call it just calls the redirect/callback without showing anything to the user. I would expect the same behaviour for Twitter. Is it possible to achieve this behaviour?

Version: 1.2.2

My configuration:

import { Strategy as TwitterStrategy } from "@superfaceai/passport-twitter-oauth2";
....
  passport.use(new TwitterStrategy({
    clientID: TWITTER_CLIENT_ID,
    clientSecret: TWITTER_CLIENT_SECRET,
    callbackURL: "/auth/twitter/redirect",
    clientType: "confidential"
  }, async (accessToken, refreshToken, profile, done) => {
    console.log("> twitter profile: ", profile);
    ///.....
  }));
router.get("/twitter", passport.authenticate("twitter", { scope: ['tweet.read', 'users.read'] }));

router.get("/twitter/redirect", passport.authenticate("twitter"), (req, res) => {
  res.status(200).json({ success: true });
});

Btw, thanks for the amazing library!
@jnv
Copy link
Collaborator

jnv commented Dec 25, 2022

Hi @aderesh! To my knowledge, whether the authorization dialog is shown to the user is completely controlled by the provider. I don't know about any specific parameter or other way to prevent the dialog from showing up (see the docs), but it's possible we're missing something – and then I'd be happy to fix it. If you know about some other Twitter OAuth 2.0 client library where this works as expected, I'll take a look.

If it's feasible for your project, you can prevent user reauthorization by requesting a refresh token and keeping the access token refreshed.

  • Add offline.access scope to your authenticate call
  • In you verify callback, you will receive refreshToken
  • You can use the refresh token to issue a new access token (see docs, you can use e.g. passport-oauth2-refresh or our OneSDK)
    • in my testing the refresh token was valid for a few days (while access token is valid only for ~2 hours)

You could either refresh the access token periodically, or try to refresh it as a last resort before forcing a reauthorization.

Keep in mind that unlike with other providers, refreshing invalidates both the old access token and the old refresh token, you will get both anew.

@jnv jnv changed the title As a user, I have to Authorize the App every time I initiate log in (i.e. passport.authenticate("twitter",...)) Twitter displays authorization dialog every time Dec 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jnv @aderesh