splix / grails-spring-security-twitter

Twitter Authentication plugin for Grails

Twitter authentication page showed on each attempt to connect with Twitter #17

Closed keibro closed 11 years ago

keibro commented 11 years ago

Upon pressing the 'Connect with Twitter' link, the Twitter authentication page is displayed each time - even if the application has already been authorised to use my Twitter account.

The same behaviour is displayed in the example project (grails-twitter-authentication-example).

The grails-spring-security-facebook plugin appears to work differently in that once the application has been authorised, the user is not directed to the Facebook authorisation page, but directly to the application.

As with the Facebook plugin, it would be preferable for the login process to verify the authentication token 'silently' and direct the user to the application once the token has been authenticated.

splix commented 11 years ago

It's required to always redirect to Twitter (for a lot of reasons, for example the user has changed their password, or removed the app's access). Same for Facebook, if you're using server-side authentication. But Facebook handles this situation slightly better: it redirects back if everything is OK, and does it very fast, so in most cases users don't notice such redirects.

So, it cannot be fixed on plugin side.

keibro commented 11 years ago

Once the authentication token is stored, I think it should be possible to verify the authentication token held by calling Verify Credentials.

If this verification fails, the old stored auth token can be discarded, and the authentication process must be completed again. If verification succeeds, the user appears to remain within the application.

Similarly, the Twitter4J library exposes the verifyCredentials() method for this purpose:

http://twitter4j.org/javadoc/twitter4j/api/UsersResources.html#verifyCredentials()

(Thanks for the quick response - btw!)

splix commented 11 years ago

Yes, we can verify credentials, but in this case the user should already be authenticated. Otherwise how do we get his credentials, if it's just an anonymous HTTP request?

keibro commented 11 years ago

Would it be possible to store a cookie with reference to the user (and the Twitter token)?

Upon attempting to login, if the cookie exists, the verifyCredentials method is called - all going well, the user is logged into the application as the user associated with that token.

This would probably mean that the site is run under HTTPS to secure the cookie.
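The flow proposed in the two comments above (verify a persisted token with Twitter4J's verifyCredentials(), discard it on failure, otherwise treat the user as logged in) as an added illustration in Java. This is not code from the plugin or from Twitter4J's own examples; it assumes the application has already persisted the access token and secret from a completed OAuth login together with the Twitter user id it was issued for (the StoredTwitterToken holder and the Outcome enum are hypothetical names introduced here), and that the caller looks that record up from whatever identifies the returning visitor, which is the part the plugin cannot do for an anonymous request.

```java
import twitter4j.Twitter;
import twitter4j.TwitterException;
import twitter4j.TwitterFactory;
import twitter4j.User;
import twitter4j.conf.ConfigurationBuilder;

/**
 * Silent re-verification of a previously stored Twitter access token.
 * Added example, not part of grails-spring-security-twitter.
 */
public class SilentTwitterVerify {

    /** Hypothetical persisted credential saved after the first OAuth login. */
    public static final class StoredTwitterToken {
        final long twitterUserId;
        final String accessToken;
        final String accessTokenSecret;

        StoredTwitterToken(long twitterUserId, String accessToken, String accessTokenSecret) {
            this.twitterUserId = twitterUserId;
            this.accessToken = accessToken;
            this.accessTokenSecret = accessTokenSecret;
        }
    }

    /** What the caller should do with the stored token after the check. */
    public enum Outcome {
        VERIFIED,        // token still valid and belongs to the expected user: log the user in
        TOKEN_INVALID,   // Twitter rejected it (revoked access, password change, id mismatch): delete it, run full OAuth
        TRANSIENT_ERROR  // network / rate limit problem: keep the token but do NOT log the user in silently
    }

    public static Outcome verifyStoredToken(String consumerKey, String consumerSecret,
                                            StoredTwitterToken stored) {
        // Build a Twitter4J client that signs requests with the stored user token.
        Twitter twitter = new TwitterFactory(new ConfigurationBuilder()
                .setOAuthConsumerKey(consumerKey)
                .setOAuthConsumerSecret(consumerSecret)
                .setOAuthAccessToken(stored.accessToken)
                .setOAuthAccessTokenSecret(stored.accessTokenSecret)
                .build()).getInstance();
        try {
            // One authenticated call; Twitter answers 401 if the token is no longer acceptable.
            User twitterUser = twitter.verifyCredentials();
            // The token must still map to the account we stored it for.
            if (twitterUser.getId() != stored.twitterUserId) {
                return Outcome.TOKEN_INVALID;
            }
            return Outcome.VERIFIED;
        } catch (TwitterException e) {
            if (e.getStatusCode() == 401) {
                return Outcome.TOKEN_INVALID;
            }
            // Anything else (timeouts, 5xx, rate limiting) says nothing about the token itself.
            return Outcome.TRANSIENT_ERROR;
        }
    }

    /** Example wiring; the key/secret values are placeholders, not real credentials. */
    public static void main(String[] args) {
        StoredTwitterToken stored = new StoredTwitterToken(
                12345L, "ACCESS_TOKEN_PLACEHOLDER", "ACCESS_SECRET_PLACEHOLDER");
        Outcome outcome = verifyStoredToken(
                "CONSUMER_KEY_PLACEHOLDER", "CONSUMER_SECRET_PLACEHOLDER", stored);
        switch (outcome) {
            case VERIFIED:
                System.out.println("establish the Spring Security session for user " + stored.twitterUserId);
                break;
            case TOKEN_INVALID:
                System.out.println("delete the stored token, then redirect to Twitter for a fresh OAuth login");
                break;
            default:
                System.out.println("fall back to the normal Twitter redirect; keep the stored token");
        }
    }
}
```

The three-way outcome matters: only a definite 401 should cause the persisted token to be discarded, because treating a transient failure as revocation forces a needless re-authorisation, while treating it as success would log someone in without Twitter having confirmed anything. Whatever identifies the returning visitor (the cookie suggested above) must be sent only over HTTPS with the Secure and HttpOnly flags, since possession of it is what selects the stored token.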

splix commented 11 years ago

Probably you have to use the RememberMe filter for such stuff. I don't think that it's a task for the Twitter Authentication plugin.

keibro commented 11 years ago

Good suggestion. I will look further into hooking into the RememberMe filter.

Many thanks for your feedback.