Dan

Reputation: 12096

Twitter abraham twitteroauth constantly asking for permission

I'm using abraham / twitteroauth to allow users to log in via their Twitter accounts. At the moment I can create the link, have them go to the link, authorize permission for the app to use their details, return to the site and save their user_id and access tokens as expected.

This is fine and works well, however when a user then logs out (clears sessions, cookies, etc) and then clicks the "sign in with Twitter" button, it then asks them for their permission again even though the app is already registered in their apps and has that permission. Should it not just sign them in again?

Login link generation using Code Igniter so ignore syntax

$connection = new TwitterOAuth(TWITTER_CONSUMER_KEY, TWITTER_CONSUMER_SECRET);

$request_token = $connection->oauth('oauth/request_token', array('oauth_callback' => RETURN_WEBSITE_URL));

$twitterOauth = array(
    "oauth_token" => $request_token['oauth_token'],
    "oauth_token_secret" => $request_token['oauth_token_secret'],
);

$this->session->set_userdata($twitterOauth);
$this->twitterLoginUrl = $connection->url('oauth/authorize', array('oauth_token' => $request_token['oauth_token']));

Return function

$request_token = [];
$request_token['oauth_token'] = $this->session->userdata('oauth_token');
$request_token['oauth_token_secret'] = $this->session->userdata('oauth_token_secret');

if (isset($_REQUEST['oauth_token']) && $request_token['oauth_token'] !== $_REQUEST['oauth_token']) {
    die("This isn't right.");
}

$connection = new TwitterOAuth(TWITTER_CONSUMER_KEY, TWITTER_CONSUMER_SECRET, $request_token['oauth_token'], $request_token['oauth_token_secret']);
$access_token = $connection->oauth("oauth/access_token", array("oauth_verifier" => $_REQUEST['oauth_verifier']));

What am I doing incorrectly?

Upvotes: 1

Views: 560

Answers (1)

abraham

Reputation: 47833

Twitter API supports two sign-in flows: 3-legged authorization and Sign in with Twitter. The main difference between them is that Sign in with Twitter will automatically redirect back to the application if the user has previously authorized the application.

The technical difference is that 3-legged uses GET oauth/authorize while Sign in with Twitter uses GET oauth/authenticate.

Your code implements GET oauth/authorize, so yes, it is expected that the users have to authorize every time. If you do not want returning users to authorize, you have to switch to GET oauth/authenticate.

Upvotes: 10
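
The switch described in the answer, applied to the question's login link and paired with a callback check that fails closed, as an added example that is not part of the original posts or of the twitteroauth project. The function names `signInUrl` and `consumeCallback` and the `$session` array (standing in for the CodeIgniter session) are assumptions; the library calls are the ones already used in the question.

```php
<?php
// Added example; not code from the question or from the twitteroauth project.
use Abraham\TwitterOAuth\TwitterOAuth;

// Step 1: obtain a request token and build the redirect URL.
// $session stands in for the framework's session store (assumption).
function signInUrl(TwitterOAuth $connection, string $callbackUrl, array &$session): string
{
    $requestToken = $connection->oauth('oauth/request_token', ['oauth_callback' => $callbackUrl]);
    $session['oauth_token'] = $requestToken['oauth_token'];
    $session['oauth_token_secret'] = $requestToken['oauth_token_secret'];
    // oauth/authenticate (Sign in with Twitter) instead of oauth/authorize.
    return $connection->url('oauth/authenticate', ['oauth_token' => $requestToken['oauth_token']]);
}

// Step 2: check the callback before exchanging anything. Fails closed when a
// parameter is missing, and consumes the stored request token so it is single-use.
function consumeCallback(array &$session, array $query): array
{
    $token    = $session['oauth_token'] ?? null;
    $secret   = $session['oauth_token_secret'] ?? null;
    $returned = $query['oauth_token'] ?? null;
    $verifier = $query['oauth_verifier'] ?? null;
    unset($session['oauth_token'], $session['oauth_token_secret']);

    foreach ([$token, $secret, $returned, $verifier] as $value) {
        if (!is_string($value) || $value === '') {
            throw new RuntimeException('Missing OAuth callback parameter');
        }
    }
    // Constant-time comparison of the returned token with the one issued to this session.
    if (!hash_equals($token, $returned)) {
        throw new RuntimeException('oauth_token does not belong to this session');
    }
    return ['oauth_token' => $token, 'oauth_token_secret' => $secret, 'oauth_verifier' => $verifier];
}

// Constructed sample values, not real tokens.
$session = ['oauth_token' => 'req-token', 'oauth_token_secret' => 'req-secret'];
$ok = consumeCallback($session, ['oauth_token' => 'req-token', 'oauth_verifier' => 'v123']);
echo 'accepted verifier: ', $ok['oauth_verifier'], PHP_EOL;

$session = ['oauth_token' => 'req-token', 'oauth_token_secret' => 'req-secret'];
try {
    consumeCallback($session, ['oauth_verifier' => 'v123']); // oauth_token absent from callback
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The array returned by `consumeCallback` supplies the token, secret and verifier for the `new TwitterOAuth(...)` and `oauth/access_token` calls shown in the question's return function.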
