Twitter api authorization of my application

Question

I am using this twitter api library and so far everything is great. My problem (well not really a problem more a user experience) is that every time you want to sign in with twitter you need to open a popup.

Right now the flow is this:

• User clicks on the sign in with twitter logo on my page.
• Javascript induced popup comes up with the the twitter Oauth stuff on it. If you are logged in all it says is login and cancel. If you are not it has login fields.
• If everything is good it goes to a callback url that I supply. does a bunch of stuff and then..
• I call window.opener and pass the authenticated info and from there I close the window.

This was surprisingly easy to implement and works great. I'm wondering if the twiiter login process can be a little more like the facebooks which would be this.

• User clicks on the sign in with twitter logo on my page.
• If the user is logged in and has autorized the app the popup window will popup go away instantly and chuck the user data back to my page.

I do realize that I am using a php library for twitter and the facebook flow is from the javascript side but I am wondering if I can detect, with php, if the user has already allowed the app and is signed in, for them bypass the extra signin/cancel click.

Answer 1

Try using the "Sign in with Twitter" flow. If the user is already authenticated, it's a one click operation. The linked doc above has a flowchart and description of the process, but I'll list the steps here (with emphasis added) as well, and link in the relevant API pages:

"Sign in with Twitter" is the pattern of authentication that allows users to connect their Twitter account with third-party services in as little as one click. It utilizes OAuth and although the flow is very similar, the authorization URL and workflow differs slightly as described below.

The normal flow dictates that applications send request tokens to oauth/authorize in Twitter's implementation of the OAuth Specification. To take advantage of "Sign in with Twitter", applications should send request tokens received in the oauth_token parameter to oauth/authenticate instead.

The oauth/authenticate method will act in different ways depending on the status of the user and their previous interaction with the calling application:

1. If the user is logged into twitter.com and has already approved the calling application, the user will be immediately authenticated and returned to the callback URL.

2. If the user is not logged into twitter.com and has already approved the calling application, the user will be prompted to login to twitter.com then will be immediately authenticated and returned to the callback URL.

3. If the user is logged into twitter.com and has not already approved the calling application, the OAuth authorization prompt will be presented. Authorizing users will then be redirected to the callback URL.

4. If the user is not logged into twitter.com and has not already approved the calling application, the user will be prompted to login to twitter.com then will be presented the authorization prompt before redirecting back to the callback URL.

Hopefully this fits the bill and will work for you.

Answer 2

I had the same problem with Facebook API once but got it working by checking the cookies generated by the API to see if there are entries there that might give a hint if a user is logged in. I'm not sure about Twitter but in the case of Facebook, the presence of the cookie alone means a user is already logged on the current application. Since they both use Auth they might use the same procedure. But of course I'm just guessing. Better take a look for yourself to confirm.

Great question, by the way. +1