
Cross-domain OAUTH1 issue getting access tokens for Twitter API

  • 11-12-2015 2:25pm


    Hi

    I am working on a project where I need to authenticate a user's Twitter account and request access tokens for future use. The framework I am looking at is Satellizer and it does what it says on the tin.

    The complication is that I have an SPA (AngularJS) app that talks to a back-end REST API (CORS enabled, C#) - each living on separate domains (app.acme.com and api.acme.com) and I use JWT for authentication.

    For my particular setup OAUTH doesn't work, because the popup Twitter authentication window and subsequent redirect back to my web app from the REST API violates cross-domain requests from Twitter's end.

    I think it is because my web app initiates the authorisation flow with Twitter, but the callback URL points (as defined in Twitter's APP settings) to the REST API to process responses. Once the process is done, the pop-up window (which Satellizer handles, and should close automatically) doesn't do this because the callback domain (for API) is different from the app domain (WWW).

    One solution I attempted was to set the callback URL to post the Twitter responses back to the WWW instead of the API (which would maintain same-site integrity), and then do a redirect (using jQuery) and forward the tokens on to the API via a REST call for database capture, but this is not working.

    So I am not sure how to progress from here. The issue essentially appears to be cross-domain request violations.

    I suppose I have 2 options:
    • create a single domain app that users use to do Twitter authentication (WWW and API live on the same domain, but as separate applications), which is not ideal because I don't want them to have to log out/in to 2 apps.
    • The 2nd option is to merge the REST API and WWW back into a single app, but because of the size of the project and the architecture, this is really not a route I want to take.

    I am wondering if it is somehow possible to create a standalone OAUTH server - but not sure how it would work for opening up new windows and doing cross-domain requests.

    Any help/advice would be appreciated.
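
The second approach described in the post (callback URL on the app domain, tokens forwarded to the API afterwards) hinges on the popup handing the callback parameters back to the window that opened it, and on that window trusting only its own origin. The following is an added example, not code from the thread or from Satellizer; the origins, the `/auth/twitter/callback` path, the `twitterRequestToken` and `jwt` storage keys and the API endpoint are assumptions.

```javascript
// Added example (not from the thread or from Satellizer). The OAuth 1.0a
// callback page lives on the app origin (app.acme.com) and posts the callback
// parameters to the opener; the opener validates origin and token binding
// before forwarding to the API origin. Origins and paths below are assumed.
const APP_ORIGIN = 'https://app.acme.com';           // assumed SPA ("WWW") origin
const API_CALLBACK = 'https://api.acme.com/auth/twitter/callback'; // assumed

// Extract oauth_token and oauth_verifier from the callback query string.
// Returns null unless both are present, so a "denied=" callback is rejected.
function parseCallbackParams(search) {
  const params = new URLSearchParams(search);
  const token = params.get('oauth_token');
  const verifier = params.get('oauth_verifier');
  if (!token || !verifier) return null;
  return { oauthToken: token, oauthVerifier: verifier };
}

// Decide whether a message received by the opener may be trusted: it must
// come from our own origin (any page can call postMessage on an opener) and
// the token must equal the request token stored when the popup was opened,
// so a stray or replayed callback for a different session is dropped.
function acceptCallbackMessage(event, expectedToken) {
  if (event.origin !== APP_ORIGIN) return null;
  const d = event.data;
  if (!d || d.type !== 'twitter-callback') return null;
  if (typeof d.oauthToken !== 'string' || d.oauthToken !== expectedToken) return null;
  if (typeof d.oauthVerifier !== 'string' || d.oauthVerifier.length === 0) return null;
  return { oauthToken: d.oauthToken, oauthVerifier: d.oauthVerifier };
}

// Browser wiring; skipped when the file runs outside a browser (e.g. Node).
if (typeof window !== 'undefined') {
  if (window.opener && window.location.pathname === '/auth/twitter/callback') {
    // Popup side: deliver only to an opener that is on our origin, then close.
    const p = parseCallbackParams(window.location.search);
    if (p) window.opener.postMessage({ type: 'twitter-callback', ...p }, APP_ORIGIN);
    window.close();
  } else {
    // Opener side: request token was saved when the popup was opened.
    window.addEventListener('message', (event) => {
      const ok = acceptCallbackMessage(event, sessionStorage.getItem('twitterRequestToken'));
      if (!ok) return;
      // The API exchanges the verifier for the access token server-side
      // (the consumer secret never reaches the browser) and stores it.
      fetch(API_CALLBACK, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json',
                   Authorization: 'Bearer ' + sessionStorage.getItem('jwt') },
        body: JSON.stringify(ok),
      });
    });
  }
}
```

The request token and verifier are only useful together with the consumer secret, so the exchange for the long-lived access token stays on the API side, which is also where the CORS and JWT checks already are.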


Comments

  • awec


    I think the callback should be handled by your WWW, possibly all on the server side (might be simpler). Is there a requirement that it has to be a real SPA? I've seen plenty of SPAs have login / logout handled by separate pages with full post backs.

    OAuth can be a real pain because it's a nuisance to test. And when things go wrong it may not be obvious why.

