Digg.com style oauth
I've been trying to figure out exactly how digg.com and other similar sites deal with authentication via oauth. Creating an account via oauth is pretty straight forward, the user clicks the twitter/facebook connect button which then digg sends our a secret and if everything works, this secret is returned and gets stored as the access token.
However, how does authentication work this way? When I click on the login via twitter button for example, a random secret is being sent to twitter. Does twitter instead return the prior access token or does digg get the twitter user id for example, compare it to a stored value in the db and then uses the stored access token from there?
For example: 1. user clicks login via twitter. 2. a secret is sent, twitter does some processing and returns info such as username/id/etc... 3. based on one of these return values, the db is polled and the user rows are loaded, authentication succeeds.
Am I way off on this? Can someone please enlighten me?
The following is based on Workflow provided by hueniverse:
User clicks on login through Twitter.
Digg requests from Twitter a Request Token (not User-specific, can be used by Digg to gain User approval from User to access User's information).
Digg receives the Request Token and redirects User to the Twitter OAuth User Authorization URL with RequestToekn and asks Twitter to redirect User back once approval has been granted.
OAuth requires that Service Providers (Twitter) first authenticate the User, and then ask them to grant access to the Consumer (Digg).
User enters username and password (if User has not logged in).
Twitter informs User of who is requesting access (Digg) and the type of access being granted. (I am not familiar with Digg, so take Stack Exchange as another example, it only asks for access to username.)
User approves.
Twitter marks the Request Token as User-authorized. User's browser is redirected back to Digg.
Digg uses the authorized Request Token and exchanges it for an Access Token (used to access Protected Resources. In case of Stack Exchange, username, though it sounds a little bit weird).
Digg is logged in through Twitter.
Here is an unofficial picture by me:
Above is based on the the Official Guide to OAuth 1.0, but according to Introducing OAuth 2.0:
OAuth 2.0 is a completely new protocol and is not backwards compatible with previous versions. However, it retains the overall architecture and approach established by the previous versions, and the same introduction (from the Official Guide to OAuth 1.0) still very much applies.
- Facebook Real-time Updates: (#2200) callback verification failed, code 2200
- FB.ui app request goes to a 4oh4.php error page when user clicks accept, how to fix?
- How to get all people who liked Facebook post?
- Facebook and Crawl-delay in Robots.txt?
- Facebook Webhook test send not working?
- How does Facebook disable the browser's integrated Developer Tools?
- Facebook key hash does not match any stored key hashes
- SwiftUI Facebook login popup wont close?
- How to add facebook's new comment system to blogger?
- Facebook - Twitter authentication - information merge
- Facebook graph how to set parameters for picture?
- WhatsApp template name does not exist in the translation
- Facebook crawler is hitting my server hard and ignoring directives. Accessing same resources multiple times
- Extract Links from Facebook activity feed
- Facebook Request for App Review. How to enable "Submit for Review" button
- Facebook meta developer blocked ngrok? Error Message "URL Blocked"
- Graph API: get user who comment on page post
- Error while creating test user on Facebook "The ability to create test users is disabled temporarily"
- Facebook login not working :ERROR: Android
- Facebook PHP SDK couldn't logout
- How do I get a React Native TextInput to maintain focus after submit?
- Facebook Graph API: How to set up On Behalf Of relationship with a client business?
- Login to Facebook API with known username and password
- Can't get Advanced Access to public_profile on a disabled app?
- What's the shebang/hashbang (#!) in Facebook and new Twitter URLs for?
- Issue installing R facebook HTTP 400
- error OAuthException "message": "mailbox requires the read_mailbox extended permission."
- How do I get Facebook id
- Collect comments of Facebook pages and groups not owned without an app for data science project
- Facebook sharing with a twist