Twitter Authorization/Authentication in Servicestack asking to Authorize every time

When using GoogleOpenIdOAuthProvider, the authorization/authentication flow for Google is to authorize the first time, but each time thereafter it just authenticates. For instance:

  1. Website app goes to /auth/googleopenid
  2. Google prompts to authorise the app against the account, click Accept
  3. Sent back to app

If you logout and then go back to step (1), step (2) is skipped, as you would expect.

With TwitterAuthProvider, step (2) - having to click the “Authorize app” button - happens every time. This makes logging in with Twitter less convenient.

Is there a way to configure Twitter in Servicestack to work this way, or is it just a bug?

No, the Twitter OAuth behavior isn’t configurable, but once the user authenticates the first time it will set up an Authenticated UserSession, where they wouldn’t have to re-authenticate again until their UserSession expires, which can be customized by changing SessionFeature.DefaultSessionExpiry.

Demis, thank you for responding back. Not sure if I explained the scenario correctly. It seems that the issue is not with session expiry but how Twitter authentication is handled in ServiceStack.

Scenario A: I try to login to my web application using FB credentials for the first time; I get prompted with the FB authorization window, to which I say yes and then I am taken back to the application. I then logout of the application and re-login - FB authorization window does NOT popup and I am taken to the application directly.

Scenario B: I try to login to my web application using Twitter credentials for the first time; I get prompted with the Twitter authorization window, to which I say yes and then I am taken back to the application. I then logout of the application and re-login - the Twitter authorization window pops up EVERY TIME and I have to authorize it every time before I am taken to the application.

You can reproduce the behavior using the sample app: https://httpbenchmarks.servicestack.net/

Reading through the Twitter API documentation, it seems that we should be calling oauth/authenticate instead of oauth/authorize. I feel that I may be missing something in my code, or maybe it is a bug in ServiceStack?

From Twitter Website:
https://dev.twitter.com/oauth/reference/get/oauth/authenticate
This method differs from GET oauth / authorize in that if the user has already granted the application permission, the redirect will occur without the user having to re-approve the application.

You can change the Authorize URL to use by specifying it in your Web.config:

<add key="oauth.twitter.AuthorizeUrl" value="https://api.twitter.com/oauth/authenticate" />

Or in code when you register TwitterAuthProvider, e.g:

new TwitterAuthProvider(appSettings) { 
    AuthorizeUrl = "https://api.twitter.com/oauth/authenticate" 
}

But I’ve just tested this and all it does is add an extra hop redirecting to /oauth/authorize, e.g:

That’s weird about the additional hop, but surprisingly it fixed the issue. Very odd!!

Since it helps and doesn’t break existing functionality I’ve decided to use the alternative /oauth/authenticate endpoint by default from this commit.

So you won’t need to override the AuthorizeUrl in the next v4.0.56 release.
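To show how the two knobs discussed in this thread (the session lifetime from the first reply and the AuthorizeUrl override from the later one) fit together in a real AppHost, here is an added example of a ServiceStack v4 host that signs users in with Twitter via /oauth/authenticate and gates a service behind the resulting session. It is illustrative code written for this page, not code from ServiceStack or from the thread participants; the AppHost, ProfileService and GetProfile names, the app.example.com URLs and the placeholder key values are assumptions. It assumes Web.config carries the standard oauth.* appSettings keys listed in the comment. One caveat from Twitter's own documentation for oauth/authenticate: the approval screen is only skipped on repeat sign-ins if the Twitter app has the "Sign in with Twitter" setting enabled on its application record.

```csharp
using System;
using Funq;
using ServiceStack;
using ServiceStack.Auth;

// Hypothetical AppHost wiring for the scenario in this thread. Assumes Web.config
// carries the standard ServiceStack auth keys (placeholder values shown):
//   <add key="oauth.RedirectUrl"            value="https://app.example.com/" />
//   <add key="oauth.CallbackUrl"            value="https://app.example.com/auth/{0}" />
//   <add key="oauth.twitter.ConsumerKey"    value="CONSUMER_KEY" />
//   <add key="oauth.twitter.ConsumerSecret" value="CONSUMER_SECRET" />
public class AppHost : AppHostBase
{
    public AppHost() : base("Twitter Sign-in Demo", typeof(ProfileService).Assembly) { }

    public override void Configure(Container container)
    {
        // How long the authenticated UserSession lives before the user has to go
        // through /auth/twitter again (the knob mentioned in the first reply).
        SessionFeature.DefaultSessionExpiry = TimeSpan.FromDays(7);

        var twitter = new TwitterAuthProvider(AppSettings)
        {
            // Before v4.0.56 the provider defaults to /oauth/authorize, which makes
            // Twitter re-prompt for approval on every login. /oauth/authenticate
            // lets Twitter redirect straight back once the user has already granted
            // the app access. Redundant but harmless on v4.0.56+, where it is the
            // default, so it is safe to leave in place across the upgrade.
            AuthorizeUrl = "https://api.twitter.com/oauth/authenticate",
        };

        // Flow: browser hits /auth/twitter -> redirected to AuthorizeUrl with the
        // request token -> Twitter calls back to /auth/twitter?oauth_verifier=...
        // -> provider exchanges it for an access token and populates the session.
        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] { twitter }));
    }
}

[Route("/profile")]
public class GetProfile : IReturn<GetProfileResponse> { }

public class GetProfileResponse
{
    public string UserName { get; set; }
    public string DisplayName { get; set; }
    public string TwitterScreenName { get; set; }
}

// [Authenticate] returns 401 (or redirects to the login page for HTML requests)
// until the Twitter callback has created a UserSession for this client.
[Authenticate]
public class ProfileService : Service
{
    public object Get(GetProfile request)
    {
        // These fields are filled in by TwitterAuthProvider after the callback.
        var session = SessionAs<AuthUserSession>();
        return new GetProfileResponse
        {
            UserName = session.UserName,
            DisplayName = session.DisplayName,
            TwitterScreenName = session.TwitterScreenName,
        };
    }
}
```

With this in place, a user who has already approved the app once sees the behaviour the original poster wanted from Twitter: logging out and visiting /auth/twitter again bounces through Twitter and lands back on the app without the "Authorize app" screen, while the session itself still expires according to DefaultSessionExpiry.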
