Ok here is my question.
I understand the process of the OAuth protocol, however I have some confusion around it.
I’m trying to take advantage of DotNetOpenAuth.Here is where I don’t get things.
Suppose a user (a new user), attempts to login to my website using Twitter.
The process goes like this (feel free to correct me if I’m wrong):
- A request token is issued (if my ConsumerKey and ConsumerSecret are ok).
- Then an authorization token is issued and the user is redirected to Twitter.
- The user authorizes my application. And an access token is issued.
- I get the current user’s details and store them in the database (along with the access token).
So far, so good.
Now here is the confusing part. The user logs out. Then comes back and tries to authenticate with Twitter again. How do I determine his access token, If I can’t get his identity before I have the access token ? I have him in the database, however I can’t determine who he is, before he goes through the same steps all over again. I’m sure I’m missing something, and I’ll appreciate it if you point it out. I’m aware of the IConsumerTokenManager, I tried reverse engineering the InMemoryTokenManager and see how it works, but it’s still not clear.
Ah, the joys (ahem, lack thereof) of using an authorization protocol for authentication. I dislike OAuth for logging in. Grrr…
With that out of the way, let me clarify the flow a bit:
When later, an anonymous user visits your site and wants to log in, you start the flow all over. Only this time, since Twitter recognizes the user (after they log in if need be) Twitter will likely immediately redirect the user back to your application rather than ask the user to confirm the login. The request token will be authorized, you’ll exchange it for an access token, and you’ll use that to get the user’s data. Oh! Now you see that the data matches an entry already in your database, and you welcome your visitor back.