Aaron Parecki

    Dropping Twitter Support on IndieAuth.com

    May 27, 2018

    I've made the difficult decision to drop support for Twitter authentication on IndieAuth.com. Some time last week, Twitter rolled out a change to the website which broke how IndieAuth.com verifies that a website and Twitter account belong to the same person.

    Since I am already in the process of replacing IndieAuth.com with two new websites (lots of discussion on the wiki), it is not worth the effort to do what it would take to fix this for IndieAuth.com.

    What Changed on Twitter.com

    In order to verify that you are the person behind the URL you initially type in, IndieAuth.com checks your website to find a link to a Twitter profile, then checks that Twitter profile to see if it links back to your website. If there is a match, then you'll see the green button for Twitter on IndieAuth.com.

    Twitter rolled out a change that prevents normal HTTP requests from returning actual HTML on Twitter profiles. I'm assuming this is part of their effort to fight bots, but it's unfortunate this use case got caught up in that mess. If you visit your Twitter profile in a browser and click "view source", you'll see something like this now.

    This is a delightful bit of HTML that sets a cookie via JavaScript and then reloads the page. Presumably this happens so quickly that normally you won't notice it.

    Fetching a profile URL with curl now returns an empty HTTP body.

    Even if I go through the hoops to make IndieAuth.com set cookies and refresh the page, there's no guarantee that they won't just change this again next week. I don't like playing these games, so instead I am just shutting off Twitter support in IndieAuth.com.

    Replacing IndieAuth.com

    The new version that you'll eventually use to sign in to the IndieWeb wiki is called IndieLogin.com. It is currently in beta, and is not available to other developers, but you can try signing in to the test page there right now. This new version gets around this Twitter problem by not even attempting to fetch Twitter profile pages in the first place.

    The new login flow works like this:

    • You enter your website on IndieLogin.com
    • IndieLogin.com finds your Twitter profile by checking all rel=me links for one matching twitter.com
    • IndieLogin.com shows you a button to authenticate with Twitter immediately (rather than first checking that your Twitter profile links back)
    • After you authenticate on Twitter and are redirected back to IndieLogin.com, it fetches your Twitter profile from the Twitter API
    • If your Twitter profile as reported by the API includes the initial website you started with, then you're authenticated

    This avoids the problem because IndieLogin.com never tries to fetch your Twitter profile HTML. Instead, it uses the API directly. This does mean that you can get into a situation where IndieLogin.com may prompt you with a Twitter button that can fail (if you are logged in to a different Twitter account than the one your website links to). However, it also speeds up the initial login prompt since it doesn't have to go check Twitter before showing you the login button first.
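
The check at the end of that flow, as an added example (not IndieLogin.com's code): the `api_profile` dictionary and its `screen_name` and `website` keys are hypothetical stand-ins for whatever the API returns after sign-in, and the sample page is constructed. It assumes URLs are compared by host and path only, and that the signed-in account must be the one the rel=me link names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RelMeParser(HTMLParser):
    """Collect href values of <a>/<link> elements whose rel includes "me"."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()
        if tag in ("a", "link") and "me" in rels and attr.get("href"):
            self.links.append(attr["href"])

def host_of(url):
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def canonical(url):
    """Host plus path without trailing slash; scheme is ignored (assumption)."""
    if "://" not in url:
        url = "https://" + url
    return host_of(url) + urlsplit(url).path.rstrip("/")

def linked_twitter_name(site_html):
    """Screen name from the first rel=me link to twitter.com, or None."""
    parser = RelMeParser()
    parser.feed(site_html)
    for href in parser.links:
        name = urlsplit(href).path.strip("/")
        if host_of(href) == "twitter.com" and name and "/" not in name:
            return name.lower()
    return None

def is_authenticated(start_url, site_html, api_profile):
    """api_profile stands in for the profile the API returns after sign-in."""
    wanted = linked_twitter_name(site_html)
    if wanted is None or api_profile["screen_name"].lower() != wanted:
        return False  # no rel=me link, or signed in to a different account
    return canonical(api_profile["website"]) == canonical(start_url)

# Constructed sample page for https://example.com/
SITE_HTML = ('<a rel="me" href="https://github.com/example">GitHub</a>'
             '<a href="https://twitter.com/Example_User" rel="me nofollow">Twitter</a>')
```
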

    Hopefully I'll be able to launch IndieLogin.com soon so that the lack of Twitter support on IndieAuth.com isn't too annoying. In the meantime, you can authenticate via GitHub or email on IndieAuth.com.

    #indieauth #indielogin #twitter
    Sun, May 27, 2018 5:01pm -07:00
    • Kevin Marks known.kevinmarks.com/profile/kevinmarks
      The workaround that unmung.com has used is that if instead of loading twitter.com/aaronpk you load twitter.com/intent/user?screen_name=aaronpk you get an mf1 h-card, proper rel=me and other xfn eg http://pin13.net/mf2/?url=https%3A%2F%2Ftwitter.com%2Fintent%2Fuser%3Fscreen_name%3Daaronpk #indieweb
      Wed, May 30, 2018 10:52am +00:00
    • Sebastiaan Andeweg seblog.nl
      😢
      Mon, May 28, 2018 5:51pm +00:00
    • eridius micro.blog/eridius

      @aaronpk Ugh, lately trying to visit twitter.com in Safari simply fails to load and I have to refresh to see the site. It looks like this is why (I guess their redirect isn’t working for some reason). Hard to believe they’d roll out something so hostile to people actually trying to visit twitter.com in a browser.

      Mon, May 28, 2018 2:33am +00:00
