kratos
kratos copied to clipboard
ory
feat: Provider Twitter
Add twitter as an identity provider and required changes to accommodate it.
Related issue(s)
#2116
Checklist
- [x] I have read the contributing guidelines.
- [x] I have referenced an issue containing the design document if my change introduces a new feature.
- [x] I am following the contributing code guidelines.
- [x] I have read the security policy.
- [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security. vulnerability, I confirm that I got green light (please contact [email protected]) from the maintainers to push the changes.
- [ ] I have added tests that prove my fix is effective or that my feature works.
- [x] I have added or changed the documentation.
Further Comments
Hi @mfzl
I looked into this PR a bit and there are a lot of changes to the other providers with the implementation of OAuth1.0 flows. Why do we need to use OAuth1.0 here?
Can we not use Authorization Code Flow? https://developer.twitter.com/en/docs/authentication/oauth-2-0/user-access-token
Hey @Benehiko
Thank you for checking into this.
It's a bit confusing what you can do with Twitter OAuth 1.0a and OAuth 2.0. As of now there's no way to retrieve user profile information with email without falling back to OAuth 1.0a AFAIK. That's the main reason.
The closest endpoint we have is this https://developer.twitter.com/en/docs/twitter-api/users/lookup/api-reference/get-users-me#Optional
Here's the endpoint that allows retrieving user's email, which requires OAuth 1.0a
https://developer.twitter.com/en/docs/twitter-api/v1/accounts-and-users/manage-account-settings/api-reference/get-account-verify_credentials
And the changes are necessary to make the Provider interface generic as I've briefly highlighted in the linked issue.
Hi @mfzl
Maybe we should rather rely on the Twitter v2 endpoint which uses OAuth2.0 flows instead. This would then be a cleaner implementation. We can then request the user to add their email (if required by the Identity Schema) through the registration flow after they have logged in through twitter - but this is up to the person implementing Kratos.
https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-with-google-facebook-github--openid-connect--oauth-20-1
@aeneasr what do you think?
That would break user expectations given how Login with Twitter is implemented and used in the wild. Which as I understand (as limited as it may be) is a big deal when it comes to user experience.
It would also make it less useful to people migrating over to Kratos using Twitter authentication currently.
It's also one of the reasons why V2 is not being used a lot in the wild for authentication. They'll get there eventually (hopefully). From my readings though, they don't have any plans to deprecate the current API, meaning it's here to stay.
Some references:
https://github.com/supabase/gotrue/blob/6de5ec1e65f9a904207d4ae054db4d677da4158b/api/provider/twitter.go#L23
https://www.passportjs.org/concepts/authentication/twitter/
https://auth0.com/rules/get-twitter-email
Hey @mfzl
Thank you for explaining. I understand the reasoning and use case now. Maybe we can implement the v2 APIs for now in this PR which can be merged relatively quickly, since it will just reuse what the other OAuth2.0 providers use.
Then after that we can look into implementing v1 for email support. But for this we would need to look into using official libraries or come up with a list of alternatives.
@Benehiko how about we send a new PR for v2. You could close this one if you feel that's the best way forward.
@Benehiko how about we send a new PR for v2. You could close this one if you feel that's the best way forward.
Alright, let's do that then! :)
Unfortunately I don't think it's possible because of this issue https://github.com/golang/oauth2/issues/534
@arekkas coreos/go-oidc isn't this for OIDC providers. Twitter v2 is not an OIDC provider, just OAuth 2.
Hello guys! What's status of this PR, do you plan to fix the issues and merge it? Twitter is really missing, but as far as I know oauth1 is the only option for 3rd-parties, it provides OAuth2 only for Twitter clients.
Codecov Report
Merging #2117 (74a8a3c) into master (d9c8217) will decrease coverage by
0.62%. Report is 1043 commits behind head on master. The diff coverage is29.56%.
@@ Coverage Diff @@
## master #2117 +/- ##
==========================================
- Coverage 75.27% 74.65% -0.62%
==========================================
Files 294 297 +3
Lines 15629 15812 +183
==========================================
+ Hits 11764 11805 +41
- Misses 3033 3175 +142
Partials 832 832
| Files Changed | Coverage Δ | |
|---|---|---|
| selfservice/strategy/oidc/oauth1.go | 0.00% <0.00%> (ø) |
|
| selfservice/strategy/oidc/provider_apple.go | 0.00% <0.00%> (ø) |
|
| selfservice/strategy/oidc/provider_auth0.go | 0.00% <0.00%> (ø) |
|
| selfservice/strategy/oidc/provider_config.go | 35.55% <0.00%> (-1.66%) |
:arrow_down: |
| selfservice/strategy/oidc/provider_discord.go | 0.00% <0.00%> (ø) |
|
| selfservice/strategy/oidc/provider_facebook.go | 0.00% <0.00%> (ø) |
|
| selfservice/strategy/oidc/provider_github-app.go | 0.00% <0.00%> (ø) |
|
| selfservice/strategy/oidc/provider_github.go | 0.00% <0.00%> (ø) |
|
| selfservice/strategy/oidc/provider_gitlab.go | 0.00% <0.00%> (ø) |
|
| selfservice/strategy/oidc/provider_microsoft.go | 0.00% <0.00%> (ø) |
|
| ... and 11 more |
... and 1 file with indirect coverage changes
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}