Why passport-twitter requires session support


I'm working on Facebook, Google, GitHub, and Twitter authentication with Passport. Authentication with Facebook, Google, and GitHub works as the tutorial describes. Only Twitter returns this message:

500 Internal Server Error: OAuth authentication requires session support. Did you forget to use express-session middleware?

Then I added the express-session middleware (see below) and my problem went away.

import * as expressSession from "express-session";

app.use(expressSession({
    secret: strategyOptions.session.secret,
    resave: false,
    saveUninitialized: true
}));

So I have 3 questions:

  1. Why does Twitter authentication require session support?
  2. I had guessed that only my backend and frontend know about the session. How does Twitter know about my session?
  3. Why don't Google, Facebook, and GitHub need session support?

How to use passport-twitter without using session · Issue #96 · jaredhanson / passport-twitter: 500 Error: OAuthStrategy requires session support. Did you forget app.use(express.session())? #38. Error: OAuth authentication requires session support. Did you forget to use express-session middleware? Is there a way to fix without using session ????

1. Why does Twitter authentication require session support?

Authenticating with Twitter using OAuth 1.0a works like this:

(From https://medium.com/@robince885/how-to-do-twitter-authentication-with-react-and-restful-api-e525f30c62bb)

You'll notice there's a step where the server gets a request token from Twitter, and then sends the user to Twitter to authorize. When the user is redirected back to the site, the server will exchange the request token and a verification token for an access token. But the request token is not provided by Twitter when it redirects the user back to the site. So the server needs a way to save the request token when it first gets it, so that it can be retrieved when the user is redirected back. Sessions are used to save the request token.

2. I had guessed that only my backend and frontend know about the session. How does Twitter know about my session?

You're right, Twitter doesn't know anything about your session. A session is basically an ID stored in a cookie in the user's browser and also a set of data associated with that ID on the server. So the user sends the session ID when she makes a request (cookies are sent with all requests), and the ID is used to look up the data on the server.

Building on the answer from (1), the session ID is used to retrieve the request token when the user is redirected back to the site from Twitter. Twitter doesn't know (or care) how that request token is stored. You could potentially store it another way and Twitter wouldn't know the difference.

3. Why don't Google, Facebook, and GitHub need session support?

Google, Facebook, and GitHub are likely using OAuth 2 instead of OAuth 1.0a. OAuth 2 doesn't work the same way, and so doesn't require a request token to be stored. Twitter actually supports OAuth 2. However, it's used for application-only authentication and not application-user authentication. So you could use OAuth 2 to authenticate your application, and use the API as your application. But you can't use OAuth 2 to query the API on behalf of users. In other words, Twitter doesn't allow you to use OAuth 2 to authenticate your application to be used on behalf of users.
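The flow described in the answer above, as an added example that is not part of the original answer or of passport-twitter: a simulated provider and two handlers show what the session holds between the redirect and the callback (the request token and its secret), and why a callback arriving on a different session cannot finish the exchange. `fakeProvider`, `SESSION_KEY`, the provider URL and every token value are assumptions constructed for this sketch.

```javascript
// Added example: simulates the OAuth 1.0a request-token step; not passport-twitter's code.
// fakeProvider stands in for Twitter; all token values are constructed samples.
const SESSION_KEY = 'oauth:example'; // hypothetical session key for this sketch
const NO_SESSION = 'OAuth authentication requires session support.';

const fakeProvider = {
  issued: new Map(), // request token -> token secret, as the provider remembers them
  counter: 0,
  requestToken() {
    const n = ++this.counter;
    const pair = { oauth_token: `reqtok-${n}`, oauth_token_secret: `reqsecret-${n}` };
    this.issued.set(pair.oauth_token, pair.oauth_token_secret);
    return pair;
  },
  // The exchange only succeeds for a caller that holds the matching token secret.
  // 'verifier-ok' is a constructed stand-in for the verifier issued after user consent.
  accessToken(token, secret, verifier) {
    if (this.issued.get(token) !== secret || verifier !== 'verifier-ok') return null;
    this.issued.delete(token); // request tokens are single use
    return { access_token: `access-for-${token}` };
  },
};

// Leg 1: get a request token, park it in the session, send the browser to the provider.
function startLogin(req) {
  if (!req.session) throw new Error(NO_SESSION);
  const pair = fakeProvider.requestToken();
  req.session[SESSION_KEY] = pair;
  // Only the token travels through the browser; the secret stays server-side.
  return `https://provider.example/authorize?oauth_token=${pair.oauth_token}`;
}

// Leg 3: the browser returns with oauth_token and oauth_verifier in the query string.
function handleCallback(req) {
  if (!req.session) throw new Error(NO_SESSION);
  const saved = req.session[SESSION_KEY];
  delete req.session[SESSION_KEY]; // consume it whether or not the exchange succeeds
  if (!saved) throw new Error('no request token in this session');
  if (saved.oauth_token !== req.query.oauth_token) throw new Error('request token mismatch');
  const result = fakeProvider.accessToken(
    saved.oauth_token, saved.oauth_token_secret, req.query.oauth_verifier);
  if (!result) throw new Error('provider rejected the exchange');
  return result;
}
```

Because the stored pair is looked up through the session cookie, a callback URL replayed in another browser, or a second time in the same one, finds nothing to exchange.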

500 Error: OAuthStrategy requires session support. Did you forget , In order to support login sessions, Passport will serialize and deserialize user instance to and from the session. /config/passport-setup.js. config/… It turned out that that similar code works with facebook because passport-facebook uses OAuth 2.0 and passport-twitter uses OAuth 1 which requires session. So the problem is that we are not using session in our APIs. skeeet commented on Jun 6, 2013 So how do you solved that finally?

@C0dekid. In my case it was:

export const strategyOptions = {
  ...,
  session: { secret: process.env.SESSION_SECRET || 'SESSION redux-serviceauth-example' },
...};

How to set up Twitter OAuth using Passport.js and ReactJS, The existing login session and req.user will be unaffected. described above is that it requires two instances of the same strategy and supporting routes. According to the Passport docs you should be able to disable sessions when authenticating like so: passport.authenticate('twitter', { callbackURL: '', session: false }); When I do so I still get the following error: Error: OAuthStrate

Documentation: Authorize, Support for Twitter is implemented by the passport-twitter module. var passport = require('passport') , TwitterStrategy = require('passport-twitter').Strategy… Yes, sessions are required for any OAuth 1.0 based provider, in order to store the temporary credential used to verify the transaction. jaredhanson closed this Feb 27, 2014 lucabelluccini commented Feb 27, 2014 Is it possible in any way to drop this requirement?



Comments
  • 3) Google, FB, GH are different communities. They have other requirements regarding their APIs.
  • @BogdanSurai I too got the same problem. Can you please tell me what strategyOptions.session.secret contains?
  • @C0dekid I wrote a comment for you below.
  • Is this still accurate? Has Twitter moved to OAuth 2.0 yet? It's 2020.