Is 3-legged Twitter Oauth supported?

[deadcoder0904]

I was just checking if I should use next-auth for 3-legged oauth using Twitter to reduce the amount of code I've written for oauth → https://github.com/deadcoder0904/twitter-api-v2-3-legged-login-using-next-connect

I am using a library called https://github.com/PLhery/node-twitter-api-v2

I was wondering if it is supported & what are the benefits of using this one over that one? I think that one gives more control & this one is more easier but would love to hear what you think?

[balazsorban44]

I think this is what we are already doing with https://next-auth.js.org/providers/twitter

[deadcoder0904]

@balazsorban44 i'll have to try it to see if they do the same thing. can you mention some benefits of this library over twitter-api-v2?

[balazsorban44]

no. I haven't used the other library, and generally have little experience with Twitter login, as I don't use it myself.

[deadcoder0904]

I just tried doing it but I think it's really different. next-auth only does provide simple social login but 3-legged oauth is completely different.

Would love to be wrong so lmk if it's possible (or maybe we can expect it as a feature in a future release 😉)

[balazsorban44]

I mean this is exactly what we are doing internally

https://developer.twitter.com/en/docs/authentication/oauth-1-0a/obtaining-user-access-tokens

you get the Twitter userinfo, as well as a oauth token.

I won't say I'm strong on the implementation details, but have you seen the jwt callback to see what do we return from the provider?

https://next-auth.js.org/configuration/callbacks#jwt-callback

I might be still wrong here, Twitter is the only provider that does not use OAuth 2 or OIDC, and at some point I hope they do, as we would like to get rid of the underlying library that weighs us down just for Twitter to work.

[deadcoder0904]

Oh, I guess, then you are right I suppose. Will try to make it work following https://spacejelly.dev/posts/how-to-authenticate-next-js-apps-with-twitter-nextauth-js/ & update the answer once I make it work :)

[balazsorban44]

here is a working example https://next-auth-example.vercel.app/

[SlinkyPotato]

Hi @balazsorban44

Where is the Access Token Secret stored in next auth?

Twitter allows you to obtain user access tokens through the 3-legged OAuth flow, which allows your application to obtain an access token and access token secret by redirecting a user to Twitter and having them authorize your application. This flow is almost identical to the flow described in implementing Log in with Twitter, with two exceptions:
1. The GET oauth/authorize endpoint is used instead of GET oauth/authenticate.
2. The user will always be prompted to authorize access to your application, even if access was previously granted.

In twitter's 3leg auth approach, there is an additional access token secret that is generated. I don't think twitter is going to deprecate their v1 endpoints any time soon.. so how can we make use of this value?

[balazsorban44]

it's part of account but depends on the context where you want to use it.

https://next-auth.js.org/configuration/callbacks#jwt-callback

https://next-auth.js.org/adapters/models#account

https://next-auth.js.org/providers/twitter

[deadcoder0904]

It works pretty well. Had a minor glitch figuring out custom signin pages as I thought of using Link with custom href or button with custom fetch but it turns out using getProviders in getServerSideProps was the way.

I did manage to make my code extremely small by offloading auth to next-auth. ~800 LOCs replaced with ~100 LOCs. See this commit.

This is the complete code on next-auth branch → https://github.com/deadcoder0904/twitter-api-v2-3-legged-login-using-next-connect/tree/next-auth

If you are logged in, it'll show the app in the root route /. If you are logged out, it will show login button on the same root route /.