SPA login via twitter, access twitter API

Let me preface this by saying I am a very new user of auth0, and likely have not not understood OAuth correctly.

I am trying to build a react SPA, which allows a user to log in via twitter, and then analyses the tweets from their timeline. I would like for this analysis to continue to happen in the background, while the user is not logged in.

I’m not sure what the correct way of structuring my API/auth is. I need to allow the SPA to authenticate on twitter, and access the backend. The backend then also needs to be able to retrieve that users’ twitter token, to access the twitter API.

  1. Can I allow the implicit grant flow of a SPA, and then somehow use the corresponding access token to retrieve the twitter token?
  2. Can I use the code grant on the backend, and somehow pass the appropriate token on to the SPA?
  3. Something else?

Are there any examples of code doing this?

Your SPA application will be able to authenticate users with Twitter, get an id token with the user information (no email in the case of Twitter as of now), and get an access token issued by Auth0 to access your backend API (see API authorization). This is so that you can make secure calls between the SPA and the backend.

For better security, the SPA should not try to get the Twitter access token directly in the browser, and instead talk to its backend API, and let the backend handle the communication with Twitter.

On the backend, you can access Auth0’s Management API to get the user’s Twitter access token (see Identity Provider Access Tokens). You will want to optimize this flow somehow with a cache to avoid having to look up the user’s Twitter access token on every request to your API though because if you do this you will most likely hit the Management API v2’s rate limits pretty quickly.

Because you can access the user’s Twitter access token directly from the backend you don’t need a separate authorization request to Auth0.

No examples of this particular use case, I’m afraid.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.