Integration of ASP.NET Forms Authentication with Twitter OAuth

Posted by Ahmad Barirani in Web Development, Sep 25

In a previous article, I proposed a custom Forms Authentication for Facebook Connect. The need for such a measure comes from the fact that both Forms Authentication and Facebook Connect use cookies as a means of authenticating users. Things are quite different with Twitter OAuth because it does not send any cookie to the browser: everything happens with HTTP requests. As a result, a Twitter application developed in ASP.NET can use Forms Authentication without being in conflict with Twitter OAuth’s own cookie system.

There is something else to consider with Twitter OAuth: the secret key is tied to the lifetime of the Twitter account. In fact, the secret key never expires, which means that the Twitter app can keep a user connected for as long as needed.

So the trick is that once the user has authorized your application to perform status updates, you make a call to 'http://twitter.com/account/verify_credentials.xml' to retrieve the user’s screen name. All you have to do then is call

FormsAuthentication.SetAuthCookie("Screen_Name", true);

to set the cookie on the user’s browser. If you want the user to be logged on for eternity (well, you can’t keep a user connected for more than a year), set the timeout value to whatever you feel is right in the web.config file as follows:

<authentication mode="Forms">
    <forms loginUrl="YOUR_LOGIN_PAGE" timeout="2880"/>
</authentication>

The secret key will have to be saved somewhere (like a DB) so that it can be used when the user comes back to your website. Of course, there should be a Logout button somewhere on your website. When the user asks to log out, simply call

FormsAuthentication.SignOut();

to have the cookie removed. Note: the next time the user wants to come back, he will have to go through the Twitter OAuth authorization process again, since that’s the only way your app will be able to authenticate the user.
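
The sign-in and secret-storage steps above, as an added C# example that is not part of the original post: it issues the persistent ticket explicitly so the cookie can be marked Secure and HttpOnly, and it encrypts the secret key before it is written to the DB. The class and method names are hypothetical, and the code assumes the site is served over HTTPS and runs on .NET 4.5 or later (for MachineKey.Protect).

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical helper: names are illustrative, not from the original post.
public static class TwitterFormsLogin
{
    private const string Purpose = "TwitterOAuth.SecretKey";

    // Call once verify_credentials has returned the user's screen name.
    public static void SignIn(HttpResponse response, string screenName, TimeSpan lifetime)
    {
        if (string.IsNullOrWhiteSpace(screenName))
            throw new ArgumentException("screen name required", "screenName");

        var ticket = new FormsAuthenticationTicket(
            1, screenName, DateTime.Now, DateTime.Now.Add(lifetime),
            true /* persistent */, string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // not readable from page script
            Secure = true,     // only sent over HTTPS
            Path = FormsAuthentication.FormsCookiePath,
            Expires = ticket.Expiration
        };
        response.Cookies.Add(cookie);
    }

    // Encrypts and MACs the secret key before it goes into the DB.
    public static string ProtectSecret(string screenName, string secretKey)
    {
        byte[] blob = MachineKey.Protect(
            Encoding.UTF8.GetBytes(secretKey), Purpose, screenName);
        return Convert.ToBase64String(blob);
    }

    // Throws CryptographicException if the stored value was altered
    // or was protected for a different screen name.
    public static string UnprotectSecret(string screenName, string stored)
    {
        byte[] plain = MachineKey.Unprotect(
            Convert.FromBase64String(stored), Purpose, screenName);
        return Encoding.UTF8.GetString(plain);
    }
}
```

Because the screen name is passed as a purpose string, a protected value copied onto another user's row fails to decrypt instead of handing that user the wrong account's secret.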

2 Comments to “Integration of ASP.NET Forms Authentication with Twitter OAuth”

  • Cannot read the blog post the site background almost hides the characters.

    • I guess you are using Internet Explorer 6, which doesn’t handle png transparency…try Firefox :)
