Using an AccessToken that is already in use by another user? #21

aac opened this Issue Jul 9, 2010 · 5 comments


None yet
3 participants

aac commented Jul 9, 2010

Is there a way to access the AccessToken returned from the OAuth provider before/after a save/update_attributes fails due to the AccessToken already belonging to a different user?

I'd really like to be able to query the API using the new AccessToken so that I can, e.g., pull the user name of the AccessToken to present in the error message, so that instead of saying:
"Sorry, that Twitter account is already linked", I could say "Sorry, the Twitter account [username] is already linked."


lancejpollard commented Jul 9, 2010

Good Question. I've been thinking about ways to do this, nothing in stone yet.

One thing, the AccessToken shouldn't ever belong to a different user, that would be a bug. Do you mean "the user already has logged in with that service" instead?

Could you describe the exact flow of events you have in mind so I can better figure something out?



aac commented Jul 9, 2010

Do you mean "the user already has logged in with that service" instead?

Yes. The token doesn't ever seem to get created. But, in theory, we've got the credentials at this point, right? That's how we know the user is already connected? So we could make, say, a mock-token to make API calls with, without actually saving the token to the DB?

Flow of events:
User A is connected to Network X.
User B is connected to Network Y.

User B tries to edit his account, to add credentials for Network X,
using the same authentication as User A, so User B POSTS to user#update,
which redirects to the Network X's OAuth process, which eventually leads back
to user#update.

User#update's user.update_attributes call will set result as false, and the record
will not be updated, because the authentication for Network X is already in use (by User A).

At this point, I want to update the flash with [username for the authentication with Network X],
in other words, with data from the authorization that I have been given, but which has not been
saved because it conflicts with an existing User.

Did that make any sense?


lancejpollard commented Jul 9, 2010

Hey! Nice examples, makes things clear.

Flow of events:

  • User A is connected to Network X.
  • User B is connected to Network Y.
  • User B tries to add credentials for Network X, using the same authentication as User A.

I was thinking that's what you meant. How is that possible? It doesn't seem like that should even be possible. For example, take Twitter...

  • User A is connected to Twitter
  • User B is connected to Facebook
  • User B tries to add credentials for Twitter, using the same Twitter username as User A.

I don't think you can even do that with OAuth, as that would mean you're allowing them to pass in their user name to twitter and go through oauth... Am I missing something?

I can see this working if you are trying to do the following. User A is trying to dupe the system and create User B (so, say, I can have two user accounts so I can get 10GB of email vs. 5GM :p), so User B tries to associate his Twitter account to User B but they've already added it to User A. Is that what you're describing?

If you are describing this create-multiple-accounts situation, I haven't thought about that, we'd have to sit down and work something out.

What are your thoughts?

avioing commented Aug 2, 2010

i had a brief discussion with andrew about a related issue, and i believe this is indeed about this "create-multiple-accounts" situations - at least, it is for me :).

let's say, the following is true:

  • Bob logs in via Twitter, an account is auto created mapped to his Twitter id / screen name
  • Some time later, Bob logs in via Facebook, and a new account is auto created. unfortunately, since we can't pull user email from Twitter, there is no way to auto map the two (unless we explicitly require the user to provide another piece of identifiable information in both cases). so, we effectively end up with two accounts
  • now Bob is in his Facebook-linked account, attempts to also connect it to Twitter. here is where according to the default behavior, the add action will fail because the Twitter id and/or token are already in use (mapped to an account)
  • one way to manage this is to use a highly manual, user driven, account merge process. which is ok, and it's pretty clean and simple

another is to attempt doing something automagically, like merging the two accounts - which has the potential to be ugly, but might work for most cases - and would provide a pretty seamless experience for most users



aac commented Aug 22, 2010

Did behavior for this change recently? Today's the first time I've poked around with it in a while; now, if I authorize an already-authorized account, it gets linked to the current user, and the other user loses its access token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment