I am new to OAuth 2.0 and reading up on it. I tried using OAuth 2.0 for my app with the 37signals site and ran into a problem. Not sure if it's as designed. Anyway, here is what I see.

  1. User is already logged into 37signals site.
  2. My app starts the OAuth flow by redirecting him to the 37signals site.
  3. An authorization page appears asking the user if he is okay with granting access to my app.
  4. User approves and is brought back to my app. (An access token is also available)
  5. Now, user logs out of 37signals site.
  6. User tries to use my app. My app starts the OAuth flow by redirecting him to the 37signals site.
  7. The user logs in using login screen.
  8. He is again shown the authorization page. Shouldn't this be skipped since the user approved it the first time? Or is this as designed?

Anyway, this does not seem very user friendly to me, i.e. showing the approval page every time after logout.

I noticed similar behavior with Twitter as well. I initially posted a similar question while using a Node.js OAuth library. Then I thought it's a general OAuth 2.0 question: everyauth always triggers authorization


1 Answer

Upon initial authentication, the authentication provider, in this case 37signals, will provide an authentication token. In company with your application key, you can use the user's token to authenticate them subsequently, following the initial authentication. It's customary for OAuth providers to expire authentication tokens over time, in which case you would need to have your user re-authenticate.
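The point of the answer is that step 6 should not restart the authorization flow at all: the token obtained in step 4 is kept server-side, keyed by the app's own user, and reused until the provider expires or rejects it. The following is an added illustration, not code from everyauth, 37signals or the poster; the store, the function names and the expiry values are assumptions.

```javascript
// Added example: reuse the access token from the first authorization instead
// of redirecting the user to the provider every time. The token is a bearer
// credential, so it lives in a server-side store (constructed in-memory Map
// here), never in a cookie or in client-side code.
const tokenStore = new Map(); // appUserId -> { token, expiresAt (ms) }

// Called once, when the provider redirects back with the token (step 4).
// expiresIn is the provider's lifetime in seconds; assumed to be given.
function saveToken(userId, token, expiresIn, now = Date.now()) {
  tokenStore.set(userId, { token, expiresAt: now + expiresIn * 1000 });
}

// Called when the user returns to the app (step 6). Only starts a new
// authorization flow when no usable token exists for this user.
function nextAction(userId, now = Date.now()) {
  const entry = tokenStore.get(userId);
  if (!entry) {
    return { action: 'start_oauth_flow', reason: 'no token stored' };
  }
  if (entry.expiresAt <= now) {
    tokenStore.delete(userId); // stale credential: drop it before re-authorizing
    return { action: 'start_oauth_flow', reason: 'token expired' };
  }
  return { action: 'call_api', token: entry.token };
}

// The provider may reject a token early (user revoked access, logged out
// of a session the token was bound to, etc.). A 401 from the API means the
// stored token is no longer trusted, so discard it and re-authorize.
function handleApiResponse(userId, statusCode) {
  if (statusCode === 401) {
    tokenStore.delete(userId);
    return 'start_oauth_flow';
  }
  return 'ok';
}
```

Whether the consent page appears again on that re-authorization is up to the provider; the app's job is simply not to ask for a new token while it still holds a valid one.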