On Tue, Dec 27, 2022 at 11:57 AM Stephen J. Turnbull <stephenjturnbull@gmail.com> wrote:
Mark Sapiro writes:
The last I looked into using Twitter as an OAuth2 provider, which was some time ago, it would not work because Twitter would not provide the user's email address via OAuth2. Possibly this could work if the user's name was her Twitter handle.
Yeah, but then I (@yasegumi@twitter) could log in as yasegumi@example.com and every other yasegumi in the world. There probably aren't any of those that aren't me, but of the 30 kids in my 6th grade class 5 were named something with the diminutive "Steve", and we also had one Stephanie. So I could log in as steve@turnbull.sk.tsukuba.ac.jp (that's me) or steve@xemacs.org (that's not me, I'm stephen@xemacs.org), or steve@any.old.com. Not good.
Also, I wouldn't trust Musk's Twitter with no security staff left to give out only confirmed email addresses. If they give out any address you gave them, then anybody can spoof anybody. So I would advise not using Twitter as an IdP under any conditions, unless it's to prove you own a Twitter handle.
Okay. Now I really don't want to add Twitter to my Social Account logins :-)
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
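
The account-linking concern raised in this thread, as an added example that is not part of the original messages and is not code from Mailman or any OAuth2 provider: matching a provider handle against the local part of an address selects several unrelated accounts, while linking only on an exact address that a trusted provider asserts as verified does not. All names here (`ProviderClaims`, `LOCAL_ACCOUNTS`, the two functions, the provider id `idp.example`) and all addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProviderClaims:
    """What a social login provider asserts about the user (hypothetical shape)."""
    provider: str                 # provider id, e.g. "twitter"
    subject: str                  # provider's stable user identifier
    handle: str                   # login/display name at the provider
    email: Optional[str] = None   # absent when the provider does not release it
    email_verified: bool = False  # True only if the provider says it confirmed it


# Constructed sample data: local accounts keyed by lower-cased email address.
LOCAL_ACCOUNTS = {
    "steve@example.com": "account-1",
    "steve@example.org": "account-2",
    "stephen@example.org": "account-3",
}


def link_by_handle(claims, accounts):
    """Unsafe: treat the provider handle as an email local part.

    Returns every local account the handle would unlock.
    """
    handle = claims.handle.lower()
    return sorted(acct for addr, acct in accounts.items()
                  if addr.split("@", 1)[0] == handle)


def link_by_verified_email(claims, accounts, trusted_providers):
    """Link only on an exact, provider-verified address.

    Returns the matching account id, or None when the provider is not
    trusted to verify addresses, released no address, or did not mark
    the address as verified.
    """
    if claims.provider not in trusted_providers:
        return None
    if not claims.email or not claims.email_verified:
        return None
    return accounts.get(claims.email.lower())
```

A login that returns `None` from `link_by_verified_email` can still be accepted as proof of owning the provider handle; it just must not be attached to an existing email-keyed account without a separate confirmation of the address.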