Twitter API OAuth 2.0 - CORS / Postmessage
Hey guys,
We are currently working on implementing the Twitter API v2 and would like to authorize via the new OAuth 2.0 Authorization Flow.
Pretty much all OAuth flows of other sites allow an in-browser callback, either by passing redirectUri="postmessage" in the case of the Google login, or by tracking the OAuth window via window.open and then checking if the URI has changed to grab the auth code from the params. This is important to give the user immediate feedback on whether the authorization was successful or not.
Unfortunately it looks like Twitter doesn’t allow either of these methods, and blocks any tracking of the opened authorization window via its CORS policy. While I completely agree that the CORS policy should be in place for any other API call (in order to prevent clients from calling the API directly within the browser), I definitely think that it should be loosened for the authorization endpoint (https://twitter.com/i/oauth2/authorize).
It’s taken Twitter quite a while to step away from the outdated 3-legged auth flow, so it’s pretty important to get the OAuth 2.0 flow implemented properly so that developers can access it easily. So far there is not a single gem out there that helps to implement the OAuth 2.0 flow for Twitter, simply because there is no good option to have a direct callback. Please consider allowing this to work the same as all other services.
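The popup-plus-postMessage handoff the issue describes, written out as an added example (not code from the issue or from Twitter). It assumes the app's redirect_uri is a page on its own origin (APP_ORIGIN and REDIRECT_URI are placeholders), so that after the redirect the popup is same-origin with the opener; the opener then accepts the code only if the message origin and the `state` value match what it issued.

```javascript
// Added example: secure browser-side handoff of an OAuth 2.0 authorization code
// from a popup back to the opener. APP_ORIGIN / REDIRECT_URI are assumed values.
const APP_ORIGIN = "https://app.example.com";                  // assumption
const REDIRECT_URI = `${APP_ORIGIN}/oauth/twitter/callback`;   // assumption
const AUTHORIZE_URL = "https://twitter.com/i/oauth2/authorize"; // from the issue
const MSG_TYPE = "twitter-oauth-callback";

// Build the authorize URL. `state` binds the popup result to this browser session;
// code_challenge is the RFC 7636 PKCE parameter for the authorization code flow.
function buildAuthorizeUrl({ clientId, state, codeChallenge, scope }) {
  const u = new URL(AUTHORIZE_URL);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", REDIRECT_URI);
  u.searchParams.set("scope", scope);
  u.searchParams.set("state", state);
  u.searchParams.set("code_challenge", codeChallenge);
  u.searchParams.set("code_challenge_method", "S256");
  return u.toString();
}

// Popup side, after the provider redirected back to REDIRECT_URI: pull the
// code / state / error out of the callback URL's query string.
function parseCallback(href) {
  const p = new URL(href).searchParams;
  return { code: p.get("code"), state: p.get("state"), error: p.get("error") };
}

// Opener side: validate a `message` event. Anything not from our own origin, not
// carrying our state, or malformed is ignored (returns null) rather than trusted.
function acceptCallbackMessage(event, expectedState) {
  if (event.origin !== APP_ORIGIN) return null;
  const d = event.data;
  if (!d || d.type !== MSG_TYPE || d.state !== expectedState) return null;
  if (d.error) return { ok: false, error: String(d.error) };
  if (typeof d.code !== "string" || d.code === "") return null;
  return { ok: true, code: d.code };
}

// Browser wiring; skipped under Node so the helpers above stay runnable offline.
if (typeof window !== "undefined" && window.opener &&
    window.location.pathname === new URL(REDIRECT_URI).pathname) {
  // Target the opener's origin explicitly so the code never reaches another window.
  window.opener.postMessage({ type: MSG_TYPE, ...parseCallback(window.location.href) }, APP_ORIGIN);
  window.close();
}
```

On the opener, `window.addEventListener("message", e => acceptCallbackMessage(e, issuedState))` feeds a non-null result to the backend code exchange; the authorization code itself is still swapped for tokens server-side.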
Top GitHub Comments
Estimated to be another 10 years. https://stackoverflow.com/a/35898961/2602771
This is useful information, thanks for sharing the other implementations. Definitely all still in flux but we appreciate the input and data.