This repository has been archived by the owner on Feb 14, 2020. It is now read-only.

Too much information sent on login #32

Open
andretietz opened this issue Dec 18, 2017 · 1 comment

andretietz commented Dec 18, 2017

Hey there,

At the moment I am building an Android library which is supposed to decouple authentication from the providers themselves.

https://github.com/andretietz/auth

I wanted to create a Parse auth client using my already implemented Twitter credential provider, which provides me the token and the token secret.

You're sending this for each login:

  • consumerKey -> The AppId created on Twitter
    • This could be fine, since the user could've created multiple apps in the Parse (back4app) backend
  • consumerSecret -> A secret no one should see, except the backend itself and the client (to authenticate against Twitter itself), but it should not be sent in any additional requests. I don't even see the need for this
  • userId -> If it's a Parse-internal one, this could be OK; if not, it shouldn't be necessary
  • screenName -> Shouldn't be necessary at all. What is that used for? If the user uses Twitter as an alternative login, the username should be set already (why send it then), and if not, it should take the username from Twitter directly
  • token/secret -> With this you can get the screen name and any other info you need from Twitter on the backend side.

What do you need these for:
consumerSecret? userId? screenName?

@montymxb

This section regarding the REST API in the docs may be of interest to you.
