Upgrade Twitter OAuth to OAuth 2 #9398
Unanswered
danReynolds asked this question in Feature request
Replies: 2 comments
-
Any updates on this?
-
There's still a problem with this, but I think the FlutterFire cannot do anything. It's a problem related to
-
The Twitter firebase_auth integration currently uses the OAuth 1 flow where an application secret key must be provided in the social credential: https://github.com/firebase/flutterfire/blob/982bdfb5fbfae4a68e1af6ab62a9bd762891b217/packages/firebase_auth/firebase_auth_platform_interface/lib/src/providers/twitter_auth.dart.
Other Firebase social auth integrations like Facebook and GitHub are already on the OAuth 2 flow and don't require passing a secret key. The docs recommend using the Twitter Login package which currently requires passing in a secret key, but this is a security issue since the secret key is accessible from insecure clients like Flutter apps as described here: https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps.
The solution would seem to be to migrate the firebase_auth Twitter integration to use OAuth 2 since this is provided by the Twitter API: https://developer.twitter.com/en/docs/authentication/oauth-2-0/authorization-code.
I've been able to successfully sign in to Twitter using OAuth 2 on Flutter apps by just calling the APIs directly, but then there is no way to link the account to the Firebase user since the signInWithCredential API requires a Twitter credential with a secret key.
Let me know if that makes sense and how we could go about adding support for this. Thanks!
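Why the two flows differ on client secrets, as an added example (not FlutterFire's or the poster's code): OAuth 1.0a HMAC-SHA1 signing keys every request with the app-wide consumer secret, while an OAuth 2 authorization-code client, assumed here to use PKCE (RFC 7636), proves itself with a random verifier generated per sign-in. The endpoint, client id and redirect URI are constructed placeholders, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, urlencode

# Constructed placeholders, not real endpoints or credentials.
AUTHORIZE_URL = "https://auth.example.test/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "com.example.app://callback"

def oauth1_signature(base_string, consumer_secret, token_secret=""):
    """OAuth 1.0a HMAC-SHA1: the key embeds the app-wide consumer secret,
    so every client that signs requests has to ship that secret."""
    key = f"{quote(consumer_secret, safe='')}&{quote(token_secret, safe='')}"
    mac = hmac.new(key.encode(), base_string.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def s256_challenge(verifier):
    """PKCE S256 transform: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def pkce_pair():
    """Fresh random verifier per sign-in; nothing long-lived ships in the app."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43..128 limit
    return verifier, s256_challenge(verifier)

def authorization_url(challenge, state):
    """Step 1: the browser redirect carries only the challenge, never the verifier."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256"})

def token_request_body(code, verifier):
    """Step 2: a public client redeems the code with the verifier, no client_secret."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": verifier}

def server_accepts(stored_challenge, presented_verifier):
    """Authorization-server side: recompute the challenge and compare in constant time."""
    return hmac.compare_digest(stored_challenge, s256_challenge(presented_verifier))
```

An intercepted authorization code is useless without the matching verifier, which never leaves the device that started the sign-in.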