Authenticate -> Authorize -> Authenticate loses DM access

justunfollow · 2011-10-30T22:53:26.000Z

We use twitter login as well as allow users to manage their accounts from within our application. Now we have the following scenario in one of our apps :

User logs in using twitter (we use /authenticate)
User add a twitter account (we use /authorize since we need dm access)
User can login any time to the application again ( /authenticate)

After this if the user logs in to our application again using the same account, we lose access to the direct message. The solution is to only use /authorize but then it displays the twitter screen every time a user tries to login to our application.

Is this the expected flow? I understand if the flow was /authorize -> /authenticate then the DM access stays. But what if the flow is /authenticate -> /authorize -> /authenticate ?

justunfollow · 2011-11-01T12:14:00.000Z

Anything on this? I have to use /authorize for signin request and it’s a big pain since the authorize window is displayed each time a user logs in.

episod · 2011-11-01T13:57:07.000Z

I’ll look into this a bit for you – a few questions:

Can you share any additional parameters you might pass to the oauth/request_token step or oauth/authorize or oauth/authenticate steps? If you could just list all the parameters you send, it’ll be helpful.
What’s the default authorization level set on your application record at this time?
Are you sure the users who are being shown the authorization screen on /oauth/authenticate have an existing access token at read-write and direct message level permissions (and not just read-write permissions) – have you done a accounts/verify_credentials request on their behalf and examined the HTTP headers indicating the access level granted?

Thanks

justunfollow · 2011-11-01T15:02:00.000Z

I was trying to find the exact scenario. Seems like very simple to replicate:

/authorize
Log out of twitter
/authenticate (now what happens is twitter displays signin screen with changed permissions)
When user signs in to twitter, the access level goes back to RW

This happens only if the user trying to sign in is logged out of twitter and is presented with the signin screen on /authenticate . If the user is already logged in to twitter then this does not happen.

The default authorization of our app is RWD , and it works well, we’re able to retrieve DMs. Only when the above scenario occurs does the DM access disappear for a users token.

We do not send any extra params to oauth/request_token apart from our callback URL.

episod · 2011-11-01T17:55:07.000Z

What’s “log out of Twitter” in this scenario? Do you completely sign out of Twitter? Does /authenticate not simply re-direct if you don’t log out first? (Trying to narrow the problem area down to whether this only happens when the login sequence is additionally invoked within the OAuth sequence)

justunfollow · 2011-11-01T19:06:00.000Z

“Logout of twitter” - Yeah, completely sign out of twitter. If you do not logout /authenticate simply redirects and everything works fine.

The scenario to be clearer is:

App has RWD access
User is presently not logged in to either twitter.com or the third party app
When user click the ‘sign in with twitter’ button, the app would redirect them to /authenticate
Since user is not logged in to twitter, twitter displays a “Sign In” screen where it explicitly lists out the permissions needed (which in this case would be just RW)

Let me know if you need to know anything. Simply put, if there is any app out there that needs RWD and also offers ‘sign in with twitter’ then they will lose access to ‘D’ once the above scenario occurs.

justunfollow · 2011-11-01T19:06:00.000Z

“Trying to narrow the problem area down to whether this only happens when the login sequence is additionally invoked within the OAuth sequence”

Yes, that’s the exact case when this happens.

justunfollow · 2011-11-02T14:15:00.000Z

anything on this?

episod · 2011-11-02T18:13:36.000Z

Still investigating; a bug is filed with our team. It won’t be fixed in the extremely short-term.

Out of curiosity, for which product features does JustUnfollow utilize DM permissions?

justunfollow · 2011-11-02T19:59:00.000Z

it’s not for justunfollow… it’s for our new app http://www.buffr.com

justunfollow · 2011-11-02T20:10:00.000Z

I presume this bug would affect all apps that need RWD and provide ‘sign in with twitter’. Most wouldn’t realize the error, or probably end up prompting users for DM access every time this bug occurs

But I’m also interested in seeing how you guys end up fixing this bug. Since the current sign in window explicitly mentions that "Direct Message’ permission would not be granted, my suggestion would be to specify somewhere informing the user that this holds true only if DM access is not already granted.

justunfollow · 2011-11-09T13:59:00.000Z

Hi,

Sorry to be pestering you but any news if this would be fixed soon?

episod · 2011-11-14T14:50:05.000Z

There’s no news on with this will be fixed yet; it’s a filed bug awaiting prioritization. I will continue to look after it to see that it gets prioritized.

justunfollow · 2011-11-14T18:39:00.000Z

thank you so much

CodeInChaos · 2011-11-15T06:14:42.000Z

I’ve noticed this problem as well, following the same flow as @justunfollow …

CodeInChaos · 2011-11-15T06:23:39.000Z

also another by-product of this issue is that the /authenticate screen will now always prompt the user to sign in whether they’ve previously approved the application or not, which breaks the whole “login with twitter” experience …

kmore · 2011-11-26T21:26:00.000Z

Would really like this to get addressed. Any updates.?

A fix would very much help us out on a project we’re nearing the end of.

Thanks guys.

karimawad · 2011-11-27T16:35:01.000Z

I’d also like to find a resolution for this. Excited to get the login flow worked out for our apps as well.

Thanks for looking into this!

GrabInbox · 2011-11-28T19:28:18.000Z

The worst thing about this bug is that not many notice it. And unless your users are really enthusiastic about giving feedback, you as the app developer would have a hard time realizing that your application is facing this problem.

IMO, this should be fixed on priority.

justunfollow · 2011-12-07T04:12:07.000Z

@episod anything on this? This is such an important thing as it breaks the oAuth flow. Users are displayed the sign in screen on every login and it’s annoying them