"Cancel" button in oauth screen logs in the user on Twitter



My app is using https://api.twitter.com/oauth/authenticate to authenticate users.
I’ve noticed that if the user types their correct username and password in the oauth page, and then clicks “Cancel”, the page will say “You have not signed in to [appname]”, but the user is now logged in on Twitter.

Just to be clear, the user never clicks “Sign In”; in fact, the only button they click is “Cancel”.

Is this the expected behavior?



This is our current intended behavior. The act of clicking “cancel” and having provided their credentials is basically the same as revoking your application access. If an access token already existed between your app and the user, that access token would then be invalidated. Had the user already been logged in, the same would be true of the cancel button in that context.

They’re not signing in to your application, but they are signing in to Twitter.
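Added example (not code from the thread or from Twitter): how an app using oauth/authenticate can reconcile its own token store with the Cancel outcome described above. It assumes the deny/cancel redirect carries a `denied=<request token>` query parameter instead of `oauth_token`/`oauth_verifier`, and uses constructed in-memory stores in place of a database.

```python
from urllib.parse import urlparse, parse_qs

# Constructed stores for illustration: pending request token -> local user id,
# and local user id -> (access token, access token secret) from an earlier login.
PENDING_REQUESTS = {"req-abc": "user-42"}
ACCESS_TOKENS = {"user-42": ("acc-xyz", "acc-secret")}


def handle_callback(url: str) -> dict:
    """Classify an OAuth 1.0a callback and update local token state.

    Only tokens the app itself issued a request for are accepted; a callback
    naming an unknown request token is rejected rather than trusted.
    """
    q = parse_qs(urlparse(url).query)

    if "denied" in q:
        # Assumed parameter name for the user pressing Cancel on the Twitter page.
        # Per the thread, Cancel after entering credentials revokes the app's
        # existing access, so any stored access token for that user is now dead
        # and must be dropped locally too.
        req_token = q["denied"][0]
        user = PENDING_REQUESTS.pop(req_token, None)
        if user is None:
            return {"status": "unknown_request_token", "user": None}
        dropped = ACCESS_TOKENS.pop(user, None) is not None
        return {"status": "denied", "user": user, "dropped_stored_token": dropped}

    if "oauth_token" in q and "oauth_verifier" in q:
        req_token = q["oauth_token"][0]
        user = PENDING_REQUESTS.pop(req_token, None)
        if user is None:
            return {"status": "unknown_request_token", "user": None}
        # The verifier would next be exchanged at oauth/access_token (not shown).
        return {"status": "authorized", "user": user, "verifier": q["oauth_verifier"][0]}

    return {"status": "invalid", "user": None}
```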


Thanks for clarifying that.

Wouldn’t it be better if the button said “Revoke” rather than “Cancel”?

A user normally hits Cancel if they want to “stop and go back”, whereas your Cancel button actually completes the process.