Confusing and incorrect authentication/authorization logic


#1

If I have ‘Read, Write and Access direct messages’ and ‘Allow this application to be used to Sign in with Twitter’ enabled and I direct a new user to /authenticate, then it will not grant my application direct message access. Is this expected? It doesn’t make much sense to me, because the user is still presented with a screen that shows which permissions they are authorizing for the application.

Incorrect:
If I have ‘Read, Write and Access direct messages’ and ‘Allow this application to be used to Sign in with Twitter’ enabled and I redirect the user to the /authenticate URL, the screen will say that the application will not have access to direct messages. However, if the user has previously authorized direct messages for that application, the token Twitter returns after authentication does have direct message permissions (I am seeing ‘x-access-level: read-write-directmessages’ in the header).
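A check an application can run on its own side to notice the mismatch described in the post: compare the `x-access-level` value Twitter returns on an authenticated call against the level the consent screen showed the user. This is an added example, not code from the poster or from Twitter; the header name and the `read-write-directmessages` value are from the post, the ordering of the three levels and the helper names are assumptions of this example.

```python
# Added example (not the poster's code): flag a token whose reported access level
# exceeds what the user was shown when they consented.

# x-access-level values ordered by increasing privilege. Assumption of this example:
# the legacy API reports exactly these three levels.
ACCESS_LEVELS = ["read", "read-write", "read-write-directmessages"]


def access_level_permissions(level):
    """Expand an x-access-level value into the set of levels it implies.

    'read-write-directmessages' implies 'read-write' and 'read', and so on.
    """
    if level not in ACCESS_LEVELS:
        raise ValueError(f"unknown x-access-level: {level!r}")
    return set(ACCESS_LEVELS[: ACCESS_LEVELS.index(level) + 1])


def token_exceeds_consent(response_headers, shown_level):
    """Return the levels the token carries beyond what the consent screen showed.

    response_headers: headers from any API call made with the freshly obtained
    token (names matched case-insensitively).
    shown_level: what the consent screen displayed; for a /authenticate flow whose
    screen said there is no direct-message access that is 'read-write'.
    An empty list means the token matches the consent screen.
    """
    headers = {name.lower(): value for name, value in response_headers.items()}
    granted = headers.get("x-access-level")
    if granted is None:
        raise ValueError("response carries no x-access-level header")
    extra = access_level_permissions(granted) - access_level_permissions(shown_level)
    return sorted(extra)


# Constructed sample modelled on the poster's observation: the user came back through
# /authenticate (screen showed no DM access) but the token is direct-message capable.
SAMPLE_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "x-access-level": "read-write-directmessages",
}

if __name__ == "__main__":
    unexpected = token_exceeds_consent(SAMPLE_HEADERS, "read-write")
    if unexpected:
        print("token exceeds what the consent screen showed:", unexpected)
    else:
        print("token matches the consent screen")
```

An application that only needs the permissions it displayed can log or refuse such a token rather than silently using the broader access.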