Email is not requested when x_auth_access_type parameter added

oauth
email

#1

When I authenticate any user, normally I can get the email of the user.

However, if I add the x_auth_access_type parameter while receiving the requestToken to change the permission level, the email is not received.

It does not even ask permission to receive email from the user. Normally x_auth_access_type should not be preventing email permission.

How can I receive the user’s email while using the x_auth_access_type parameter?

I’m using Node.js


#2

Interesting - this could be an edge case that wasn’t considered when the email grant was built… I’m not sure.

Can you walk me through your setup? I assume the following:

  1. Configured an app with, say, R+W access and permission to request email address, via apps.twitter.com
  2. Use the token “as normal”, then call verify_account with the email address parameter, and things work as expected.
    however…
  3. Override the access level to R, the user is not asked for permission to have the email address shared in the OAuth flow, and your app cannot retrieve it either.

Is that a valid description and understanding?


#3

Thank you for your reply.
Yes, your description is correct.
Actually, at first I configured my app with RO access and permission to request email address. I didn’t add the x_auth_access_type parameter and things worked well. Then I overrode the access level with W, and the email permission is not asked for and I couldn’t get it.

While trying to find what I did wrong, I also tested the case exactly as you said. I mean I changed the app permission to RW access and I overrode it with R. The result is the same.

I guess when the authentication service sees the x_auth_access_type parameter in the request, it completely overrides the app settings and acts according to the value of the parameter. This complete override also includes the email permission, sadly. It shouldn’t override the email permission, or it should give me an option to indicate I also want email permission while I’m using the x_auth_access_type parameter. For example, the field would be set to multiple values such as x_auth_access_type :[“write”, “email”] or would be set to a comma-separated string such as x_auth_access_type : “write,email” so it would also give email permission to me.

Can you confirm whether this is the case, or help me find out what I’m thinking and doing wrong?
Thank you very much.


#4

Unfortunately the initial x_auth_access_type setting was created at a point long before the email permission was added, and has only ever allowed one or other of the read or write values to be specified. I think what you’re seeing here is that using that parameter does perform an absolute override on what you have configured on the app settings. I’ll note this as something we should improve in the future, but at the moment I can’t say when or if we’re likely to change that behaviour.