force_login on /oauth/authenticate not working?


#1

We’ve been using force_login (as documented on both GET oauth/authenticate and GET oauth/authorize) and it suddenly stopped working a couple of days ago. Now force_login seems to be ignored and the currently authenticated account is always used.

Anybody aware of what is going on? Or maybe a suggestion as to what we might have done to trigger this?

Thanks.


#2

I’m having the same problem, and just like you, it’s only recently.

The first time I send the user to /oauth/authenticate with force_login = true, it uses the currently authorized account and THEN logs the Twitter account out (unexpected).

If I try to go through authentication again, I’ll have to log back in (expected).

I am also sometimes getting a “bad access token” error message when using force_login = true. I thought it may have been just me, but I actually encountered the same error when authorizing with this site! See the screenshot here.

Again, this has only been happening recently. I don’t see any changes referenced in the docs; what’s up?


#3

Sorry for the trouble, and thanks for bringing it up.

Do you happen to have a site we could test/reproduce with? Would be tremendously helpful.

Thanks!


#4

@rchoi Thanks for looking into this. Is there a way to private message you a link where you can reproduce? I’d rather not post it publicly.


#5

Hit this URL:

https://dfw.therenow.co/twitter/login?force_login

It will initiate an OAuth authenticate with force_login set and you will see the problem. (Note: it will then redirect to a marketing website and show an error in the case of an unknown user – that’s expected, so don’t be surprised by that.)

The first time, it will authorize your currently logged in account (without reauthenticating you as requested by force_login) and then will log you out as it returns you to the app.

The second time, you are forced to log in - because you are now logged out.


#6

Thanks for that link @Data_Bakery - confirmed, that is the exact same issue I’m experiencing as well with my Production site.

The code/flow we use for authorization hasn’t changed for several months, which leads me to believe it’s a Twitter issue.


#7

Same here - that code hasn’t changed in a while and we noticed this within the last week.


#8

With my quick testing, force_login=true works as expected on GET oauth/authorize. For a quick fix, switch to using this endpoint, which you should probably be using anyway, since GET oauth/authenticate is designed to reduce friction and that is negated by using force_login=true.

GET oauth/authenticate is respecting force_login=true for users that have never authorized the app before, but for existing users of the app the flag seems to be ignored.
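The workaround above, as an added example that is not code from this thread or from Twitter’s own libraries: a small stdlib-only helper that sends forced re-authentication through /oauth/authorize, validates the callback, and checks that the account which actually authorized is the one that was requested. The endpoint URLs and the oauth_token, force_login, screen_name, oauth_verifier and denied parameters are the documented Twitter OAuth 1.0a ones; the function names and the sample token values are constructed for this example.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Documented Twitter OAuth 1.0a user-authorization endpoints.
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
AUTHENTICATE_URL = "https://api.twitter.com/oauth/authenticate"


def build_redirect_url(request_token, force_login=False, screen_name=None):
    """Build the URL the browser is sent to after obtaining a request token.

    Forced re-authentication goes through /oauth/authorize (the workaround
    from the thread); the low-friction /oauth/authenticate endpoint is only
    used when no forced login is required.
    """
    params = {"oauth_token": request_token}
    if force_login:
        params["force_login"] = "true"
        if screen_name:
            # Prefill the login form so the user is steered to the expected account.
            params["screen_name"] = screen_name
        base = AUTHORIZE_URL
    else:
        base = AUTHENTICATE_URL
    return f"{base}?{urlencode(params)}"


def parse_callback(callback_url, expected_request_token):
    """Validate the callback and return oauth_verifier.

    The oauth_token echoed back must be the request token this session issued
    (a mismatch means a stale or cross-session callback), and a verifier must
    be present. A 'denied' parameter means the user refused authorization.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "denied" in qs:
        raise PermissionError("user denied authorization")
    token = qs.get("oauth_token", [None])[0]
    if token != expected_request_token:
        raise ValueError("oauth_token in callback does not match issued request token")
    verifier = qs.get("oauth_verifier", [None])[0]
    if not verifier:
        raise ValueError("callback is missing oauth_verifier")
    return verifier


def forced_account_matches(requested_screen_name, returned_screen_name):
    """Check the access-token response against the forced login request.

    The access-token exchange returns the screen_name that actually authorized.
    If a specific account was requested and a different one comes back, the
    forced login was not honoured (the symptom described in this thread).
    """
    if requested_screen_name is None:
        return True
    return requested_screen_name.lower() == returned_screen_name.lower()
```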


#9

Confirmed on my end, oauth/authorize works as expected with force_login=true. The issue is only with oauth/authenticate.


#10

Same here - oauth/authorize does work around it.

EDIT - changed the title of the thread to reflect that it’s /oauth/authenticate only.


#11

Thanks for this, guys. Really appreciate the detail. Will send along updates to my team and reply here.

(Sorry for the delay as well; have been travelling a bit. :P)


#12

Thanks for the repro URL. Will send over; please keep it this way for the next 24 so we can use it to show eng.

Thanks!



#13

Please let us know when your research on it is done – we want to roll out a switch to /oauth/authorize ASAP if this isn’t going to be fixed soon.


#14

Understood. Will ping team now.


#15

FYI, we’ve switched over to /oauth/authorize.


#16

Sorry for the delay. We just released a fix; wondering if you’re able to test and ensure it’s working?

Thanks!


#17

Ok, we switched back and it appears to be working now.

Thanks for the quick turnaround of a fix!


#18