force_login on /oauth/authenticate not working?


We’ve been using force_login as documented (on both GET oauth/authenticate and GET oauth/authorize) and it suddenly stopped working a couple of days ago. Now, force_login seems to be ignored and always uses the currently authenticated account.

Anybody aware of what is going on? Or maybe a suggestion as to what we might have done to trigger this?



I’m having the same problem, and just like you, it’s only recently.

The first time I send the user to /oauth/authenticate with force_login = true, it uses the currently authorized account and THEN logs the Twitter account out (unexpected).

If I try to go through authentication again, I’ll have to log back in (expected).

I am also sometimes getting a “bad access token” error message when using force_login = true. I thought it may have been just me, but I actually encountered the same error when authorizing with this site! See the screenshot here.

Again, it is only recently that this has been happening. I don’t see any changes referenced in the docs; what’s up?


Sorry for the trouble, and thanks for bringing it up.

Do you happen to have a site we could test/reproduce with? Would be tremendously helpful.



@rchoi Thanks for looking into this. Is there a way to private message you a link where you can reproduce? I’d rather not post it publicly.


Hit this URL:

It will initiate an OAuth authenticate with force_login set and you will see the problem. (Note, it will then redirect to a marketing website and show an error in the case of an unknown user – that’s expected so don’t be surprised by that.)

The first time, it will authorize your currently logged in account (without reauthenticating you as requested by force_login) and then will log you out as it returns you to the app.

The second time, you are forced to log in - because you are now logged out.


Thanks for that link @Data_Bakery - confirmed, that is the exact same issue I’m experiencing as well with my Production site.

The code/flow we use for authorization hasn’t changed for several months, which leads me to believe it’s a Twitter issue.


Same here - that code hasn’t changed in a while and we noticed this within the last week.


With my quick testing, force_login=true works as expected on GET oauth/authorize. For a quick fix, switch to using this endpoint, which you should probably be using anyways since GET oauth/authenticate is designed to reduce friction and that is negated by using force_login=true.

GET oauth/authenticate is respecting force_login=true for users that have never authorized the app before, but existing users for the app seem to be ignoring the flag.


Confirmed on my end, oauth/authorize works as expected with force_login=true. The issue is only with oauth/authenticate.


Same here - oauth/authorize does work around it.

EDIT - changed the title of the thread to reflect it’s /oauth/authenticate only


Thanks for this, guys. Really appreciate the detail. Will send along updates to my team and reply here.

(Sorry for the delay as well; have been travelling a bit. :P)


Thanks for the repro URL. Will send over; please keep it this way for the next 24 so we can use it to show eng.




Please let us know when your research on it is done – we want to roll out a switch to /oauth/authorize ASAP if this isn’t going to be fixed soon.


Understood. Will ping team now.


FYI, we’ve switched over to /oauth/authorize.


Sorry for the delay. We just released a fix; wondering if you’re able to test and ensure it’s working?



Ok, we switched back and it appears to be working now.

Thanks for the quick turnaround of a fix!