This is referred to as 3-legged OAuth because there are 3 things you need to do.
#1 When they click on sign in with Twitter:
You need to get a URL from Twitter, along with two pieces of info that you need to save: a request token and a token secret (these are just temporary and are only needed for step #3).
#2 Your callback URL
Twitter passes data back to your callback URL after the ?, which includes oauth_token and oauth_verifier (or will tell you the request was denied).
#3 Getting the keys for your application to access their Twitter account
You need to pass 3 things to Twitter to get the keys: the two things you saved from step #1 and oauth_verifier from step #2.
Then Twitter will return the two keys needed to access their account, and then and only then will their Twitter account show that your application is authorized to access it. Keep in mind that they can remove access to your application at any time, and these keys will no longer work if they do.
To access their account you need the keys returned from step #3 and your developer keys, which you got when you created your application in the developer area.
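The callback handling that links step #2 to step #3, as an added example that is not part of the original text: it checks that the returned oauth_token is one saved in step #1 before handing its secret to step #3, and treats each request token as single-use. The names `handle_callback`, `CallbackError` and the `pending` store are hypothetical, the URLs and token values are constructed, and the `denied` query parameter is how Twitter's OAuth 1.0a callback signals a refusal.

```python
from urllib.parse import urlsplit, parse_qs


class CallbackError(Exception):
    """Raised when the step #2 callback cannot be used for step #3."""


def handle_callback(callback_url, pending):
    """Return the three values step #3 needs, or raise CallbackError.

    `pending` maps request token -> token secret, as saved in step #1
    (hypothetical server-side store, e.g. the user's session).
    """
    query = parse_qs(urlsplit(callback_url).query)

    # On refusal the callback carries `denied=<request token>` and no verifier.
    if "denied" in query:
        pending.pop(query["denied"][0], None)  # discard the unused temporary pair
        raise CallbackError("user denied the request")

    tokens = query.get("oauth_token", [])
    verifiers = query.get("oauth_verifier", [])
    # Exactly one of each: missing or repeated parameters are rejected.
    if len(tokens) != 1 or len(verifiers) != 1:
        raise CallbackError("missing or repeated oauth_token/oauth_verifier")

    # The token must be one saved in step #1; pop() makes it single-use,
    # so a replayed callback URL cannot trigger step #3 a second time.
    secret = pending.pop(tokens[0], None)
    if secret is None:
        raise CallbackError("unknown or already used request token")

    return {
        "request_token": tokens[0],
        "token_secret": secret,
        "oauth_verifier": verifiers[0],
    }


# Constructed sample values, not real credentials.
PENDING = {"reqtok123": "reqsecret456"}
OK_URL = "https://example.test/callback?oauth_token=reqtok123&oauth_verifier=ver789"

if __name__ == "__main__":
    print(handle_callback(OK_URL, dict(PENDING)))
```
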