OAuth/authenticate keeps asking for permissions every time


#1

Good day!

I’ve created a web app with “Read, write, and direct messages” permissions and I have a problem with the “Sign In with Twitter” (oauth/authenticate) flow: this method keeps asking users for permissions (with a popup window and a “Sign In” button) every time they try to log in, and below the “Sign In” button I see this: “This application will not be able to: Access your direct messages.”! How is this possible?! https://dev.twitter.com/docs/auth/sign-in-with-twitter directly says that if the user has already authorized the application then twitter.com redirects him to the application immediately!

BUT! More strange things: if the user logged in with the basic OAuth flow (oauth/authorize) first (no mistakes in the permission notices here) and then, in subsequent login requests, I redirect him to the “Sign In with Twitter” flow (oauth/authenticate), this method starts to work correctly and does not ask for permissions - it just redirects the user to my web app without any popup windows.

Maybe there are some mistakes in the logic of my app, or is this the normal behavior of these methods?


#2

Hi @AlexandrFox,

The oauth/authenticate method is not capable of permissioning “read, write, and direct messages” permissions. You’ll need to use oauth/authorize when authenticating a user for the first time to obtain tokens at that level.


#3

@episod I currently use oAuth/Authorize and it still comes up with “No access to Direct Messages”. I don’t know how to fix this.


#4

Is your application configured with the Read, Write, & Direct Messages permission before you go to oauth/authorize? Are you sending any additional parameters to the oauth/request_token step that might be requesting downgraded tokens?


#5

How do we tell oAuth/Authorize to simply “pass the user through” if they already have permissions?

I don’t understand why Twitter would ask them to re-authorize if they’ve already authorized at the requested level.


#6

Configuration options to solve this: http://stackoverflow.com/q/8262479/537036


#7

If I revoke access for the app using https://twitter.com/settings/applications presumably the app needs to use oauth/authorize once more before reverting to oauth/authenticate?

It seems hard for the OAuth Consumer to know which one to use, when aiming for “no User interaction if she’s logged in to Twitter & has previously authorised the app”.

I second @BitzBlitzer’s comment below. Or I’d prefer oauth/authenticate to fail under these conditions & redirect to the Consumer’s url with some meaningful error code - then the Consumer could redirect to oauth/authorize instead.

Please update https://dev.twitter.com/docs/api/1/get/oauth/authenticate with this information. (There’s also a typo or conversion error there: “for applications using the You do not have access to view this node authentication flow”.)


#8

Thinking about this some more…

Are you saying that if the app has “read/write/DM” permissions and the user hasn’t granted access via oauth/authorize then oauth/authenticate (a) always asks the user to grant access & (b) doesn’t grant the DM permission for the access token?

If so then the Consumer could test access token permissions after oauth/authenticate & if DM isn’t present redirect to oauth/authorize… but it’s not a very nice user experience.
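One way a consumer could implement the check proposed above, as an added example that is not code from this thread or from Twitter: after the sign-in completes, read the X-Access-Level header that Twitter’s v1.1 API returns on authenticated responses to see whether the token carries the direct-message level, and send the user through oauth/authorize (with a fresh request token) only when it does not. The endpoint URLs, the header handling and the sample headers are assumptions or constructed data.

```python
"""Consumer-side check of an OAuth 1.0a token's permission level.

Assumptions (not from the thread): Twitter's v1.1 API returns an
X-Access-Level header ('read', 'read-write' or 'read-write-directmessages')
on authenticated responses; the header dicts below are constructed samples.
"""
from urllib.parse import urlencode

AUTHENTICATE = "https://api.twitter.com/oauth/authenticate"
AUTHORIZE = "https://api.twitter.com/oauth/authorize"
# Permission levels ordered from weakest to strongest.
LEVELS = ("read", "read-write", "read-write-directmessages")

# Constructed sample response headers for two different tokens.
SAMPLE_DM_TOKEN = {"Content-Type": "application/json",
                   "X-Access-Level": "read-write-directmessages"}
SAMPLE_RW_TOKEN = {"x-access-level": "read-write"}


def access_level(headers):
    """Return the token's level from an authenticated API response's headers."""
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            level = value.strip().lower()
            if level in LEVELS:
                return level
            raise ValueError("unexpected access level: %r" % value)
    raise KeyError("X-Access-Level missing: was the response authenticated?")


def token_satisfies(headers, required):
    """True when the token's level is at least `required`."""
    return LEVELS.index(access_level(headers)) >= LEVELS.index(required)


def signin_url(request_token, previously_authorized):
    """Entry point for a login: use oauth/authenticate only once the consumer
    has recorded that this user completed oauth/authorize at the needed level."""
    endpoint = AUTHENTICATE if previously_authorized else AUTHORIZE
    return "%s?%s" % (endpoint, urlencode({"oauth_token": request_token}))


def after_signin(headers, required, fresh_request_token):
    """After oauth/authenticate produced a token: finish if it already has the
    needed level, otherwise send the user through oauth/authorize once. A new
    request token is required because the previous one has been consumed."""
    if token_satisfies(headers, required):
        return "done"
    return signin_url(fresh_request_token, False)
```

Persisting the outcome of the one-time oauth/authorize per user is what lets the consumer pick oauth/authenticate on later logins without guessing.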


#9

Thanks!


#11

I am trying to access direct messages; each time I authorize it needs me to enter the verifier provided by Twitter. Is there any way I can access DMs by authorizing only once?


#12

Hi. So what’s the solution for “Sign in with Twitter”? How can I know it’s the first-time authentication???