Oauth with SMS /account/login_verification/sms BadSessionLoginVerification


App and authentication flow works fine when I do not have sms two factor enabled.

During the oauth authentication flow for an app I am encountering something odd that only happens when I enable requiring an authentication code.

When I submit the /oauth/authorize form with a correct username and password, the post is 302 redirected to /account/login_verification/sms with several querystrying parameters. (I also recieve a SMS code to my phone)

When the /account/login_verification page loads, it has the body:

You are being redirected.

Which then dumps me out to https://twitter.com/?login_verification_error=BadSessionLoginVerification

Let me walk through exactly what happens during the oauth steps:
(In step 1 I can’t post a pure header only request. The apps are adobe AIR based, which is really dumb and doesn’t allow a POST with empty body content)

  1. HTTPS POST to /oauth/request_token - Headers of Authorization: OAuth oauth_consumer_key=“MaJUy5wEHOYkRvcP0qidA”, oauth_nonce=“48a648db7b52e382c88e615c4acc0aab”, oauth_signature=“dVaAM5JoCh%2BX79UsRpCy9snUg%2Bw%3D”, oauth_signature_method=“HMAC-SHA1”, oauth_timestamp=“1371740854”, oauth_version=“1.0”

Body Content-Type: application/x-www-form-urlencoded

  1. I get a token back and do a HTTPS GET to https://api.twitter.com/oauth/authorize?force_login=true&oauth_token=PNf2LtUFvPzhq4B6H8m1z4W8k44DLJa89pyOdSClFs

  2. https://api.twitter.com/oauth/authorize loads showing the correct app information. I fill out the form and submit it. Works great if SMS verification codes are OFF.
    If SMS verification codes are ON: Redirects to GET /account/login_verification/sms?remember_me=false&redirect_after_login_verification=%2Foauth%2Fauthorize%3F%26oauth_token%3DPNf2LtUFvPzhq4B6H8m1z4W8k44DLJa89pyOdSClFs

  3. /account/login_verification page loads with: You are being redirected.

Any thoughts would be appreciated. This works fine with SMS authentication codes are not on. I’ve used SMS authentication codes with other apps doing an identical initial post to /oauth/request_token and the /account/login_verification page will actually load and allow PIN entry.