Re-authenticating with increased permissions




I have the following scenario: I’ve created an app with only the “Read and Write” permissions and have some users authenticated to it. Later on I changed the permissions to “Read, Write and Access direct messages”. When I prompt users to re-authenticate, they still remain only with the “Read and Write” permissions.

Only if the end user goes to his own apps section on Twitter and revokes the access to the app, then re-authenticates, am I getting the desired “Read, Write and Access direct messages” permissions.

Am I missing something here? How can I prompt the user to get the extended permissions without having him revoke the app?


You can use x_auth_access_type to upgrade from read to read and write permission, but you cannot upgrade to those + Direct Messages.

It sounds as though your app is probably re-using an existing token that was granted before you increased the access permissions. You could force a reauthentication by adding force_login=true to the authenticate endpoint. That would cause a new token to be granted with new permissions once the user has accepted the new access grant.


Still no luck. I’m directing the user to oauth/authenticate with force_login=true; the user is prompted for his username and password, and the screen shows the extended permissions:


After the user submits the details and is redirected back to my site, his permissions still remain on the basic level:


*Notice that the “Approved” date hasn’t changed.

Any thoughts?


@andypiper could this issue be related specifically to our app?


I haven’t had the time to attempt to reproduce this today, so I’m unable to confirm. I’m surprised that the permissions are not updating, if the token is being refreshed with the new auth flow; and I don’t remember coming across a case of something like this as isolated to a specific app.

It definitely seems like the new permissions are not being applied, but at the moment I’m not sure why that could be. I’ll see what I can discover, but I’m unable to provide an ETA on an update at this time.


Got it, will appreciate your closer look when you get to it 🙂 It’s causing us some issues with our users.


Hi @andypiper, this issue still happens, any chance you can give it a second look? We actually noticed that sometimes (not always) the tokens are identical, despite the request being in the new auth flow. Perhaps this can give a hint about what’s going on?