When passing force_login=true to /oauth/authenticate and the user already has a valid access token the user is not redirected to the callback but is instead remains on the /oauth/authenticate page.
If the user does not already have a valid access token the process works as expected. The flow to reproduce is as follows:
- User clicks “Add Twitter Account” on the app
- User is sent to https://api.twitter.com/oauth/authenticate and is presented with a login form
- User enters credentials and clicks the “Sign In” button
- User is redirected back to app via the callback URL and the process completes normally
Now, to encounter the bug:
A) After completing steps 1-4 above, the user clicks “Add Twitter Account” on the app
B) User is sent to /oauth/authenticate and is presented with a login form
C) User enters the same credentials and clicks the “Sign In” button
D) User returns to /oauth/authenticate. There is no indication of any error and there is no change to the page except that the upper right of the page shows the user’s screen name instead of “Sign up for Twitter”.
If the user revokes the token for the app and repeats steps 1-4 above the process will complete normally. The failure, remaining stuck on /oauth/authenticate, only occurs when the user already has a valid access token for the app.
Is this a know issue and is there an ETA for resolution? Or is there a workaround?
Our application helps users manage multiple twitter handles. It is not safe to authenticate without “force_login” because it is too easy to authorize using the wrong account.