User redirected to Twitter home page on authentication

oauth

#1

A user of our application reports they are unable to sign in with Twitter. The application correctly redirects their browser to the Twitter authentication page. They’ve copy/pasted the URL they land on into a help request. The oauth_token parameter is correct, i.e., it matches the token we stored on our end. Here’s an example from one of their attempts.

https://api.twitter.com/oauth/authenticate?force_login=true&oauth_token=pVGcxAAAAAAAAVKGAAABZ6yqyM0

After entering their username and password, they are redirected to their Twitter homepage, rather than back to the application as expected.

With over 500K accounts created successfully, 70 in the past 24 hours, this is the only user I’m aware of encountering this issue.

The user was apparently successful in the past because the application was listed in their Twitter settings. But they must have deleted their account in our application because we have no access tokens stored for them.

They revoked the old tokens and re-tried with the same result: a redirect to their Twitter homepage. And, of course, the application no longer appears in their Twitter settings because without redirection back to the application, we’re unable to complete the 3-way authentication.

Any idea how we can track down the problem and resolve it?

-Marc


#2

Hi @semifor, is there anything particular about this user? Do all of your auth redirects use the force login?


#3

I haven’t found anything unusual about this user.

Our app ID is 86662. The user’s Twitter ID is 1358898559.

We use force_login when a customer is attaching a Twitter user to an existing application account. Subscribers can manage multiple Twitter accounts with a single application account, so we use force_login to ensure they add the intended account, which may not be the one they’re logged into.

For our free accounts, we use Twitter login without the force_login parameter because those accounts are 1-to-1, application to Twitter account, and the login experience is better without the forced login.

I’ve run through this multiple times with some of my own Twitter accounts and haven’t experienced any issues. Nor have we received reports from others about it (though that doesn’t necessarily mean others aren’t encountering it).

Maybe with the App ID and User ID you can spot something unusual that explains it.

-Marc


#4

Some troubleshooting tips that come to mind would include removing the force_login, having them try an incognito window, or switching the Twitter versions (iOS, Android, browsers, versions) that they might be using, perhaps even clearing their cache.

The only ways an access token could be revoked are either by the user revoking your application’s access or if your application uses the invalidate_token method.


#5

The user’s browser is Microsoft Edge. They are able to log in to other third-party Twitter apps. And they were able to authorize our app in an InPrivate window.

So, there seems to be some cached state related to our app and api.twitter.com in their browser.

Is there anything the user should check to provide feedback before I suggest they clear their cached state?

-Marc


#6

You are good to go with the suggestion to clear the cache. Thank you for the additional information. I will make sure to pass this information along.

