Weird issue with /authenticate endpoint


#1

I’m facing a weird issue with OAuth and the /authenticate (Sign in with Twitter) endpoint. Let me try to describe what’s happening:

Recently we enabled “Sign In With Twitter” in our Twitter app so that we could use the /authenticate endpoint and sign the user in without asking her to grant access to our app at Twitter every time. However, when a user who already authorized our app (before we enabled “Sign In With Twitter”) tries to sign in via our website, the Twitter website just displays a generic “something went wrong” error page when it was supposed to redirect back to our website. But if we use the /authorize endpoint instead (so the user has to actually grant access to the app again) it works. After that, the /authenticate endpoint works fine for that specific account (but not for others).

Is it possible that our Twitter app was left in a weird state because we enabled “Sign In With Twitter” after we already had several users who had authorized our app? I’m not sure whether we’re doing something wrong on our side, because there’s no error returned to us; the flow just stops at the generic “something went wrong” page when we use /authenticate, but everything works as expected when we use /authorize.

Any help would be much appreciated. Thanks!
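For readers who want to see the three legs that post #1 is switching between, here is an added example of the OAuth 1.0a “Sign in with Twitter” flow from the consumer (website) side, with a toy provider-side signature check so both ends of the exchange are visible. It is not code from this thread or from Twitter; the endpoint URLs are Twitter’s real ones, but the function names, the constructed credentials and the `denied` handling in the callback parser are this example’s own assumptions about a cancelled grant.

```python
"""OAuth 1.0a 'Sign in with Twitter': consumer-side signing, the /authenticate vs
/authorize redirect, callback validation, and a toy provider-side check.
Added example, not Twitter's code and not the poster's."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlparse

# Twitter's endpoints; the three-legged flow hits them in this order.
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHENTICATE_URL = "https://api.twitter.com/oauth/authenticate"  # "Sign in with Twitter"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"        # always shows the grant screen
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ survive."""
    return quote(str(value), safe="~")


def normalized_params(params):
    """Encode every key and value, sort by encoded key then value, join with = and &."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    """METHOD&pct(url)&pct(normalized params); oauth_signature itself is never signed."""
    signed = {k: v for k, v in params.items() if k != "oauth_signature"}
    return "&".join([method.upper(), pct(url), pct(normalized_params(signed))])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with pct(consumer_secret)&pct(token_secret).
    token_secret is empty for the request_token call because no token exists yet."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def oauth_params(consumer_key, callback_url, nonce=None, timestamp=None):
    """Protocol parameters for step 1, the request_token call."""
    return {
        "oauth_callback": callback_url,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }


def authorization_header(params):
    """Serialise the oauth_* parameters (signature included) into the Authorization header."""
    fields = ", ".join(f'{pct(k)}="{pct(v)}"'
                       for k, v in sorted(params.items()) if k.startswith("oauth_"))
    return "OAuth " + fields


def redirect_url(request_token, sign_in=True):
    """Step 2: where to send the browser. /authenticate may skip the grant screen for a user
    who already authorised the app; /authorize always shows it (post #1's workaround)."""
    base = AUTHENTICATE_URL if sign_in else AUTHORIZE_URL
    return f"{base}?oauth_token={pct(request_token)}"


def parse_callback(callback_url, expected_request_token):
    """Step 3: validate the redirect back. The returned oauth_token must equal the request token
    kept in this user's session; otherwise an attacker could splice their own grant into the
    victim's login. Returns oauth_verifier for the access_token exchange.
    Assumption: a cancelled grant comes back with a 'denied' query parameter."""
    query = parse_qs(urlparse(callback_url).query)
    if "denied" in query:
        raise ValueError("user declined authorisation")
    token = query.get("oauth_token", [None])[0]
    verifier = query.get("oauth_verifier", [None])[0]
    if token != expected_request_token or not verifier:
        raise ValueError("callback oauth_token does not match the pending request token")
    return verifier


def provider_verify(method, url, params, consumer_secret, token_secret=""):
    """Toy provider side: recompute the signature over the received parameters and compare
    in constant time. Any altered parameter, URL or secret breaks the signature."""
    presented = params.get("oauth_signature", "")
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    ck, cs = "app-consumer-key", "app-consumer-secret"   # constructed, not real credentials
    params = oauth_params(ck, "https://app.example/cb")
    params["oauth_signature"] = hmac_sha1_signature("POST", REQUEST_TOKEN_URL, params, cs)
    print(authorization_header(params))
    print(redirect_url("request-token-from-step-1"))
```

The only thing that differs between the two flows in the thread is the base URL chosen in `redirect_url`; the request_token call before it and the access_token exchange after it are signed identically, which is why a failure that appears only on /authenticate points at the provider's per-user state rather than at the consumer's signing code.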


#2

I’m having the same issue.

After switching an app from Read-only mode to Read/Write, users that authenticated before the change get “something is technically wrong” instead of the authentication page.

It states below the app permission settings:

Changes to the application permission model will only reflect in access tokens obtained after the permission model change is saved. You will need to re-negotiate existing access tokens to alter the permission level associated with each of your application’s users.

However it left out that existing users will no longer be able to authenticate and refresh their tokens, or how to re-negotiate existing access tokens. We do not store access tokens long-term, which would IMO defeat the purpose of a limited access token.