It is reproducible. Just have a valid access token then go through
/oauth/authenticate with force_login=true and hit cancel. The access token
will no longer be valid.

I would not expect hitting "cancel" to revoke my access token while I would
expect hitting "deny" to revoke my access token. I feel like this is just an
oversight on Twitter's part that they have multiple buttons that perform the
same action but are presented differently.

Corey: Access tokens are application specific so unless 10+ web applications
are all sharing the same consumer key/secret only the single application the
user is currently authenticating with will have an invalidated access token.

Abraham
-------------
Abraham Williams | Hacker Advocate | abrah.am
@abraham <https://twitter.com/abraham> | github.com/abraham | blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.



On Mon, Dec 27, 2010 at 06:46, Corey Ballou <ball...@gmail.com> wrote:

> I concur with David on this one.  I didn't take the time to verify
> this scenario myself, but it does seem like it's a problem. Consider
> the following scenario:
>
> 1. A user has whitelisted 10+ web applications using their
> credentials.
> 2. The end user has no knowledge of what an access token is or what it
> entails.
> 3. The end user is forced to log in using force_login to my
> application.
> 4. The end user hits "Cancel" during the authentication process.
> 5. The user's access token changes, revoking their access for all 10+
> web applications.
>
> I guess the kicker is whether or not this is reproducible. If it is,
> this would seem to be a problem. Perhaps there is a workaround?
>
> On Dec 23, 11:58 am, David <dtran...@gmail.com> wrote:
> > I feel like this isn't the expected behavior if a user hits "Cancel" when
> > you authenticate with force_login=True - if you start typing in another
> > username, then hit cancel, it shouldn't revoke the access token for the
> > currently authenticated user.
>
> --
> Twitter developer documentation and resources: http://dev.twitter.com/doc
> API updates via Twitter: http://twitter.com/twitterapi
> Issues/Enhancements Tracker:
> http://code.google.com/p/twitter-api/issues/list
> Change your membership to this group:
> http://groups.google.com/group/twitter-development-talk
>
