The granted DM permissions are unintentionally deleted when logging in with Twitter

Please look at this image; I wrote a description in it. As explained in the image, the permissions granted to DM are unintentionally deleted before and after logging in to Twitter. Can you tell me why this is happening?

This application has had “Read, write, and Direct Messages” for several years.

Thanks

As a result, this application has been receiving “This application is not allowed to access or delete your direct messages.” as of today.
I know about this announcement -> “Updates to app permissions: Direct Message write permission change”.

Thanks for getting in touch with us on this issue. I’m working with some folks internally on this and I’ll be sure to let you know if I hear anything further here.

While investigating the problem, I found that the following situations might be involved.
Time series (rough numbers):

10 years ago: I created this app and created an access token/secret for the account. There were still only Read and Read/Write permissions at this time.

5 years ago: Twitter created the “Read/Write and DM” permission.

An announcement on 2019/08/17: Twitter made a change to require the “Read/Write and DM” permission to create DMs.

After that: I couldn’t create DMs using the access token/secret I had made before.
In the above situation, if I open an incognito window and try to log in with Twitter, I encounter the situation reported in this issue.
Step 1: I open an incognito window and try to log in with Twitter at https://api.twitter.com/oauth/authenticate?oauth_token=xxx&lang=en . I see the English version of the page and can find 10 messages.

Step 2: After I enter my user name and password, I’m redirected to the Japanese version of the page and can find 8 messages.

The problem reported in this issue, that I couldn’t create DMs, was resolved by re-authorizing the account after explicitly disabling the access token.
It is important to explicitly disable it; otherwise it seems that it will keep the same permission (= old Read/Write) as before, even if the app has the Read/Write and DM permission and I log in with Twitter again.
If possible, I would like to request a change to the “keeping the old permission” behavior.

Hi @Joshini, thanks for clarifying your resolution here. We’ve relayed the scenario around the English vs. Japanese list internally.
Technically, however, the old access token for the user should not need to be explicitly disabled if the user has re-authorized access with the new permissions and a new access token is granted.
The old access token should be automatically revoked once the new one is granted. Note that access tokens previously created with different permissions keep the permissions granted at the time, and they don’t expire unless revoked by the user, by re-authorization, or revoked by the app through the API. Updating permissions is also not retroactive; any of your users that may still have RW-based permissions will need to reauthorize.

Hi @Gadin, thanks for telling me the detailed specification of the token/secret. In the course of the investigation, I may have discovered a new problem.
Although this application has been specifying the Read/Write with DM permission for a long time, about 1.3 percent of tokens/secrets created recently don’t have DM permission. This figure was calculated using more than 5,000 tokens/secrets created in August 2019.
I haven’t done any detailed investigation at this time, but as far as this application is concerned, this problem may have occurred since February 2016 or earlier.
I’d like to get your thoughts on it.

I have one more question.

“Technically however, the old access token for the user should not need to be explicitly disabled if the user has re-authorized access with the new permissions and a new access token is granted.”
To confirm what you pointed out, I tried to log in with Twitter multiple times. However, if I didn’t explicitly invalidate the token/secret, none of the token, secret, or permission changed. The token/secret returned from the Twitter server remains the same string, and the Read/Write permission remains Read/Write. I’ll check whether there are mistakes in my procedure. Could you tell me the technical meaning of the “re-authorization” you mention? Here are the steps I tried:
1: Open the incognito window
2: Access http://myapp.com/sign_in
3: Be redirected to https://api.twitter.com/oauth/authenticate?oauth_token=XXX
4: Click “Authorize app” button
5: Be redirected back to my app

Did you try the authorize endpoint? https://developer.twitter.com/en/docs/basics/authentication/api-reference/authorize.html

I believe the authenticate endpoint doesn’t re-authorize your app; it just takes whatever was authorized in the past (unless you supply x_auth_access_type when you issue your request token).
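The two mechanics this thread turns on, as an added example that is not code from the original posts or from Twitter: the last reply’s distinction between /oauth/authorize and /oauth/authenticate plus the x_auth_access_type request-token parameter, and the earlier point that tokens keep the permission level granted at the time, which is what the 1.3 percent measurement above was counting. The OAuth 1.0a HMAC-SHA1 signing, the endpoint URLs and the x-access-level response header (values read, read-write, read-write-directmessages) are real; the consumer key/secret, token values and response headers are constructed, no network call is made, and the assumption that x_auth_access_type travels as a body parameter of the request_token call is labeled in the code.

```python
"""Added example (not from the original thread or from Twitter).
1. Sign POST oauth/request_token with x_auth_access_type, then send the user to
   /oauth/authorize (not /oauth/authenticate) so the grant screen is shown again.
2. Read a stored token's real permission level from the x-access-level header of
   account/verify_credentials and flag tokens that still lack DM access.
No network calls are made; all keys, tokens and headers below are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
VERIFY_URL = "https://api.twitter.com/1.1/account/verify_credentials.json"
DM_LEVEL = "read-write-directmessages"  # the level "Read/Write and DM" tokens report

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ left unescaped)."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD&pct(url)&pct(sorted k=v pairs); url must carry no query string here."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with pct(consumer_secret)&pct(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def oauth_params(consumer_key, token=None, nonce=None, timestamp=None):
    """The oauth_* parameters every signed call carries; nonce/timestamp injectable for tests."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    return params

def authorization_header(method, url, params, consumer_secret, token_secret=""):
    """Sign over ALL parameters (oauth_* plus body/query); emit only oauth_* in the header."""
    signed = dict(params)
    signed["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    fields = sorted((k, v) for k, v in signed.items() if k.startswith("oauth_"))
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in fields)

def request_token_call(consumer_key, consumer_secret, callback, access_type="write", **fixed):
    """Step 1 of re-authorization. Assumption: oauth_callback and x_auth_access_type are
    sent as body parameters of request_token, so both must be covered by the signature."""
    params = oauth_params(consumer_key, **fixed)
    params["oauth_callback"] = callback
    params["x_auth_access_type"] = access_type
    header = authorization_header("POST", REQUEST_TOKEN_URL, params, consumer_secret)
    return header, {"oauth_callback": callback, "x_auth_access_type": access_type}

def authorize_url(request_token):
    """/oauth/authorize re-prompts for permissions; /oauth/authenticate reuses the old grant."""
    return f"{AUTHORIZE_URL}?oauth_token={pct(request_token)}"

def verify_credentials_header(consumer_key, consumer_secret, token, token_secret, **fixed):
    """Step 2: a signed GET whose response headers reveal the token's permission level."""
    params = oauth_params(consumer_key, token=token, **fixed)
    return authorization_header("GET", VERIFY_URL, params, consumer_secret, token_secret)

def access_level(headers):
    """Case-insensitive lookup of x-access-level; None if the header is absent."""
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            return value.strip().lower()
    return None

def audit(token_headers):
    """Return (count, fraction) of tokens whose responses do not report the DM level."""
    lacking = [t for t, h in token_headers.items() if access_level(h) != DM_LEVEL]
    return len(lacking), (len(lacking) / len(token_headers) if token_headers else 0.0)

if __name__ == "__main__":
    header, body = request_token_call("CONSUMER_KEY", "CONSUMER_SECRET", "https://myapp.com/callback")
    print(header, body)
    print(authorize_url("REQUEST_TOKEN_FROM_RESPONSE"))
    sample = {  # constructed responses: one token still at the pre-DM level
        "tok1": {"x-access-level": "read-write-directmessages"},
        "tok2": {"X-Access-Level": "read-write"},
        "tok3": {"x-access-level": "read-write-directmessages"},
    }
    print(audit(sample))
```

Running the audit over every stored token before sending users through the authorize URL is the practical order: verify_credentials tells you which tokens still report read-write, and only those users need to be asked to reauthorize. Note that x_auth_access_type is documented with the values read and write, so whether it alone is enough to obtain the DM level is not something this thread establishes; the explicit /oauth/authorize flow is the part the reply above recommends.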
