Twitter does not remember authorization

I am using Scribe (OAuth1.0) as a mechanism so that users can use their Twitter account to authenticate to my GWT/GAE application.

According to https://dev.twitter.com/docs/auth/implementing-sign-twitter, there are 3 possible scenarios: a/ the user is signed in and approved (in this case, Twitter should redirect the user transparently back to my application URL), b/ the user is signed in but has not authorized, or c/ the user is not signed in.

When Twitter comes back to my application (the callback), I use the verifier parameter to read the user data from twitter, which I use to determine the user in my application.

All of this works fine except for the following:

Scenario a/ is not working for me. Even though the user has already authorized my application to read his user data, Twitter seems not to remember this, and asks again to authorize access (scenario b/).

Osprey answered 15/1, 2013 at 11:19 Comment(1)
I may have a solution: I could use the callback parameters to build the access token and store this in a cookie. I think the access token is permanent. When the user afterwards tries to sign in using Twitter, the application will use the access token from the cookie. - Osprey

There are two URLs Twitter offers for applications requesting an OAuth token: /oauth/authenticate and /oauth/authorize. When an application directs users to the authorize endpoint, Twitter will request the user to authorize the application EVERY time they log in. The authenticate endpoint will request authorization once and then any subsequent log-ins to Twitter will seamlessly pass through to the application callback. This is more traditionally known as "signing in with your Twitter account".

In Scribe, the default is authorize - to change this to authenticate you need 2 things:

  1. Ensure the Allow this application to be used to Sign in with Twitter setting is checked in your Twitter application settings page.
  2. In your application - when you specify the Scribe API class to use - instead of using org.scribe.builder.api.TwitterApi.class change this to org.scribe.builder.api.TwitterApi.Authenticate.class

Now your application will direct users to sign in at the /oauth/authenticate endpoint and, if they have authorized your application at least once, they will just get passed through.

Edit: Additional documentation - https://dev.twitter.com/docs/api/1.1#102

Isochromatic answered 6/6, 2013 at 18:29 Comment(1)
Thanks a lot. I just had to change authorize to authenticate; otherwise I was going through the API docs on Twitter for 2 days. - Roofdeck
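The sign-in flow discussed above, as an added example (not code from the original posts or from the Scribe project). It assumes Scribe 1.x and the servlet API; the class name `TwitterSignIn`, the session attribute name and the method names are hypothetical. The request token is kept in the server-side session, and the callback is accepted only if its `oauth_token` matches the token issued for that session.

```java
import javax.servlet.http.HttpSession;

import org.scribe.builder.ServiceBuilder;
import org.scribe.builder.api.TwitterApi;
import org.scribe.model.Token;
import org.scribe.model.Verifier;
import org.scribe.oauth.OAuthService;

public class TwitterSignIn {
    // Hypothetical session attribute name used to remember the pending request token.
    private static final String REQUEST_TOKEN_ATTR = "twitterRequestToken";

    private final OAuthService service;

    public TwitterSignIn(String consumerKey, String consumerSecret, String callbackUrl) {
        this.service = new ServiceBuilder()
                // Authenticate sends users to /oauth/authenticate instead of /oauth/authorize,
                // so a user who already approved the application is passed straight through.
                .provider(TwitterApi.Authenticate.class)
                .apiKey(consumerKey)
                .apiSecret(consumerSecret)
                .callback(callbackUrl)
                .build();
    }

    /** Step 1: obtain a request token, remember it server-side, return the redirect URL. */
    public String beginSignIn(HttpSession session) {
        Token requestToken = service.getRequestToken();
        session.setAttribute(REQUEST_TOKEN_ATTR, requestToken); // Token is Serializable
        return service.getAuthorizationUrl(requestToken);
    }

    /** Step 2: called from the callback with its oauth_token and oauth_verifier parameters. */
    public Token completeSignIn(HttpSession session, String oauthToken, String oauthVerifier) {
        Token requestToken = (Token) session.getAttribute(REQUEST_TOKEN_ATTR);
        session.removeAttribute(REQUEST_TOKEN_ATTR); // a request token is used only once

        // Reject callbacks that do not belong to a sign-in started in this session.
        if (requestToken == null || oauthVerifier == null
                || !requestToken.getToken().equals(oauthToken)) {
            throw new IllegalStateException("Callback does not match a pending sign-in");
        }
        // Exchange the verifier for the access token used to read the user's data.
        return service.getAccessToken(requestToken, new Verifier(oauthVerifier));
    }
}
```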
