>> I've found that this works, until the user tries to sign out or sign
>> up during the authorization; if this happens, they get a 404. If,
>> however, twitter.com is used as the host:
> I think this happens due to the cookie. People sign in to twitter.com, not
> to api.twitter.com. When a user is already signed in, the cookie's domain is
Thanks for the suggestion. However, this is definitely
url/host/routing related, not cookie related.
(a) I can reproduce after clearing all cookies.
(b) The cookie api.twitter.com sets has .twitter.com as its domain.
(c) http://api.twitter.com/signup?oauth_token=<removed> yields a 404;
http://twitter.com/signup?oauth_token=<removed> does not.
(d) The issue is not that it doesn't remember the user, but rather
that the "sign out" and "sign up" links on the oauth page are broken
(lead to 404s).