In the recent update to OAuth 1.0a, there were two critical changes required:
Web-apps should specify the oauth_callback
Through trial-and-error, I found that if you don't explicitly specify the oauth_callback when going through the authorization process, twitter will halt at the PIN page (behaving as if you are using a client application). That's easily fixed..
request_token = consumer.get_request_token( :oauth_callback => TWOAUTH_CALLBACK )
session[:request_token] = request_token.token
session[:request_token_secret] = request_token.secret
# Send to twitter.com to authorize
redirect_to request_token.authorize_url
NB: the root cause is that oauth 0.3.5 sets "oob" as the oauth_callback if you don't explicitly set it. This triggers the twitter desktop PIN flow.
Include the oauth_verifier when exchanging the request token for an access token
Next, the major change in 1.0a was to add an oauth_verifier parameter. Twitter sends this back to you after the user has authorized access, and you need to include this parameter when exchanging the request token for an access token.
request_token = OAuth::RequestToken.new(consumer, session[:request_token], session[:request_token_secret])
access_token = request_token.get_access_token( :oauth_verifier => params[:oauth_verifier] )
An example application
I've created a minimalist application that demonstrates the twitter API with OAuth 1.0a in rails. I've set this up to run at heroku.
The source is at github for all to share: http://github.com/tardate/rails-twitter-oauth-sample/tree/master
And there's a running demo site at http://rails-twitter-oauth-sample.heroku.com.