215 Bad Authentication Data for some users


#1

We’re using Abraham’s TwitterOauth library for PHP. It’s been running fine for over a year.

Today, one user kept getting 215 Bad Authentication Data errors for any API call we’d make after getting their token/secret.

	$twitteroauth = new TwitterOAuth($arr_config['twitter_consumer_key'], $arr_config['twitter_consumer_secret'], $_SESSION['tw_oauth_request_token'], $_SESSION['tw_oauth_request_token_secret']);

	// Let's request the access token
	$access_token = $twitteroauth->oauth("oauth/access_token", array("oauth_verifier" => $_GET['oauth_verifier']));

	// need to set up new TwitterOAuth with the long-lived token/secret
	$twitteroauth = new TwitterOAuth($arr_config['twitter_consumer_key'], $arr_config['twitter_consumer_secret'], $access_token['oauth_token'], $access_token['oauth_token_secret']);

	// Let's get the user's info
	$user_info = $twitteroauth->get('account/verify_credentials');

$user_info contains only ‘errors’ for this 1 user (@MrsFPresents) - every other user we try is fine.
Same goes for other API endpoints we try for that account (e.g. ‘lists/list’)

I’ve looked through their account settings, and can’t see anything that stands out immediately as a possible cause.

Update: has just happened for another user, and comments from other devs below indicate it’s widespread. @andypiper - has something been released recently that may have broken the API?


#2

bump. Same problem here. We have our own lib (not Abraham’s TwitterOauth) but we are having the same issue. The “oauth/access_token” works for every account and we get a successful response with user id and screen name but the “account/verify_credentials” works for all but a few accounts. Code doesn’t change but the 215 error code pops up for a few users.


#3

We’re seeing this issue for what looks like 90% of new users. Any help is appreciated as our users effectively cannot sign up for our app


#4

This may be wider spread.

I’ve set up a new account and app for some bot work and can confirm that the keys on the new app do not work.

I can confirm that keys for a new app on a 7 year old account do work.

I’m using Twit on NodeJS, but that shouldn’t matter – issue seems to be at Twitter.

-BitA


#5

I was able to successfully authenticate after deleting and recreating the app and keys.

I tried that a few times earlier, but this time it actually worked.

-BitA


#6

I spoke to someone who works at Twitter. He doesn’t work on the API directly, but he said that team acknowledged that this is an issue and is working on a fix.

@brainintheass Unfortunately people with production apps cannot just delete & recreate the app & keys. Hopefully they roll out the fix soon.


#7

Hi all - apologies that I was offline overnight (in my timezone!) when this incident seems to have occurred.

Is this issue still occurring, or have things returned to normal? I’m checking internally on status of the rollback.


#8

We believe this issue should be resolved. Apologies for the inconvenience.

OK - still hearing reports of issues. Will continue to check in with the teams internally. Bear with us :grimacing:


#9

OAuth tokens that error out for me are 60 characters long, whereas tokens that are 50 characters succeed.


#10

Thanks for confirming. We are still working to understand where that interaction is causing the error.


#11

I just want to add that our customers are seeing this, too.


#12

Thanks - I’d spotted a couple of Twitterrific users mention it on Twitter and I’ve added this to our internal ticket on the issue. Apologies again. Are you able to confirm / narrow this down to a token length issue, or add any other information we may have missed? Thank you.


#13

I don’t have any additional info at the moment, but if I can gather something useful, I’ll let you know! Thanks for looking into it.


#14

Hey @jamesfzhang are you able to invalidate one of the 60 char tokens and login again to generate a 50 char token that works? Just working through some ideas here.


#15

(or any of those of you affected - what happens with a fresh login via the OAuth dance, rather than using a stored token?)


#16

@andypiper I’m not sure because I’m not experiencing this issue with my main account, but several users of my app are reporting it. I tried reproducing yesterday by creating a new account around 18 hours ago and was not able to log in (Twitter in iOS Settings says password combo is incorrect). I just retested with this account again and it’s still the case. I know that I’m entering the correct password. Does Twitter in iOS settings use OAuth?

For a brand new account that I just created now, I can OAuth successfully.


#17

@andypiper we’ve been having this issue here too. An interesting piece of information: when I try to “Revoke access” to the API application from my Twitter.com settings page (https://twitter.com/settings/applications), it “errors” out. Specifically, the button doesn’t change to “Undo revoke access”, and from inspecting the network traffic, I can also tell you that the AJAX POST request to “https://twitter.com/oauth/revoke” is getting back a 404, whereas when revoking other applications from the same page, I get a 200. Happy to supply you with a HAR file representation of said requests!


#18

Current working theory is that a bunch of accounts created / auth’d in a small window yesterday have these longer tokens and that this is blocking their ability to finalise the auth on the API calls.


#19

Thanks - that’s weird - will add to the information we are tracking.


#20

I took the liberty of adding that HAR file to a private GitHub repo, and added you as a collaborator. There are some cookie headers there I didn’t want floating around publicly…
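Posts #17 and #20 involve handing over a HAR capture that contains cookie headers. As an added example (not code from any poster in this thread), this Python sketch strips credentials from a HAR before it is shared; the header list, the parameter-name pattern and the sample capture are assumptions made for illustration.

```python
import copy
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-csrf-token"}
# Assumed heuristic for credential-bearing parameter names (oauth_token, oauth_verifier, ...).
SENSITIVE_PARAM = re.compile(r"token|secret|verifier|password", re.I)

def _scrub_pairs(pairs, is_sensitive):
    """Redact the value of each HAR {"name", "value"} pair flagged as sensitive."""
    for pair in pairs or []:
        if is_sensitive(pair.get("name", "")):
            pair["value"] = REDACTED

def _scrub_url(url):
    """Redact sensitive query parameters embedded in the request URL."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_PARAM.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def redact_har(har):
    """Return a deep copy of a HAR dict with credentials removed."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            _scrub_pairs(msg.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS)
            _scrub_pairs(msg.get("cookies"), lambda n: True)
        req["url"] = _scrub_url(req.get("url", ""))
        _scrub_pairs(req.get("queryString"), SENSITIVE_PARAM.search)
        post = req.get("postData") or {}
        _scrub_pairs(post.get("params"), SENSITIVE_PARAM.search)
        if "text" in post:  # the raw body repeats the params
            post["text"] = REDACTED
        # Response bodies can echo tokens (oauth/access_token does), so drop them.
        resp.get("content", {}).pop("text", None)
    return har

# Constructed sample: a single revoke request shaped like the one described in the thread.
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://twitter.com/oauth/revoke?oauth_token=abc123&lang=en",
                "headers": [{"name": "Cookie", "value": "sid=constructed"}, {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "constructed"}],
                "postData": {"params": [{"name": "token", "value": "xyz"}], "text": "token=xyz"}},
    "response": {"status": 404, "headers": [{"name": "Set-Cookie", "value": "sid=constructed"}],
                 "content": {"text": "constructed body"}}}]}}

CLEAN = redact_har(SAMPLE)  # shareable copy; SAMPLE itself is left unmodified
```

Status codes, URLs paths and non-credential headers survive, so the 404-versus-200 difference described in post #17 is still visible in the redacted file.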