I finally figured out how to reproduce this:
- Log into Twitter with my user account. Make sure I check Remember me.
- Run a sample app to perform a normal Web OAuth authentication.
- Normally, the authentication screen indicates that I am logged in and I would only see the Authorize button. However, in this case I see an authorization screen that asks for Username and Password with no indication that I’m already logged in.
- I fill in Username and Password and click Authorize App.
- I receive “403 Forbidden: The server understood the request, but is refusing to fulfill it.” in response to POST https://api.twitter.com/oauth/authorize HTTP/1.1.
If I log out of my Twitter account, I can authorize with no problem. Also, If I’m logged in, but haven’t clicked Remember me, then everything works fine.
Also, this works for ASP.NET MVC, but not ASP.NET Web Forms. They both use the same exact code to build the OAuth signature. Tracing the HTTP traffic, the only difference in the signatures I send to you is that ASP.NET Web Forms (the example with the problem) has a callback url that ends with “.aspx”. The other example contains a friendly URL that doesn’t indicate a file with a suffix and it works fine. The cookies (keys) also appear to be different between request types.