Authentication fails with callback url


#1

Hello guys,
I’m literally going crazy here over this.

So I’m developing a web app in PHP to let users sign in with twitter. I’m stuck at step 1 of the documentation, basically when I send a GET request to oauth/request_token without oauth_callback I get a successful answer:

https://api.twitter.com/oauth/request_token?oauth_consumer_key=yZO1dddsFCQ6kFmwoiseQw&oauth_nonce=1356909970&oauth_signature=3MQ3ux1xwhh7q8p5%2Bww13dE6NCEo%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1356909970&oauth_version=1.0

but when I add the callback url the authentication fails:

https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2F127.0.0.1%2Ftest%2F&oauth_consumer_key=yZO1cBtdFddsrDDwoiseQw&oauth_nonce=1356910050&oauth_signature=ylpqpXhxmV1WBwyqpmS8itMh1m8%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1356910050&oauth_version=1.0.

I’m using the querystring method. The url looks good to me (it reflects the same encoding of the documentation). Both the urls twitter.com and mine go through the same process to create the signature so I would exclude that since without my URL it works!
Could it be a wrong URL encoding in the query request?
Also the time on my server is correct and I added the callback URL in the app settings even though I read it doesn’t have to be the same.
By the way it also succeeds if I put “oob” or anything without “:” or “/” in oauth_callback.

Another thing, in the documentation I read about oauth_callback:

For OAuth 1.0a compliance this parameter is required. The value you specify here will be used as the URL a user is redirected to should they approve your application's access to their account. Set this to oob for out-of-band pin mode. This is also how you specify custom callbacks for use in desktop/mobile applications. Always send an oauth_callback on this step, regardless of a pre-registered callback.

So if it’s required how come my requests are successful without it?


#2

I really recommend using HTTP headers to avoid encoding issues with these methods. While in practice the rule of including an oauth_callback may not be enforced, by spec and documentation we require its presence. Not including it can result in issues for you in the future when the rule is more strictly enforced.

In the case of your issue, it’s likely that the escaping in your signature base string for the oauth_callback_url value may be slightly off.


#3

This is all retarted. lol, I am stuck also.

Twitter Consumer Key: (I got this)

Twitter Consumer Secret: (I got this)

Twitter OAuth Key: (don't got this)

Twitter OAuth Secret: (don't got that)

It just redirects them back to my site without a login.