Callback url 127.0.0.1 can not be recognized by twitter

oauth

#1

Hi, I met a problem with the request token from Twitter.

I send this request:
POST https://api.twitter.com/oauth/request_token HTTP/1.1
Host: api.twitter.com
User-Agent: MSTRWebService/libcurl
Accept: */*
Authorization: OAuth oauth_callback=“http://127.0.0.1”,
oauth_consumer_key=“hl_____________________d”,
oauth_nonce=“15480557913a4”,
oauth_signature=“fFv%2F___qhEU%3D”,
oauth_signature_method=“HMAC-SHA1”,
oauth_timestamp=“1548055791”,
oauth_version=“1.0”
Content-Type: application/x-www-form-urlencoded

but get error response with message “401 unauthorized.”

We are wondering if 127.0.0.1 or localhost is a valid callback URL on Twitter's side? Will Twitter do some verification of the callback URL?

After we changed the URL to a meaningful URL, like https://localhost:8443/webapp?a=b , it succeeded in getting the token back.
But we still have some concerns with the new URL. Could you please give some suggestions for the callback URL?


#2

Did you set the callback url of the app in the developer dashboard?
It needs to exactly match the url you are calling


#3

Yes, I set http://127.0.0.1 in the twitter dashboard.


#4

But that’s not the URL you are calling. You need to enter:
https://127.0.0.1/webapp or whatever you are calling


#5

Currently, in the Twitter developer dashboard, we set the callback URL as
http://127.0.0.1

In the authentication stage, in the request body if the callback url parameter is set as:

  1. http://127.0.0.1
    we will get the response error 401

response body:
{
“errors”: [{
“code”: 32,
“message”: “Could not authenticate you.”
}]
}

  2. http://127.0.0.1?a=1
    it can authenticate successfully.

We found that authentication succeeds only when the callback has a query parameter, no matter what the query parameter is. Is it by design?

@jrsyo


#6

It is weird that you are calling the root like that. That server must be doing things other than just authenticating your app.

Try http://127.0.0.1/ but ideally you have some path


#7

To summarize, we tried three cases:
Case 1: http://127.0.0.1, failed
Case 2: http://127.0.0.1/?a=1, failed
Case 3: http://127.0.0.1?a=1, succeeded

Two questions:
1. Does the query parameter (?a=1) matter to the authentication result?
2. Does the slash make any difference?

@Connexinet @jrsyo Thanks.


#8

@xni

Yes, I set http://127.0.0.1 in the twitter dashboard.

After we change the url to a meaningful url : like https://localhost:8443/webapp?a=b , it succeeds to get token back.

What does that mean? You can set http://127.0.0.1 to your callback URLs in your Twitter app’s configuration. See: https://developer.twitter.com/en/docs/basics/apps/guides/callback-urls

1.Does query parameter(?a=1) matter the authentication result?

I don’t think so. I feel it’s your application running on your local machine that makes the difference.

2.Does slash make any difference?

What do you mean? Slash for what?


#9

@jrsyo
Let us forget the above sessions and keep the question simple:
In my request header
(OAuth 1.0 step 1 request token,
https://developer.twitter.com/en/docs/basics/authentication/overview/3-legged-oauth ),

if oauth_callback=http://127.0.0.1 the authentication does not succeed, but if oauth_callback=http://127.0.0.1?a=1 the authentication succeeds. And in both cases I set http://127.0.0.1 in my developer dashboard.

So I think ?a=1 has some influence on the result, right?


#10

@xni

Have you tried debugging your local application? Based on your results, yes, the query string is affecting it somehow, but I don’t believe that’s our problem.


#11

@jrsyo

After trying many times, we think the callback URL sent to Twitter must have query parameters appended. Otherwise Twitter will return a 401 error.

It is better for you to confirm it with Twitter engineers. Thank you.

my request:
POST https://api.twitter.com/oauth/request_token HTTP/1.1
Host: api.twitter.com
User-Agent: MSTRWebService/libcurl
Accept: */*
Authorization: OAuth oauth_callback=“http://127.0.0.1/",oauth_consumer_key=“57oaZTchyeMFeRAKwIzxItVDI”,oauth_nonce=“1550483981101”,oauth_signature=“6AApe%2BkXN0rocu59fqovMnc0wZ4%3D”,oauth_signature_method=“HMAC-SHA1”,oauth_timestamp=“1550483981”,oauth_version="1.0
Content-Type: application/x-www-form-urlencoded

my response:
HTTP/1.1 401 Authorization Required
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
content-disposition: attachment; filename=json.json
content-length: 64
content-type: application/json; charset=utf-8
date: Mon, 18 Feb 2019 09:59:20 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Mon, 18 Feb 2019 09:59:20 GMT
pragma: no-cache
server: tsa_b
set-cookie: personalization_id=“v1_Q0uV2jdUXxrDiVOVYnja1g==”; Max-Age=63072000; Expires=Wed, 17 Feb 2021 09:59:20 GMT; Path=/; Domain=.twitter.com
set-cookie: guest_id=v1%3A155048396069960503; Max-Age=63072000; Expires=Wed, 17 Feb 2021 09:59:20 GMT; Path=/; Domain=.twitter.com
status: 401 Unauthorized
strict-transport-security: max-age=631138519
www-authenticate: OAuth realm=“https://api.twitter.com
x-connection-hash: ff594e5694f4eb70aa7d300cebaf68a2
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-response-time: 8
x-transaction: 00bde863002c871f
x-twitter-response-tags: BouncerCompliant
x-xss-protection: 1; mode=block; report=https://twitter.com/i/xss_report

{“errors”:[{“code”:32,“message”:“Could not authenticate you.”}]}
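
Post #10 suggests debugging the client. In OAuth 1.0a (RFC 5849) the oauth_callback value is part of the signed base string, so each callback variant tried in post #7 has to be signed exactly as it is sent. The following is an added example, not code from anyone in this thread; the consumer key, consumer secret and nonce are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"


def pct(value: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay unescaped.
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Encode every name and value, sort the pairs, join them as name=value,
    # then encode the joined string once more as the third base-string part.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # The HMAC-SHA1 key is consumer_secret&token_secret. At the request_token
    # step there is no token secret yet, so the key ends with a bare "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def request_token_signature(callback: str, consumer_secret: str) -> tuple:
    params = {
        "oauth_callback": callback,                # signed exactly as sent
        "oauth_consumer_key": "CONSTRUCTED_KEY",   # placeholder, not a real key
        "oauth_nonce": "constructednonce",         # placeholder
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1548055791",
        "oauth_version": "1.0",
    }
    base = signature_base_string("POST", REQUEST_TOKEN_URL, params)
    return base, sign(base, consumer_secret)


if __name__ == "__main__":
    # The three callback variants from post #7, with a constructed secret.
    for cb in ("http://127.0.0.1", "http://127.0.0.1/?a=1", "http://127.0.0.1?a=1"):
        base, sig = request_token_signature(cb, "CONSTRUCTED_SECRET")
        print(cb, "->", sig)
        print("   ", base)
```

Comparing the printed base string with the one the client library actually signs shows whether the callback is being encoded twice inside the base string, as the specification requires.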

