Cannot remove callback url


#1

Hi. I need urgent help. I have mistakenly added a callback URL in the developer settings for our production app. The form does not allow resetting the URL to be blank - it just reverts it to the previous value.

This is now breaking our app as it is redirecting users to the wrong place - showing the callback URL page instead of a verification code.

We need to remove the callback URL ASAP. Please help.

Paul


#2

Set it to oob for “out of band”


#3

Thanks abraham, but the form validation insists on a valid URL so that doesn’t work.

It looks like this has been a probelm with this form for years and it has never been fixed. I’ve been a bit hasty and changed this for a production app - which is now broken until someone from twitter responds.


#4

During POST oauth/request_token specific oauth_callback=oob.


#5

abraham, this can’t be fixed in our code - it’s a desktop app that’s distributed to hundreds of customers, hardcoded to point to this twitter app.

The twitter app configuration must have a blank callback url, but the form just won’t let me revert it to blank.

I updated my original post to point out that this related to our production app - a silly mistake I know, but it wouldn’t be a problem if there wasn’t a bug in that settings form.


#6

You better get started rolling a new version of the app. Best case scenario if Twitter sees this post and rushes out a update might get this fixed in a week or two. You shouldn’t rely Twitter getting this prioritized and fixed though as it could take a while.

That will also make you compliant with the docs which specify:

the only difference being that the value for oauth_callback must be set to oob during the POST oauth / request_token call.


#7

Yes, we will consider enforcing oob in the oauth request in future.

The workaround for now, which was obvious and I should have seen earlier, is to relay the verifier to the user in a custom redirect page. The verifier is in the query sting as oauth_verifier. It’s not the numeric PIN that the twitter page shows, but it still works.

However, if anyone from twitter is reading this, please fix that bug in the settings form - it’s been there for years. Or please provide an explicit out-of-band option.


#8

Just ran into this issue. I now have to create a new Twitter app because I cannot remove the callback URL from the Settings page. Very annoying bug that’s apparently been around for quite some time now.


#9

I just made this mistake as well. Amazing that after several years and immense developer frustration Twitter has not fixed this issue, seriously??

The solution is to enter “oob” in your callbacl URL field in the settings form. If you make it blank, then it does not update it, but if you enter “oob” then it reverts to the pin method on validation.


#10

OMG, more than 3 years later this is still happening. Totally annoying.


#11

Can you be clear please on the exact issue you are describing given that a) this thread is 3+ years old and much has changed and b) we’ve just announced the requirement for all registered callback URLs to be whitelisted?

What code are you using, what error are you seeing and what is the status of your app configuration please?


#12

Of course:

  • Go to Twitter Application Management.
  • Select your application.
  • Go to Settings tab and then ‘Callback URLs’.
  • Click “Add a Callback URL” to add one or N new URLs.
  • Input the new URL(s) and click “Update Settings” right at the bottom of the form.

After this, whether you add multiple callback URLs intentionally or accidentally, there is no turning back! You can’t remove them to just 1 callback URL afterwards. You can’t even clean the whole Callback URL section out regardless of having the callback locking disable or not needing this functionality at all. In any case you will get “Error - Please make sure you have at least 2 callback URLs.” everytime you try to reduce the ammount of URLs to 1 or zero.

So, I guess that just like those developers in this very same topic 3 and 2 years ago, there’s nothing you can do, other than create a new twitter App.


#13

Multiple callback URLs is brand new functionality this week so this is something I can check on.

If you do NOT use sign in with Twitter then the callback URL should be irrelevant.


#14

So I just realized that you require whitelisted callback URLs because I was told by a user of our application that the Login with Twitter was broken. Ran into the same issue. Unreal that it has been this way for so long. It is saying " Error: Please make sure you have at least 2 callback URLs."

I only have one callback URL.

Anyway, in order to move past this issue, I added another URL even though it doesn’t exist, and I have the correct one in place as the first one in my callback URL list on the page. Saved the settings. Tried to login with Twitter into my application. Still doesn’t work.

This is a major breaking change for us. We have been an application that allows sign-ins with Twitter for years, but since you made the breaking change none of our users can login with Twitter anymore.

Also, it’s not clear what you mean by “whitelist”. Where is this? The Settings page doesn’t seem to have a whitelist section?

Please please please advise.

Thank you


#15

Ugh, I can imagine how annoying this must be for you, and I’m sorry you didn’t learn about this earlier. Let me try to help.

I’m surprised by the message about needing 2 callback URLs, as I’m not aware that this is something we enforce. Did you add an additional box in the application settings, but then not put text into it? I’ll definitely ask internally about this, because that’s a really unhelpful error message.

Does your code specifically include the callback URL when it calls the OAuth endpoint? That’s the key thing here - the URL you’ve listed on your app dev settings page, and the value that your code is sending on the API call, needs to match.

“whitelist” could also be read as “register” - we now need the value on the app dashboard, and the value the app uses, to match.


#16

Sorry for chiming in late here. I had a discussion with our product team about this.

There is a known irregularity with apps.twitter.com that we are aware of related to the requirement of 2 callback URLs.
This irregularity has been fixed in our new Twitter apps dashboard within developer.twitter.com. To be able to access this dashboard, you have to either have applied for a developer account or have an approved developer account.


#17

Andy, Thanks for your reply. We built our application before you needed approval. Do I have to go through the approval process now in order to fix this issue? Our users haven’t been able to login with Twitter for a while. Some of them only used Twitter to login. Is there any way you can look into it on your end and fix it for me if I give you our callback URL?

By the way, the correct callback URL is listed already. I had to add a fake one to account for the issue with requiring two of them. But still getting 500 errors when trying to login with Twitter.

Any help greatly appreciated.

Thanks,
Sam


#18

Unfortunately, we cannot make changes to your account on our end.

If you have the correct callback URL already listed, this process should be working properly. Please make sure that the callback URL listed in apps.twitter.com is the same as the one that you are using with your POST oauth / request_token request.

I do suggest that you apply for a developer account whenever you get the chance. It is a best practice to be very specific about your use case when going through the process.


#19

Thanks LeBraat,

I just applied for a developer account. A bit worried TBH. Our application is several years old and is used by serious journalists like @MillerMena @MichaelDWeiss and magazines like @Interpreter_Mag to create (write) stories. We use Twitter for login, and we also use your search api to allow users to search for tweets and pull them into their reporting. It’s about as legit a use-case as you can get. Truly hope we have no issues…

By the way, yes, the URL for the callback we are using is the one for our POST oauth / request token. But still getting 500 error upon callback.

Thanks again. Hopefully you’ll stick with me till we get this sorted out. Really appreciating your timely replies.

Regards,
Sam


#20

Where are you getting a 500 error? If your callback_url is incorrect you will get an error message when calling POST oauth/request_token but it will not be a 500 error and it will tell you that it’s an issue with the callback_url. If you are getting a 500 error when a user gets redirect to twitter.com to authorize or when they return to your site from authorizing it’s a different issue.