Cookies and OAuth Redirect


#1

We have OAuth working for our application, but have run into a strange error with cookies. If a user is required to authenticate a second time, they are being redirected to a broken link, rather than our callback URL.

The broken URL looks like this (with token and verifier removed, obviously):
https://api.twitter.comglu-oauth-twitter//callback?oauth_token=token&oauth_verifier=verifier

The correct URL (where we are redirected to successfully the first time) should be:
glu-oauth-twitter://callback?oauth_token=token&oauth_verifier=verifier

Our auth process is standard:

  1. Set consumer keys and get request token.
  2. Send user to the authentication URL.
  3. After user grants permission, send POST with verifier.

We’re able to get our auth tokens successfully the first time around. The problem occurs the second time. On user logout, we destroy their saved auth tokens. If a user then logs back in and wants to use a Twitter feature, they must go through the OAuth process again. However, when we send the user to the authentication URL, they are immediately redirected to the broken URL.

From what we can tell, it seems to have to do with the browser cookies. We have tried this on both mobile and standard browsers, and both have the same broken redirect. If we clear cookies, the user is once again required to log in and everything functions properly.

For some reason it seems that when a user’s credentials are pulled from a cookie, the callback redirect is somehow tacked on as a relative path rather than as an absolute. In fact, we can authenticate properly using the exact same request URL as soon as we clear cookies. Are we missing something else that could cause this behavior?


#2

Note: This is happening only with the authentication URL, not the authorization URL, which we have switched to for now.
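
An added example, not part of the posts above and not the poster's code: a client-side check that accepts a redirect only when it is exactly the registered callback and carries the request token issued in step 1. The function names and the sample URLs (built from the two URLs quoted in post #1) are assumptions for illustration.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Callback from post #1; the two sample URLs are constructed from the post.
REGISTERED_CALLBACK = "glu-oauth-twitter://callback"
GOOD_URL = "glu-oauth-twitter://callback?oauth_token=token&oauth_verifier=verifier"
BROKEN_URL = ("https://api.twitter.comglu-oauth-twitter//callback"
              "?oauth_token=token&oauth_verifier=verifier")


def redirect_target(url):
    """Return (scheme, host, path) so a redirect can be compared field by field."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path


def check_callback(received_url, request_token, registered=REGISTERED_CALLBACK):
    """Return oauth_verifier if received_url is the registered callback for
    the request token we issued; raise ValueError otherwise."""
    if redirect_target(received_url) != redirect_target(registered):
        scheme, host, path = redirect_target(received_url)
        raise ValueError(f"unexpected redirect target: {scheme}://{host}{path}")

    params = parse_qs(urlsplit(received_url).query)
    tokens = params.get("oauth_token", [])
    verifiers = params.get("oauth_verifier", [])
    # Duplicate or missing parameters are rejected rather than guessed at.
    if len(tokens) != 1 or len(verifiers) != 1:
        raise ValueError("oauth_token and oauth_verifier must each appear once")

    # Bind the callback to the request token from step 1 of the flow.
    if not hmac.compare_digest(tokens[0].encode(), request_token.encode()):
        raise ValueError("oauth_token does not match the issued request token")
    return verifiers[0]


if __name__ == "__main__":
    print(check_callback(GOOD_URL, "token"))
    # The broken URL is an https URL whose host absorbed the custom scheme
    # name, so it never reaches the app's custom-scheme handler.
    print(redirect_target(BROKEN_URL))
    try:
        check_callback(BROKEN_URL, "token")
    except ValueError as err:
        print("rejected:", err)
```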