Invalid oauth_verifier parameter


#1

I am implementing OAuth in Java with the following sequence:

  1. Sending POST https://api.twitter.com/oauth/request_token (with callback)
    Twitter response contains oauth_token, oauth_token_secret and oauth_callback_confirmed=true
  2. Redirecting to https://api.twitter.com/oauth/authenticate?oauth_token={oauth_token from previous response from twitter}
  3. Twitter login form appears, I click on the button "login".
  4. Twitter redirects to {callback_url}?oauth_token={this token equals token from oauth/request_token response}&oauth_verifier={verifier}
  5. POST https://api.twitter.com/oauth/access_token
    with OAuth header including oauth_token; message body contains oauth_verifier={returned verifier}
  6. Twitter response=Error processing your OAuth request: Invalid oauth_verifier parameter

What is wrong with oauth_verifier?

#2

I’m not sure exactly what your issue is - I can recommend you take a look at Twitter4J which is a very popular third-party Java client for the Twitter API, to see how it implements OAuth.


#3

I seem to have a similar issue. Did you find a solution in the end?


#4

Hi @LyapunovAlexand @andypiper @wilhelmklopp, on our site we experienced the same issue a couple of days ago. We re-checked all the REST API documentation and our code and everything was OK.
What I did to solve this was to send the oauth_verifier parameter as a header param, not as a body/post param, and now it is working well.

It seems it is a Twitter bug in their documentation https://dev.twitter.com/web/sign-in/implementing (on STEP3) or in their code.

Hope we get some insights about this from the Twitter staff.


#5

@juanjodlt That worked! Wow, the docs really need an update…

Thank you so much :smiley:


#6

TwitterOAuth is passing oauth_verifier in the body of a POST request just fine. I’m guessing there might be some other encoding/signature error going on.


#7

TwitterOAuth has been working on my site, but my users just started complaining this past week that it is not working when they try to log in with Twitter. I found there is an 'invalid oauth verifier parameter' error when requesting the access token after the user authorization callback from Twitter. I updated the library with the latest master from git and I am still seeing the same error. Can you please help?

This is a debug dump:

The Authorization header:
string(348) "Authorization: OAuth oauth_version="1.0", oauth_nonce="c0243992c4cdc7be81db51539c8a2b73", oauth_timestamp="1442564353", oauth_consumer_key="…", oauth_token="dIEhcQAAAAAAeIQEAAABT9-I1IY", oauth_verifier="wAbSlC7wGDOa6IztGzl0dGMfgmgAgRQx", oauth_signature_method="HMAC-SHA1", oauth_signature="UPNEmlCVA8%2B6d4o5ejw7KM7azpI%3D""

Options (curl option dump, keyed by CURLOPT_* number):
array(14) { [41]=> bool(true) [10065]=> string(74) "/var/www/html/wp-content/themes/make-child/Abraham/TwitterOAuth/cacert.pem" [78]=> int(5) [42]=> bool(true) [10023]=> array(3) { [0]=> string(24) "Accept: application/json" [1]=> string(348) "Authorization: OAuth oauth_version="1.0", oauth_nonce="c0243992c4cdc7be81db51539c8a2b73", oauth_timestamp="1442564353", oauth_consumer_key="…", oauth_token="dIEhcQAAAAAAeIQEAAABT9-I1IY", oauth_verifier="wAbSlC7wGDOa6IztGzl0dGMfgmgAgRQx", oauth_signature_method="HMAC-SHA1", oauth_signature="UPNEmlCVA8%2B6d4o5ejw7KM7azpI%3D"" [2]=> string(7) "Expect:" } [19913]=> bool(true) [81]=> int(2) [64]=> bool(true) [13]=> int(5) [10002]=> string(42) "https://api.twitter.com/oauth/access_token" [10018]=> string(40) "TwitterOAuth (+https://twitteroauth.com)" [10102]=> string(4) "gzip" [47]=> bool(true) [10015]=> string(47) "oauth_verifier=wAbSlC7wGDOa6IztGzl0dGMfgmgAgRQx" }

Response:
string(1511) "HTTP/1.1 401 Authorization Required cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 content-encoding: gzip content-length: 93 content-security-policy: default-src 'none'; connect-src 'self'; font-src …/i/csp_report?a=NVQWGYLXFVWG6Z3JNY%3D%3D%3D%3D%3D%3D&ro=false; content-type: text/html;charset=utf-8 date: Fri, 18 Sep 2015 08:19:28 GMT expires: Tue, 31 Mar 1981 05:00:00 GMT last-modified: Fri, 18 Sep 2015 08:19:28 GMT ml: S pragma: no-cache server: tsa_a set-cookie: guest_id=v1%3A144256436841283344; Domain=.twitter.com; Path=/; Expires=Sun, 17-Sep-2017 08:19:28 UTC status: 401 Unauthorized strict-transport-security: max-age=631138519 www-authenticate: OAuth realm="https://api.twitter.com" x-connection-hash: 5a9bbf869593d46b372f36f1d374080f x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-response-time: 232 x-transaction: 9acc051f6c72e75d x-tsa-request-body-time: 1 x-twitter-response-tags: BouncerCompliant x-ua-compatible: IE=edge,chrome=1 x-xss-protection: 1; mode=block Error processing your OAuth request: Invalid oauth_verifier parameter"


#8

What does the code look like that is actually making the oauth request for the access_token?


#9

I’m following your example but with $_GET. I did verify the oauth_verifier is the one returned by Twitter.

$access_token = $connection->oauth("oauth/access_token", array("oauth_verifier" => $_GET['oauth_verifier']));

#10

One thing to check is that each oauth_verifier is only getting used once. If you happen to call the method twice it'll throw an error.


#11

Yes, it is only called once according to the flow. I noticed there is an oauth_verifier in the oauth/access-token request header and body; why is this necessary? I googled but can't find the definition of 'invalid oauth verifier parameter', can you help?

Thanks!


#12

In my test everything works fine. I've also found that trying to use the same oauth_verifier token twice in a row results in the error This feature is temporarily unavailable, so that shouldn't be the problem. In fact the only time I got the error `` is if I changed the actual oauth_verifier token (e.g. added some characters). My recommendation is to audit the path to make sure the oauth_token in the query string in the HTTP redirect from Twitter is exactly what is being sent to Twitter when asking for the access_token.

Sample request headers:

* Connected to api.twitter.com (199.59.150.41) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: api.twitter.com
* Server certificate: VeriSign Class 3 Secure Server CA - G3
* Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5
> POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
User-Agent: TwitterOAuth (+https://twitteroauth.com)
Accept-Encoding: gzip
Accept: application/json
Authorization: OAuth oauth_version="1.0", oauth_nonce="ff5aaab27b5562e27137ccbccb057256", oauth_timestamp="1442639042", oauth_consumer_key="awJfND4zFGapGOFKfdjg", oauth_token="-7D42wAAAAAAABtaAAABT-P70Vg", oauth_verifier="0hjpzjH5JJ46IH0fgblRtoVUFkeKoHf4", oauth_signature_method="HMAC-SHA1", oauth_signature="50kPtHSUa9Siafd9EWYZV4Cwquc%3D"
Content-Length: 47
Content-Type: application/x-www-form-urlencoded

* upload completely sent off: 47 out of 47 bytes
< HTTP/1.1 200 OK
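
Added example, not code from this thread or from the TwitterOAuth library: a minimal OAuth 1.0a (RFC 5849) signer for step 5 of the flow in #1 that carries oauth_verifier as a signed protocol parameter in the Authorization header (the approach #4 reports working), refuses to proceed when the callback's oauth_token differs from the stored request token (the root cause #13 found, which #12 recommends auditing), and includes the server-side recomputation so a verifier mismatch can be reproduced offline. All keys, tokens and secrets are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote

ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(s, safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    """HTTP method, base URL and the sorted, encoded parameter string, joined by '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def build_access_token_request(consumer_key, consumer_secret, stored_request_token,
                               stored_request_secret, callback_token, callback_verifier,
                               nonce=None, timestamp=None) -> dict:
    """Step 5: sign the access_token request with the verifier in the Authorization header."""
    # The callback's oauth_token must be the request token issued in step 1; a valid
    # verifier paired with a different token is exactly the bug reported in #13.
    if not hmac.compare_digest(callback_token, stored_request_token):
        raise ValueError("callback oauth_token does not match the stored request token")
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": stored_request_token,
        "oauth_verifier": callback_verifier,
        "oauth_version": "1.0",
    }
    base = signature_base_string("POST", ACCESS_TOKEN_URL, oauth)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, stored_request_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    # Empty body: the verifier travels once, in the header, so it is signed exactly once.
    return {"method": "POST", "url": ACCESS_TOKEN_URL, "body": "",
            "headers": {"Authorization": header,
                        "Content-Type": "application/x-www-form-urlencoded"}}

def parse_authorization_header(header: str) -> dict:
    """Turn 'OAuth k="v", k="v"' back into a dict with decoded values."""
    return {unquote(k): unquote(v.strip('"'))
            for k, v in (p.split("=", 1) for p in header[len("OAuth "):].split(", "))}

def verify_signature(method, url, header_params, consumer_secret, token_secret) -> bool:
    """Server side: recompute the signature over the received protocol parameters."""
    params = dict(header_params)
    received = params.pop("oauth_signature")
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)
```

Any edit to oauth_verifier (or oauth_token) after signing makes verify_signature fail, which is the client-side analogue of the 401 the thread is chasing.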

#13

Abraham, we finally found the problem is due to a bug in our code that sends the wrong oauth_token in certain cases in the access_token request. Thank you for your time in helping to look into this and your excellent work on the oauth library.

