No request token for this page


#1

Hello

Since this morning, users face a problem trying to connect to my website with Twitter OAuth
The problem occurs for users that have many twitter accounts.

when they arrive on the twitter authorizatin page (https://api.twitter.com/oauth/authorize?oauth_token=M65dkAAAAAAAeoLPAAABU_Scfew), they use the top right icon to disconnect the current Twitter account, enter their login/pass to connect with the wanted Twitter account

And then they get the error “There is no request token for this page” whereas it was working fine yesterday…

Doing some tests, it appears that if you disconnect the current twitter account on the authorization page and reconnect with the same one, everything goes OK

The problem is really at changing from Twitter account on the authorization page

Can you reproduce the problem ? (and fix it … ?)

Thanks


#2

Apologies. There was a temporary change on our side that may have caused an issue here - hopefully things are back to normal now.


#3

Things were back to normal as you answered but they are again broken from tonight :frowning:


#4

You may have noticed that we had a short service disruption a few hours ago - I’m guessing this could be a knock-on effect while things return to normal.


#5

2 days after and the problem is still there. Any indication on when it will be fixed?


#6

Ironically, I’m noticing the exact same problem trying to log in here to report.

Repro:

  1. Sign in on Twitter somewhere

  2. Go through a Sign in with Twitter login (for example this forum)

  3. On the Twitter auth page, select Sign Out

  4. Once signed out, put in the credentials for a different account, and hit Authorize.

  5. Error 403 and the error message is:

Whoa there!

There is no request token for this page. That’s the special key we need from applications asking to use your Twitter account. Please go back to the site or application that sent you here and try again; it was probably just a mistake.

I can provide the HAR dump on request.

The process works fine if you are not signed in when you get to the Twitter auth page. EDIT: It also works if you’re already signed in as a user and just reauthorize. So my app is definitely sending in the token correctly, just like it has been doing until this broke. It looks like somehow the sign out is either losing the app token, or then some combined token is invalidated when you sign out.

I have a sneaking suspicion this has something to do with the Sign In With Twitter changes that were made for Tweetdeck Windows EOL (and already broke using web Tweetdeck with SIWT).

@andypiper Any updates on this?


#7

And this problem is still occurring. Anybody know of any way of reaching somebody who can actually acknowledge the problem?


#8

More than one month that this problem exists… Is someone working on it??


#9

Hey @andypiper or anyone else, this problem still exists. It’s been two months. Sign In With Twitter is completely broken currently.

Any news?


#10

I’m sorry that this is so frustrating for you.

Clearly this is an issue for a couple of folks but I’ve not heard of it being a widespread problem so let’s see if we can find any commonalities:

  • can you share a link to a site where this is broken?
  • can you share any of your sign-in with Twitter code / what language, libraries or frameworks are you using in your apps?
  • what browsers does this occur in?
  • there’s mention earlier in this thread of this affecting a user switch rather than a fresh sign-in, can we narrow this down specifically?

re: TweetDeck, the only change I’m aware of is that now TweetDeck shares the main twitter.com cookie so that a user login can flow between both sites, I don’t think there is necessarily any relationship to the problem being described, but I can’t be sure.


#11

First, we can effectively narrow to the case of a user switch

The original problem I had, that was solved for a few days and then has appeared again is effectively when you come to Twitter authorization page https://api.twitter.com/oauth/authorize?oauth_token=M65dkAAAAAAAeoLPAAABU_Scfew, being already logged. If you log out from the top right menu of this page and fill in a new user ID / password, you get the “no request token for this page”

To give you request details, this happens on the website getwonderboard.com which is using PHP OAuth through Abraham library https://github.com/abraham/twitteroauth and it happens in any browser

But I am pretty sure that the problem is internal to twitter authentication, I made the test picking a website randomly in a google search : http://dabr.co.uk/ and I get the same problem


#12

OK yes I see - it does seem specific to logging out of Twitter and back in during an OAuth flow, which causes the token to vanish. I’ll see if I can learn anything about any recent change here.


#13

Interestingly though, I’ve just gone through the same process with another site, from an account with no 2FA to another one with 2FA, and the token was maintained. Curiouser…


#14

@andypiper My experience is every Sign in with Twitter page, too. It actually happens here on twittercommunity as well, although in that case it’s a little obscured because of the popup + second tab:

  1. Log out on twittercommunity
  2. go to twitter.com
  3. log in with an account that has not been authorized for twittercommunity
  4. come to twittercommunity
  5. click Log In
  6. click Sign Out in the popup window
  7. try to sign in with any other credentials in the new tab/window
  8. -> No Request Token error

The reason I mentioned tweetdeck was just because that change to how Sign Out works was made right around that time (it signs you out everywhere, which is really annoying for anyone with multiple accounts, but a slightly separate problem).

Edit: on my own site I’m using nodejs and passport-twitter, but I think this is an issue on the Twitter OAuth side.


#15

Any news on the resolution of this problem that is still there


#16

Typepad has also been having this exact same issue after it working for years. It appears that the oauth token cookie, if present, now takes precedent over the NEW oauth token provided in the query string of the uri to api.twitter.com/oauth/authorize?oauth_token=
If a user logged into Typepad yesterday via Twitter, logged out of Typepad, closed the browser, went to sleep, and now today, logs into Typepad via Twitter, they will get the now famous No Request Token because yesterday’s oauth token cookie is stale and used. Why does Twitter not use the oauth token in the query string?

What changed? This used to work just fine. Now unless a user manually clears cookies, it will fail every time. Users not happy.


#17

The problem seems to have been fixed at least on my site!