Hello Twitter team!

I’ve set up login via Twitter using Firebase Auth. This all works fine. Firebase handles the whole OAuth 2.0 flow, exchanging the authorization_token for an access_token. Firebase then returns my Twitter user’s details, together with the access_token.

I have assumed that this access_token can be used to make requests on behalf of my Twitter user. However, the following “DELETE Tweet” request fails:

curl --location --request DELETE 'https://api.twitter.com/2/tweets/1392417123721033218' \
--header 'Authorization: Bearer <access_token_returned_by_firebase>' \
--header 'Content-Type: text/plain' \
--data-binary '@'

I get the following response:

{
    "title": "Unsupported Authentication",
    "detail": "Authenticating with OAuth 2.0 Application-Only is forbidden for this endpoint.  Supported authentication types are [OAuth 1.0a User Context, OAuth 2.0 User Context].",
    "type": "https://api.twitter.com/2/problems/unsupported-authentication",
    "status": 403
}

What am I missing here?

Hi, welcome to the community.
I think this should be Basic instead of Bearer.

Hmmm, I think Basic is used for username:password authentication, usually like <base64_username>:<base64_password>. Access to API v2 via OAuth2 is done with an Authorization: Bearer <token> header.

Reference https://developer.twitter.com/en/docs/authentication/oauth-2-0/user-access-token

You can see an example at the end of the document.

Making a request on behalf of a user seems to be done via the Authorization: Bearer header. Authorization: Basic seems to be used for generating the access_token from an authorization_token, or for refreshing/revoking your access_token.
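To make the split described in this reply concrete, here is an added example (not code from the thread, from Firebase, or from Twitter) that builds the two header shapes and classifies the two error bodies seen in this thread. The token endpoint URL is an assumption taken from the linked docs page; the parameter names follow RFC 6749, and nothing here sends a request.

```python
"""Authorization header shapes for the OAuth 2.0 user-context flow.

Added example, not code from the original thread, Firebase or Twitter.
TOKEN_ENDPOINT is assumed from the linked docs; grant/parameter names
follow RFC 6749.  The functions describe requests, they do not send them.
"""
import base64
import json
from urllib.parse import quote, urlencode

TOKEN_ENDPOINT = "https://api.twitter.com/2/oauth2/token"  # assumed, see lead-in


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Basic' header for the token endpoint (code exchange, refresh, revoke).

    RFC 6749 s2.3.1: client id and secret are form-urlencoded, joined with
    ':' and base64-encoded.  The client secret belongs only on this call,
    never on a resource request made with the user's token.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def bearer_header(user_access_token: str) -> str:
    """'Bearer' header for resource requests made on behalf of the user."""
    return "Bearer " + user_access_token


def refresh_request(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """Describe the refresh call: Basic client auth plus a form-encoded body."""
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token}),
    }


def user_request(user_access_token: str, method: str, url: str) -> dict:
    """Describe a user-context resource call, e.g. DELETE /2/tweets/:id."""
    return {
        "method": method,
        "url": url,
        "headers": {"Authorization": bearer_header(user_access_token)},
    }


def classify_api_error(body: str) -> str:
    """Tell the two v2 problem+json bodies from the thread apart.

    'unsupported-authentication' means the token *kind* is wrong for the
    endpoint (e.g. an app-only bearer where user context is required).
    A bare 403 means the token kind was accepted but the request itself
    was refused, so the token's scopes / app permissions are the place to look.
    """
    problem = json.loads(body)
    ptype = problem.get("type", "")
    status = problem.get("status")
    if ptype.endswith("/unsupported-authentication"):
        return "wrong-token-kind: " + problem.get("detail", "")
    if status == 403:
        return "forbidden: token kind accepted, request refused (check scopes/app permissions)"
    return f"other: {status} {problem.get('title', '')}"
```

Feeding the first error body from this thread into `classify_api_error` yields the "wrong-token-kind" verdict, while the later bare 403 yields the "forbidden" verdict, which is the distinction the two responses are making.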

Oh yeah, my bad, I misread.
How about another endpoint? Did it work?

In the meanwhile, I’ve realised that the Firebase TwitterAuthProvider only supports OAuth1. Therefore, I am only getting back from Firebase a user-context access token + secret, which can be used with the Twitter API v1.

I’ve gone ahead and changed to next-auth (their Twitter provider handles OAuth2). This time I do get back an OAuth2 access_token. However, when I issue a request I’m now getting:

{
    "title": "Forbidden",
    "type": "about:blank",
    "status": 403,
    "detail": "Forbidden"
}

Note that it’s not complaining about my Authentication type. My Twitter app requires both Read & Write, so it should be able to delete tweets. Any idea why this might be?

1 Like

Yes, an error like this does not provide accurate information about the problem that occurs; it seems that it has been discussed in another topic.