OAuth authorization fails to redirect users back to the application

semifor · 2022-03-26T00:40:23.246Z

I periodically hear from users of my application that they cannot sign in with Twitter. In the most recent case, the user captured screenshots and shared some details about what they are seeing.

They’ve been unable to sign on even after clearing their browser cache and trying from an incognito window.

After entering their Twitter handle and password and clicking the Sign In button, they get a page that says “That page has expired or dose not exist. Please try logging in again.”

I had them copy/paste the URL from the browser address bar at that point. I’ve modified it a bit here to protect their ID.

https://twitter.com/account/login_verification?platform=web&user_id=<elided>&challenge_type=Totp&challenge_id=<elided>%252&redirect_after_login_verification=https%3A%2F%2Fapi.twitter.com%2Foauth%2Fauthenticate%3Foauth_token%<elided>

For this user, it occurs repeatedly. Other users over the past several months have reported the same issue. I’ve suggested they try an incognito/private window and clear their browser cache if that works. I haven’t heard back from them, so assume that worked though I can’t verify that.

I previously reported this same issue in the Business Developers forum. I’m posting this new occurrence here for better visibility.

Is this a known issue? What information can I provide to help diagnose this so it can be resolved?

-Marc

jessicagarson · 2022-03-29T19:22:12.768Z

Thanks, @semifor. I’m asking a few coworkers about this issue, and I’ll get back to you shortly.

jessicagarson · 2022-03-29T21:19:45.439Z

I talked to a few coworkers and learned this is a known issue. This happens on the Oauth 1.0a flow when the user is asked to verify recent logins (e.g., if we see suspicious activity and we ask users to verify). This is an issue because people cannot go back to the app. But instead, they go back to Twitter. I surfaced this with the relevant team, and I’ll let you know when I hear further.

jessicagarson · 2022-03-29T21:51:01.416Z

I just talked to our account security team and got some further clarity here. We might have missed some redirect logic handling since account/login_verification is deprecated. The team is working on a fix that should be deployed shortly.

semifor · 2022-03-30T15:01:24.879Z

Thanks, @jessicagarson! Fantastic news. This will make customers happy.

jessicagarson · 2022-03-30T15:24:16.310Z

I may have spoken a bit too soon here. I just sent you a DM to discuss this a bit further. Sorry for any confusion.

semifor · 2022-04-04T16:45:37.748Z

Any further news on this @jessicagarson? Is there anything I can do from my end to help?

Connexinet · 2022-04-04T20:44:32.152Z

Hey Marc,
Would the problem go away if the user logs into twitter.com first, then authenticate against your app?
If so, we have had plenty of these reports as well.
Thanks
Samir

jessicagarson · 2022-04-04T22:54:07.969Z

Thanks, @semifor. I’m going to send you a DM on this one.

semifor · 2022-04-06T16:56:19.387Z

Hi Samir. Next time a customer encounters this, I’ll ensure we verify they are signed in, first. Thanks!

system · 2022-04-20T16:56:40.150Z

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.