OAuth Authorize dialog doesn't show any error message when a wrong username or password is entered

oauth

#1

If you enter an incorrect username or password into the OAuth authorisation dialog and hit “Authorise App” then the dialog simply reloads with no visible message or other feedback to the user.

This can be confusing and appear broken to the user.

While it is a security best practice to not disclose which field was specifically incorrect, to help prevent brute forcing, it would be nice if a generic “You entered an incorrect username or password” message could be shown.


#2

I get an error when I try it. What URL are you ending up on after an incorrect login? Are you running any browser extensions that could be messing things up?


#3

Hi abraham, thanks for the reply.

I was ending up back on the same URL as the dialog started on: ‘https://api.twitter.com/oauth/authorize?oauth_token=…’.

I have just re-tested and I’m now ending up on a “Log in to Twitter” page with an error popup at the top saying “The username and password that you entered did not match our records. Please double-check and try again.”

Which is much better!

I have an ad-blocker in one browser, but I could reproduce the problem in multiple browsers, on multiple machines, from two different internet connections, so I had ruled out any client side issues.

It seems Twitter have fixed the issue which I’m very grateful for! It’s now a much nicer experience for our users.

EDIT:

Apparently I spoke too soon.

I just tried again and now it’s doing the same as it originally was, which is simply dumping me back on the “Authorise XXX to use your account?” page.

So that’s odd, because it was working only a few minutes ago.

I’m currently using Fiddler to check out the requests and responses to figure out what the difference is.


#4

I’ve done some more investigation and I think I’ve gotten to the bottom of what’s happening.

The user clicks a “Login” button and the pop-up appears with the URL:
https://api.twitter.com/oauth/authorize?oauth_token=XXX&force_login=true

  • “force_login” is true to make sure our users log in with the right Twitter account (we mainly have professional users with multiple Twitter accounts).
  • I’m using the “authorize” method rather than the “authenticate” method to make sure the user is asked to approve our application even if they’ve approved it before so it’s clear what they’re agreeing to.

When I try to login with bad credentials it goes to the URL:
GET /login/error?username_or_email=XXX&redirect_after_login=https%3A%2F%2Fapi.twitter.com%2Foauth%2Fauthorize%3Foauth_token%3XXX

I’ve found the circumstances under which I do/don’t get the error message:

  • I do get the error message if I’m not currently logged in with Twitter.
  • I don’t get the error message if I am currently logged in with Twitter.

That combined with the login URL above suggests that:

  • I enter bad credentials and get sent to the login method.
  • The login method has a redirect URL of the authorize page I just came from.
  • I’m already logged in with Twitter, so rather than showing me the error and asking me to login, it redirects me straight away back to the authorize page.
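As an added illustration of the redirect chain described in this post (not code from the thread or from Twitter), the snippet below builds the authorize URL with force_login and classifies where the popup lands after a bad-credential attempt: on the /login/error page (error visible) or straight back on the same authorize URL (the silent bounce seen when already logged in). The oauth_token value and the sample landing URLs are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs, quote

AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"


def build_authorize_url(oauth_token: str, force_login: bool = True) -> str:
    """Build the OAuth 1.0a authorize URL the popup is opened with.
    force_login=true asks Twitter to prompt for credentials even when a
    session cookie already exists (the setting used in the post)."""
    params = {"oauth_token": oauth_token}
    if force_login:
        params["force_login"] = "true"
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def _token_of(url: str) -> Optional[str]:
    """Extract oauth_token from a URL's query string, or None."""
    return parse_qs(urlparse(url).query).get("oauth_token", [None])[0]


def classify_landing(start_url: str, landing_url: str) -> str:
    """Classify where the popup ended up after submitting bad credentials.
    'error_shown'   : /login/error page whose redirect_after_login points
                      back at the authorize URL we started from
    'silent_bounce' : back on the same authorize URL with the same token,
                      i.e. no error message ever reached the user
    'other'         : anything else
    """
    start, landing = urlparse(start_url), urlparse(landing_url)
    if landing.path == "/login/error":
        after = parse_qs(landing.query).get("redirect_after_login", [""])[0]
        return "error_shown" if _token_of(after) == _token_of(start_url) else "other"
    if landing.path == start.path and _token_of(landing_url) == _token_of(start_url):
        return "silent_bounce"
    return "other"


# Constructed sample traces (not real captures); the token is a placeholder.
START = build_authorize_url("TOKEN123")
LOGGED_OUT_LANDING = ("https://api.twitter.com/login/error?username_or_email=alice"
                      "&redirect_after_login=" + quote(START, safe=""))
LOGGED_IN_LANDING = START  # server bounced straight back to the authorize page

if __name__ == "__main__":
    print(classify_landing(START, LOGGED_OUT_LANDING))  # error_shown
    print(classify_landing(START, LOGGED_IN_LANDING))   # silent_bounce
```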