OAuth callback ignored


#1

Since yesterday there have been issues with the 3-legged sign-in - OAuth1.

The oauth_callback parameter is being ignored/removed during the auth flow as though it was never applied. See picture: https://pbs.twimg.com/media/B_dfWrKUYAE58WQ.png:large

Recreate the above via link


#2

oauth_callback is not a supported parameter for GET oauth/authenticate or GET oauth/authorize. It's part of the POST oauth/request_token method, and you also need to make sure that "Allow this application to be used to Sign in with Twitter?" is enabled in your app's settings.


#3

Hi Abraham, I have enabled Sign-In with Twitter for my app http://adodson.com/hello.js/demos/twitter.html. Previous usage showed this checkbox did not affect the ability to log in to third-party apps, unlike the feature suggests, but rather provided auto-login, i.e. not having to re-grant the app on each login.

The oauth_callback is applied when calling oauth/request_token as per OAuth 1.0a. In addition to this it applies the same oauth_callback to the 2nd leg when calling oauth/authenticate and oauth/authorize as per the OAuth 1 spec, section 6.2.1:

oauth_callback: The Consumer MAY specify a URL the Service Provider will use to redirect the User back to the Consumer when Obtaining User Authorization is complete.

As I say, it's no longer honouring the oauth_callback, which contains important state information for the app.


#4

You can see in your image that you are initially sending users to oauth/authenticate, which is the Sign in with Twitter endpoint. That is why I mentioned it.

The OAuth spec you link to is OAuth 1; support for oauth_callback on oauth/authorize was removed from the 2nd leg in OAuth 1.0a for security reasons.


#5

Thanks Abraham for pointing both of those out, I made a mistake there.

I've been able to get the OAuth working by double encoding the oauth_callback value. This wasn't required before and still isn't required for oauth_callback values which do not contain URL strings amongst their URI parameters.

Unfortunately this now breaks my OAuth function on other providers, so I'm a bit stuck here as my library/service does not contain logic about individual providers.

I'm hoping there is another solution to this...
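As an added example (not code from this thread or from hello.js), the signing of a POST oauth/request_token request under OAuth 1.0a with HMAC-SHA1, using an assumed consumer key/secret and a constructed callback whose query string carries another URL. It shows why the callback value legitimately appears percent-encoded twice inside the signature base string while the Authorization header carries it encoded only once, and it sends oauth_callback on request_token only, as the thread states for 1.0a.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    # RFC 5849 section 3.6 encoding: only unreserved characters stay bare,
    # so "?", "=", "&", ":" and "/" inside a callback URL are all encoded.
    return quote(value, safe="-._~")


def normalize_params(params: dict) -> str:
    # Encode each name and value once, sort, join (RFC 5849 section 3.4.1.3.2).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params: dict) -> str:
    # METHOD & pct(base URL) & pct(normalized params). The normalized string
    # is encoded again here, so every value (oauth_callback included) is
    # double-encoded in what gets signed; the header keeps single encoding.
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def build_request_token_request(consumer_key, consumer_secret, callback, nonce, timestamp):
    # Returns (signature base string, Authorization header) for request_token.
    # oauth_callback belongs to this leg only; OAuth 1.0a drops it from
    # oauth/authorize and oauth/authenticate and instead has the provider
    # answer with oauth_callback_confirmed=true.
    url = "https://api.twitter.com/oauth/request_token"  # assumed endpoint host
    params = {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_version": "1.0",
    }
    base = signature_base_string("POST", url, params)
    params["oauth_signature"] = hmac_sha1(base, consumer_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return base, header


if __name__ == "__main__":
    # Constructed sample: the callback's own query string contains a URL.
    cb = "https://app.example/cb?next=https://app.example/page?tab=1"
    base, header = build_request_token_request("key", "secret", cb, "n0nce", "1425000000")
    print(base)
    print(header)
```

A provider and a client that disagree on whether the nested "?", "=" and "&" are encoded at the first step will compute different base strings and the signature check fails, which is the symptom a hand-applied double encoding papers over.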