OAuth callback URL lockdown



I somehow missed the OAuth callback URL lockdown announcement. Saw it in a retweet. Had a moment of panic due to the short timeframe: June 8th.

So, attempted to register Followerwonk’s callback URLs. I need to register 18. It only accepts 10.

Why so many? Two domains—site migration coming up soon and we’ll run in parallel for a bit: moz.com/followerwonk and followerwonk.com. Three environments: dev, staging, production. Three callbacks: sign-up with Twitter, login with Twitter, connect a Twitter account. 2 x 3 x 3 = 18.

I haven’t checked the docs or experimented with it, yet, but I wonder if it accepts extra parameters and passes them back.

Accepting a prefix that includes a fully qualified domain would help. Wildcarding subdomains would also help.

If nothing else, I’ll have to cache the internal callback action with the request token and redirect accordingly. But that some implementation work I hadn’t planned and I’m already on a really tight schedule for the site move.

I could use a little help here, Twitter. :wink:


I would recommend you use a separate app for dev, staging, and production. Especially since your production secrets should not be available to developers in a development environment.


That’s the advice from our product team also; however this is a new change so we are listening to feedback from a multitude of developers and we appreciate questions like this from Marc!



we have the same questions here, since our twitter app offer the possibility is used by our customers to answer to other twitter users DM or to fetch tweet that refers to our customers ( through mentions or hastags ).

Since we have an url by customer ( ex: https://.domain.com/<version, ex : 8.2>//file.ext?param1=1&param2=2 ), whitelisting all these urls will be a tedious work …
Is there any extra callback params that could be forwarded in order to identify our customers and do the match or is there any possibility to allow wildcards ?
Do you have any advice or any good pratices to achieve this ?

Thank in advance for your answer !