OAuth still returns 403 (error 415) even when callback URLs are set


#1

Hi there everyone

Became aware of the changes to OAuth around the 12th due to production errors. Have since added all callback URLs to the app settings console but am still unable to “Sign in with Twitter” and get a 403:

<?xml version="1.0" encoding="UTF-8"?>Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings

I’ve checked, checked again, checked once more and tried different things but I just cannot get it to work. Any pointers much appreciated.

Many thanks!


#2

Hi there again

Unfortunately, we still have this problem.

The Twitter API just doesn’t accept our whitelisted callback URLs - in dev or production.

Is there a possibility there is an issue on the Twitter API side here? I’ve debugged the OAuth connection locally to verify that the callback URL is correct and whitelisted in app settings, as well as the base path and the calling path, but I continue to receive 403 errors.

Appreciate any help with this issue.

Thanks


#3

What’s the specific URL path in your application that is listening for the OAuth callback for Twitter?

You need to add your fully-qualified domain, plus that path, minus any parameters, into the Callback URL panel on apps.twitter.com (feel free to share a screencap if you like).

So let’s say I have a webapp running on my server myserver.co.uk, and it has a callable path for receiving user account tokens from Twitter at /twitter/auth - we want to configure Twitter to call us back there on successful completion of authentication.

So the callback URL would be https://myserver.co.uk/twitter/auth. We also need to make sure that in our code, when we call oauth/request_token, we provide that exact same value in the callback_url parameter.


#4

Hi there @andypiper

Our callback URL is /auth/twitter/callback.

This is defined in the apps panel as:

https://warble.co/auth/twitter/callback
https://warble.co/auth/twitter

Our users still can’t sign in and I don’t really know what else I can try to get this working again.

Is there a possibility here that something is wrong on the Twitter side for our app? In the absence of a more detailed error or diagnostics from Twitter for the failure, how can we try to resolve this? Can we raise a ticket with Twitter dev support for more insight as to why our whitelisted URLs are not being accepted?

Many thanks for your help.


#5

Before we escalate, I want to verify a couple of things:

  1. You have both https://warble.co/auth/twitter/callback and https://warble.co/auth/twitter set up in your apps dashboard.
  2. You are using one or both of the above URLs with the POST oauth/request_token endpoint.

#6

Thanks for coming back. Sure.

  1. Yes - confirmed

  2. Yes - you can see the endpoint called in the logging below

I have created a bare-bones test app with our Twitter keys and I still encountered the same problem in development.

I added the httplog gem to see some basic tracing in the Rails app. I then set the client_options.site parameter available in omniauth-twitter to point the OAuth calls to a simple Python server, to trace out the initial POST request headers.

Here are the results (sensitive keys removed):

I, [2018-06-24T12:51:54.196417 #13208]  INFO -- omniauth: (twitter) Request phase initiated.
D, [2018-06-24T12:51:54.198424 #13208] DEBUG -- : [httplog] Connecting: api.twitter.com:443
D, [2018-06-24T12:51:54.243109 #13208] DEBUG -- : [httplog] Sending: POST http://api.twitter.com:443/oauth/request_token
D, [2018-06-24T12:51:54.243258 #13208] DEBUG -- : [httplog] Data: 
D, [2018-06-24T12:51:54.376164 #13208] DEBUG -- : [httplog] Status: 403
D, [2018-06-24T12:51:54.376230 #13208] DEBUG -- : [httplog] Benchmark: 0.132842 seconds
D, [2018-06-24T12:51:54.376288 #13208] DEBUG -- : [httplog] Response:
<?xml version="1.0" encoding="UTF-8"?><errors><error code="415">Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings</error></errors>
incomming http:  /oauth/request_token
127.0.0.1 - - [24/Jun/2018 12:40:16] "POST /oauth/request_token HTTP/1.1" 200 -
ERROR:root:Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: OAuth gem v0.5.4
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth oauth_callback="http%3A%2F%2Flocalhost%3A3000%2Fusers%2Fauth%2Ftwitter%2Fcallback", oauth_consumer_key="keykeykeykeykeykey", oauth_nonce="qWUl5mImPZ0vqH4AGjkwt7rU2aX8YpZ8y0TUBLLYn8", oauth_signature="sigsigsigsigsigsig, oauth_signature_method="HMAC-SHA1", oauth_timestamp="1529840416", oauth_version="1.0"
Connection: close
Host: api.twitter.com:8000

So I can see/confirm that my callback URL is:
http://localhost:3000/users/auth/twitter/callback

Of course, I’ve added the following URLs to app settings:

http://localhost:3000/
http://localhost:3000/users/auth/twitter/callback
http://localhost:3000/users/auth/twitter

And still the 403 forbidden error - the same problem we have on our production site.

Many thanks

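A small check for the exact-match rule given in #3, run against the Authorization header captured in #6, added here as an example rather than code from this thread or from omniauth-twitter; it assumes the approved list is supplied as plain strings and uses the redacted header from #6 as a constructed sample:

```ruby
require "cgi"
require "uri"

# Constructed sample: the (already redacted) Authorization header captured in post #6.
SAMPLE_AUTH_HEADER = 'OAuth oauth_callback="http%3A%2F%2Flocalhost%3A3000%2Fusers%2Fauth%2Ftwitter%2Fcallback", ' \
                     'oauth_consumer_key="keykeykeykeykeykey", oauth_signature_method="HMAC-SHA1", oauth_version="1.0"'

# Parse an OAuth 1.0a Authorization header into a hash of percent-decoded parameters.
def parse_oauth_header(header)
  body = header.sub(/\A\s*OAuth\s+/i, "")
  body.scan(/(\w+)="([^"]*)"/).each_with_object({}) do |(key, value), params|
    params[key] = CGI.unescape(value) # values are percent-encoded on the wire
  end
end

# Return nil when the callback should pass, otherwise a string explaining the rejection.
# Rules as stated in the thread: absolute URL, exact match against the approved list,
# no query parameters, and no localhost (post #8).
def callback_problem(callback, approved)
  uri = begin
    URI.parse(callback)
  rescue URI::InvalidURIError
    return "callback is not a valid URL"
  end
  return "callback must be an absolute URL with scheme and host" if uri.host.nil?
  return "localhost callbacks cannot be approved in the app settings" if %w[localhost 127.0.0.1].include?(uri.host)
  return "callback carries query parameters; the approved entry must omit them" if uri.query
  return nil if approved.include?(callback)
  "callback #{callback} is not in the approved list (exact match required)"
end

if __FILE__ == $PROGRAM_NAME
  approved = ["https://warble.co/auth/twitter/callback", "https://warble.co/auth/twitter"]
  sent = parse_oauth_header(SAMPLE_AUTH_HEADER)["oauth_callback"]
  puts "oauth_callback sent: #{sent}"
  puts callback_problem(sent, approved) || "callback would be accepted"
end
```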

#7

Hello there, did you try generating the Twitter app keys again? We had the same issue, fixed by reissuing the keys.

Davide


#8

You cannot set up your callback URL as localhost. You can read more about this in this existing topic: