When a user shares a link to our application, we expect that people will often use official clients to click on that link. Our OAuth problem is that we cannot complete an authentication flow in the Twitter iOS client, but we can in any other web browser.
When a user clicks on this link in the Twitter client, that application opens a web browser window within the app (as opposed to Safari), and the user will be sent to our site in that browser.
It is unlikely that many users will be authenticated on our site, and we require Facebook or Twitter login, so we prompt for a login. Obviously, in this scenario the user is most likely to hit “Twitter”, and may be prompted to sign into Twitter if that browser has not previously been logged into Twitter itself (to be clear, this is Twitter’s authentication page rendered by api.twitter.com before prompting for authorisation, appearing in a web browser inside the iOS Twitter client).
On accepting a valid username/password, the API constantly returns the missing request token message as below:
At this point we obviously thought “we’ve made an error” and started to check our back-end code. The URLs are being created with the twitter_oauth Ruby gem, our app is running on Heroku, and so we were confident it wasn’t clock drift or implementation error on our part.
Even weirder, this flow works 100% of the time in any other browser. Safari on iOS, Safari on desktop, Chrome on desktop, you name it.
The only time we have seen it fail in development/testing is in the Twitter iOS client browser. That suggests the URLs are fine, and that we’re doing all the right things (we use SSL, etc.).
Our application, which we render in the browser, is an AngularJS SPA which uses some custom authorisation headers and will exploit browser local storage if available - the only thing we can think of at the moment is that we’re causing a conflict somewhere.
Thanks in advance for any help.
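Added example, not the poster's code and not the twitter_oauth gem's API: a small Ruby illustration of the one check a practitioner would want in a three-legged OAuth 1.0a flow that has to survive an in-app browser. The request-token secret is kept server-side, keyed by the `oauth_token` value, with a TTL and single use, so the callback leg can complete the exchange without depending on cookies or local storage persisting across the provider round trip. `RequestTokenStore`, `FakeProvider`, `begin_login` and `finish_login` are all constructed here; the provider is an in-memory stand-in with no network access, and only the authenticate URL is a real Twitter endpoint.

```ruby
require 'securerandom'
require 'time'

# Server-side bookkeeping for OAuth 1.0a request tokens (constructed for this example).
# The secret is stored on the server keyed by oauth_token so the callback handler
# never needs browser cookies or local storage to recover it.
class RequestTokenStore
  Entry = Struct.new(:secret, :expires_at, :used)

  # clock is injectable so expiry can be exercised without sleeping.
  def initialize(ttl_seconds: 600, clock: -> { Time.now })
    @ttl = ttl_seconds
    @clock = clock
    @entries = {}
  end

  def put(token, secret)
    @entries[token] = Entry.new(secret, @clock.call + @ttl, false)
    token
  end

  # Returns the secret exactly once; nil if unknown, expired or already consumed.
  def consume(token)
    entry = @entries[token]
    return nil if entry.nil? || entry.used || @clock.call > entry.expires_at
    entry.used = true
    entry.secret
  end
end

# Stand-in for the provider's request-token, authorize and access-token steps (constructed; no network).
class FakeProvider
  def initialize
    @request_tokens = {}
    @verifiers = {}
  end

  def request_token(_callback_url)
    token  = SecureRandom.hex(8)
    secret = SecureRandom.hex(16)
    @request_tokens[token] = secret
    [token, secret]
  end

  # The user signs in at the provider; it hands back an oauth_verifier for the callback.
  def authorize(token)
    return nil unless @request_tokens.key?(token)
    @verifiers[token] = SecureRandom.hex(6)
  end

  def access_token(token, secret, verifier)
    return nil unless @request_tokens[token] == secret && @verifiers[token] == verifier
    @request_tokens.delete(token)
    @verifiers.delete(token)
    ["access-#{token}", SecureRandom.hex(16)]
  end
end

# Leg 1: obtain a request token, record its secret server-side, build the redirect URL.
def begin_login(provider, store, callback_url)
  token, secret = provider.request_token(callback_url)
  store.put(token, secret)
  "https://api.twitter.com/oauth/authenticate?oauth_token=#{token}"
end

# Leg 3: the callback carries oauth_token and oauth_verifier; the secret comes from the store,
# so a browser that dropped its storage between legs still completes the exchange.
def finish_login(provider, store, oauth_token, oauth_verifier)
  secret = store.consume(oauth_token)
  return { error: 'missing request token' } if secret.nil?
  access = provider.access_token(oauth_token, secret, oauth_verifier)
  return { error: 'access token exchange failed' } if access.nil?
  { access_token: access[0] }
end
```

A replayed or stale callback is refused at `consume`, which is the behaviour you want: an unknown, expired or already-used `oauth_token` maps to one clear error rather than a half-completed login. In a real deployment the store would be shared (database or cache) rather than a per-process hash, and the token lookup should be the only state the callback needs.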