[Solved] OAuth::Unauthorized (403 Forbidden)


Hi there,

Edit:// I could get it working by using twitter_oauth instead of oauth itself. Still no idea why, but it helped.

I know there are other threads with similar problems, but except “check your callback url” and “check your clock” nothing helpful was found. Except that one guy who stated that Twitter is currently having issues, about 2 years ago.

Anyway, I have API key & Secret and want a token. Nothing special, nothing I haven't done like 5 times yesterday, nothing that ever didn't work after at max. 0.5 hours.

My current code is the following:

In request:

	oauth = OAuth::Consumer.new(Rails.application.config.twitter[:client_id], Rails.application.config.twitter[:client_secret],
	                             { :site => "http://api.twitter.com" })
	url = "http://#{Rails.application.config.domain}/auth/callback/twitter/"
	request_token = oauth.get_request_token(:oauth_callback => url)
	session[:token] = request_token.token
	session[:secret] = request_token.secret
	redirect_to request_token.authorize_url

It fails at oauth.get_request_token with nothing other than:

OAuth::Unauthorized (403 Forbidden):
  app/controllers/external_token_controller.rb:76:in `request_twitter'

The URL looks exactly as defined in the Application Management and also exactly like it is supposed to be actually called. Also, removing it from the failing query comes to the very same result.

You may have noticed this got me really mad, sorry about that. But not explainable errors without solutions or even a small error message seem a little off to me in a public API.

I didn't think this could take longer than the same part written for Facebook, Github & Instagram together, so I am really back on time. Any possibly fast help is really appreciated!

~ Roman


Hi, I am facing this issue now. Any updates?


Are you having this issue in the exact same Ruby code posted above?

Have you seen the announcement about callback whitelisting? This may be your issue.


Oh! I missed this announcement! My bad. Now it's working after adding the callback_url in the whitelist. Thanks a lot.
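
A preflight check for the callback whitelisting fix that resolved the thread, as an added example that is not part of any post above: it compares the `oauth_callback` you are about to send against the URLs registered in the app settings and explains near misses. It assumes the provider matches whitelist entries as exact strings; `check_callback`, `WHITELIST` and the `example.test` URLs are hypothetical, constructed names.

```ruby
require "uri"

# Callback URLs as registered in the app settings (constructed sample values).
WHITELIST = [
  "https://example.test/auth/callback/twitter",
  "https://staging.example.test/auth/callback/twitter/"
].freeze

# Assumption: the provider accepts a callback only on an exact string match.
# Returns [:ok, []] on a match, otherwise [:mismatch, reasons], where each
# reason names a same-host whitelist entry and how the sent URL differs from it.
def check_callback(callback, whitelist = WHITELIST)
  return [:ok, []] if whitelist.include?(callback)

  sent = URI.parse(callback)
  reasons = whitelist.map do |entry|
    reg = URI.parse(entry)
    # Only entries on the same host are plausible near misses.
    next unless reg.host.to_s.casecmp?(sent.host.to_s)

    diffs = []
    diffs << "scheme #{sent.scheme} != #{reg.scheme}" if sent.scheme != reg.scheme
    if sent.scheme == reg.scheme && sent.port != reg.port
      diffs << "port #{sent.port} != #{reg.port}"
    end
    if sent.path != reg.path
      same_but_slash = sent.path.chomp("/") == reg.path.chomp("/")
      diffs << (same_but_slash ? "trailing slash differs" : "path #{sent.path} != #{reg.path}")
    end
    diffs << "query string differs" if sent.query != reg.query
    diffs << "strings differ, compare byte for byte" if diffs.empty?
    "#{entry}: #{diffs.join(', ')}"
  end.compact

  reasons = ["no whitelist entry for host #{sent.host}"] if reasons.empty?
  [:mismatch, reasons]
end

if __FILE__ == $PROGRAM_NAME
  # Same shape as the URL built in the first post: http scheme, trailing slash.
  status, reasons = check_callback("http://example.test/auth/callback/twitter/")
  puts status
  puts reasons
end
```

Running a check like this at boot or in a test turns a bare 403 from the request-token call into a named difference between what is sent and what is registered.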