Twitter OAuth not returning oauth_verifier


#1

I am developing an open source WordPress plugin that allows users to create a WordPress account by simply using their Twitter account (uses tmhOAuth library). Here’s the code for the plugin: https://github.com/luckyshot/wp-twitter-login/blob/master/twitterlogin.php

Usually it would run function login (line 110) and redirect the user to Twitter. The user would authorize and come back to the website in a URL like:

http://mywebsite.com/?oauth_verifier=

The plugin would detect the Twitter reply through this (line 71):

} else if (isset($_REQUEST['oauth_verifier'])) {

Problem is that for some users it just redirects them to:

http://mywebsite.com/

And there is no GET or POST or any other parameter returned by Twitter.

This problem just happens with some users. I’ve updated the tmhOAuth library to its latest version, tried it in several WordPress installations, cleared cookies, cache and session from both domains, etc.

Is there anything I am doing wrong? Should I detect the callback from Twitter another way? Or is there something wrong with Twitter or OAuth?


#2

Can you verify that you’re using the correct paths and explicitly sending an oauth_callback value on the request_token step? (It’s required…) You should be using paths that look like:

https://api.twitter.com/oauth/request_token
https://api.twitter.com/oauth/authorize
https://api.twitter.com/oauth/access_token


#3

Hi Taylor,

Thank you for your reply. These are the URLs/steps that reproduce the error:

  1. Mywebsite generates and redirects the user to login URL: https://api.twitter.com/oauth/authorize?oauth_token={tokenhere}
  2. User authenticates the app and clicks Authorize
  3. Twitter redirects to: https://api.twitter.com/oauth/authorize (Request payload: authenticity_token={tokenhere}&oauth_token={tokenhere} )
  4. Then redirects to http://mywebsite.com/ (the one specified in the callback at https://dev.twitter.com/apps/{myappid}/settings )

Let me know if you need more details, I can upload screenshots with full details on network requests/replies, provide you with Twitter usernames, the App ID, etc.

Twitter redirects back to the callback URL without the oauth_verifier for some accounts.


#4

…and to generate the login URL tmhOAuth library sends a request to oauth/request_token with parameter:
oauth_callback = 'http://mywebsite.com/'


#5

Are you sure that when you’re not receiving an oauth_verifier that it’s not just a case of the user opting-out of approving the authorization flow and just being sent back to your site? What’s the exact URL that users are being redirected to when you’re missing the oauth_verifier (including any other parameters sent with the request)?


#6

It’s me testing the app authentication with different accounts and I always click Authorize. The URL to which users (me) are redirected is the same specified in the callback: http://venturewars.com/ with no GET or POST parameters. I can post the full header requests/responses as well as the usernames I’m using.


#7

Is there any way by which we can get the oauth_verifier for a logged-in person? Please reply, it’s urgent.


#8

[SOLVED] The Twitter instructions are not CLEAR! To return oauth_verifier with the callback url, just fill the field Callback URL (“not required”) at https://apps.twitter.com/app/<id_of_app>/settings

[RESOLVED] The Twitter documentation is not clear! To have oauth_verifier returned as a query string on the callback URL, just fill in the Callback URL field (“not required”) at https://apps.twitter.com/app/<id_of_app>/settings
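
For anyone debugging the same symptom, here is an added example (not code from the plugin, from tmhOAuth, or from any poster in this thread) that checks the request_token response for `oauth_callback_confirmed` and tells apart the ways a callback request can arrive, instead of only testing `isset($_REQUEST['oauth_verifier'])`. The function names and sample values are hypothetical, and the `denied` parameter on a cancelled authorization is an assumption about Twitter's behaviour that the thread does not confirm.

```php
<?php
// Added example: function names and sample values are hypothetical/constructed.

// Parse the form-encoded body of oauth/request_token and stop unless the
// server confirmed the oauth_callback value (OAuth 1.0a, RFC 5849).
function parse_request_token_response(string $body): array
{
    parse_str($body, $fields);
    foreach (['oauth_token', 'oauth_token_secret'] as $key) {
        if (empty($fields[$key]) || !is_string($fields[$key])) {
            throw new RuntimeException("request_token response is missing $key");
        }
    }
    if (($fields['oauth_callback_confirmed'] ?? '') !== 'true') {
        throw new RuntimeException('oauth_callback was not confirmed');
    }
    return $fields;
}

// Classify the request that reaches the callback URL.
// $query: the query parameters; $expectedToken: the request token the site
// stored in the user's session before redirecting to oauth/authorize.
function classify_callback(array $query, ?string $expectedToken): string
{
    if (isset($query['denied'])) {          // assumption: sent on cancel
        return 'denied';
    }
    $token    = $query['oauth_token'] ?? null;
    $verifier = $query['oauth_verifier'] ?? null;
    if (!is_string($token) || !is_string($verifier) || $verifier === '') {
        return 'no_verifier';               // the bare redirect in this thread
    }
    if ($expectedToken === null || !hash_equals($expectedToken, $token)) {
        return 'token_mismatch';            // callback is not for this session
    }
    return 'ok';                            // safe to call oauth/access_token
}

// Constructed inputs, one per outcome.
$stored = parse_request_token_response(
    'oauth_token=REQTOKEN&oauth_token_secret=REQSECRET&oauth_callback_confirmed=true'
)['oauth_token'];
$cases = [
    ['oauth_token' => 'REQTOKEN', 'oauth_verifier' => 'VERIFIER'],
    ['oauth_token' => 'OTHER', 'oauth_verifier' => 'VERIFIER'],
    ['denied' => 'REQTOKEN'],
    [],
];
foreach ($cases as $query) {
    echo classify_callback($query, $stored), PHP_EOL;
}
```

Logging the `no_verifier` and `token_mismatch` outcomes separately makes it clear whether a failed login came from a bare redirect like the one reported here or from a callback that does not belong to the current session.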