arunagw / omniauth-twitter

OmniAuth strategy for Twitter
http://arunagw.github.io/omniauth-twitter/

Receiving OAuth::Unauthorized 401 Authorization Required #103

Closed DavidRagone closed 7 years ago

DavidRagone commented 8 years ago

I've set up a very simple rails app and am unable to get the request to twitter to succeed. It's unclear what the cause is. The key and secret are being read properly from the environment variables. Twitter no longer allows setting of localhost nor 127.0.0.1 in their callback url. Instead, they state:

> Where should we return after successfully authenticating? OAuth 1.0a applications should explicitly specify their oauth_callback URL on the request token step, regardless of the value given here. To restrict your application from using callbacks, leave this field blank.

However, I have not been able to figure out where I am supposed to be passing this information when generating the request.

Here is the code I have written in the initializer. Help would be appreciated.

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :developer unless Rails.env.production?
  provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
end

DavidRagone commented 8 years ago

I was able to solve my problem by setting the twitter callback url on the twitter web interface to http://0.0.0.0:3000/auth/twitter/callback. However, this is not an acceptable solution. Per twitter's documentation quoted in my OP above, I need to be able to pass the callback url in each request.

BrianSigafoos commented 8 years ago

Similar problem here @DavidRagone Solved it by making a dedicated Dev application in Twitter that has a callback to our local environment. And a separate Twitter app for production that points to our actual site in the callback.

raysrashmi commented 8 years ago

@DavidRagone Are you still facing this issue?

gkassee commented 8 years ago

@raysrashmi I'm not David, but I am currently facing this issue. Any help would be appreciated!

raysrashmi commented 8 years ago

@gkassee Sorry for the late reply. I will look into this.

gkassee commented 8 years ago

@raysrashmi Actually I managed to fix the issue, but I'm not entirely sure what I did to correct the problem.

raysrashmi commented 8 years ago

That's cool, so I can close the issue. Feel free to reopen it if you face it again.

ajsharp commented 8 years ago

I'm having this issue as well. The callback_url parameter is a required param according to the Twitter docs: https://dev.twitter.com/oauth/reference/post/oauth/request_token. I think this library should populate a sensible default for the callback url like /auth/twitter/callback, but allow this to be over-ridden in configuration options.

raysrashmi commented 8 years ago

@ajsharp Thanks for reporting the issue. I will look into this.

ajsharp commented 8 years ago

Sure. At the very least, a more instructive error message would probably be a big improvement. Something like: ArgumentError: You forgot to specify the 'callback_url' parameter.

dimanyc commented 7 years ago

Another reason for receiving the 401 can be the enabled "Callback Locking" option in Twitter Application Management panel.

abhi1995 commented 7 years ago

16/09/22 10:47:33 INFO twitter4j.TwitterStreamImpl: Establishing connection.
16/09/22 10:47:36 INFO twitter4j.TwitterStreamImpl: 401:Authentication credentials (https://dev.twitter.com/pages/auth) were missing or incorrect. Ensure that you have set valid consumer key/secret, access token/secret, and the system clock is in sync.

Error 401 Unauthorized

HTTP ERROR: 401

Problem accessing '/1.1/statuses/sample.json?stall_warnings=true'. Reason:

    Unauthorized

16/09/22 10:47:36 ERROR twitter.TwitterSource: Exception while streaming tweets 401:Authentication credentials (https://dev.twitter.com/pages/auth) were missing or incorrect. Ensure that you have set valid consumer key/secret, access token/secret, and the system clock is in sync.

Error 401 Unauthorized

HTTP ERROR: 401

Problem accessing '/1.1/statuses/sample.json?stall_warnings=true'. Reason:

    Unauthorized

Please solve my problem. I have been getting this problem for three days.

NaumenkoSergiy commented 7 years ago

@raysrashmi I had a problem: after changing the password on my Twitter account, I get the old access token. How can I update the access token?

raysrashmi commented 7 years ago

@NaumenkoSergiy You can regenerate it in "Key and Access Tokens" at https://apps.twitter.com

eonu commented 7 years ago

@dimanyc Thanks, that worked for me! Kept messing around with secrets.yml and generating new API keys and all sorts of stuff.

chriso0710 commented 6 years ago

I am facing a problem, which might be related to this issue, so I am commenting here.

Apparently Twitter changed the API and now forces callback whitelisting: https://twittercommunity.com/t/action-required-sign-in-with-twitter-users-must-whitelist-callback-urls/105342 "The callback_url parameter provided must match one of the whitelisted callback URLs."

My twitter app does have the callback url set. My app still uses omniauth-twitter version 1.2.1. The app now raises OAuth::Unauthorized 403. Error occurs since June 12.

Any idea how to solve this? Do I have to update omniauth-twitter and explicitly set a callback_url?

Thanks Christian

leejarvis commented 6 years ago

@chriso0710 Adding /callback to the URL worked for me (this is the path the omniauth gem uses). Credit: https://twitter.com/paulmwatson/status/1006862480453271552

chriso0710 commented 6 years ago

Thanks @leejarvis and @paulmwatson but still not working for me. I already had both

http://<myapp>/auth/twitter 
http://<myapp>/auth/twitter/callback 

set in the twitter developer app dashboard. Checking or unchecking "enable callback locking" makes no difference.

leejarvis commented 6 years ago

@chriso0710 That's a shame. FWIW http also didn't work for me because my website is served over https, so I added them both and it worked.. 🤷‍♂️

chriso0710 commented 6 years ago

Neither working with http nor https URLs here. Still getting a 403 from twitter. Might be my version of omniauth-twitter then. Will check out the gem update next ...

Thanks @leejarvis, I will update this issue with my results.

chriso0710 commented 6 years ago

Got it working with simple https callback URLs in my production environment, using a real domain name. Did not do a gem update yet.

In my development environment (with puma-dev, SSL and using .test domains) it does not work though.

Example app: https://myapp.test

Callback URL: https://myapp.test/auth/twitter/callback

paulmwatson commented 6 years ago

Do you not need a model name in that @chriso0710? https://myapp.test/users/auth/twitter/callback

paulmwatson commented 6 years ago

Also after beating my head against this all morning I added the Httplog gem in dev and it showed me the exact oauth_callback body value being sent to Twitter. Twitter would validate that oauth_callback value against the whitelist in app.twitter.com settings before it did almost anything else. If it didn't match e.g. http://example.com/users/auth/twitter <=> http://example.com/users/auth/twitter/callback in my case then it would 403.

In dev (Pow) I use .devtest and not .dev or .test anymore.

richhollis commented 6 years ago

I've been beating my head too and even though all my callback URLs are all defined in the app settings I'm still getting 403s - nothing seems to make any difference.

chriso0710 commented 6 years ago

Related to #128

That's what my debug log gives me. The oauth callback url is exactly the same as the one set in the apps twitter dashboard. Did do a gem update, no improvements.

20:54:11 log.1       | twitterwall[43690]: [httplog] Sending: POST http://api.twitter.com:443/oauth/request_token
20:54:11 log.1       | twitterwall[43690]: [httplog] Header: accept-encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
20:54:11 log.1       | twitterwall[43690]: [httplog] Header: accept: */*
20:54:11 log.1       | twitterwall[43690]: [httplog] Header: user-agent: OAuth gem v0.5.4
20:54:11 log.1       | twitterwall[43690]: [httplog] Header: content-length: 0
20:54:11 log.1       | twitterwall[43690]: [httplog] Header: content-type: application/x-www-form-urlencoded
20:54:11 log.1       | twitterwall[43690]: [httplog] Header: authorization: OAuth oauth_callback="https%3A%2F%2Fsos.test%2Fauth%2Ftwitter%2Fcallback", oauth_consumer_key="...", oauth_nonce="...", oauth_signature="...", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1528916051", oauth_version="1.0"
20:54:11 log.1       | twitterwall[43690]: [httplog] Header: connection: close
20:54:11 log.1       | twitterwall[43690]: [httplog] Data: 
20:54:12 log.1       | twitterwall[43690]: [httplog] Status: 403

> Do you not need a model name in that? https://myapp.test/users/auth/twitter/callback

No, I use it without a model name (Sinatra app) and it has been working for years until 2 days ago...
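The comparison paulmwatson describes, run against an httplog authorization line of the shape quoted above (an added example, not code from the thread or from omniauth-twitter). The log line and allow-list are constructed samples, the helper names are hypothetical, and exact string matching on Twitter's side is an assumption based on the announcement quoted earlier.

```ruby
require "uri"

# Constructed sample in the shape of the httplog line above; secrets are placeholders.
SAMPLE_LOG_LINE = '[httplog] Header: authorization: OAuth ' \
  'oauth_callback="https%3A%2F%2Fmyapp.test%2Fauth%2Ftwitter", ' \
  'oauth_consumer_key="PLACEHOLDER", oauth_nonce="PLACEHOLDER", ' \
  'oauth_signature="PLACEHOLDER", oauth_signature_method="HMAC-SHA1", ' \
  'oauth_timestamp="1528916051", oauth_version="1.0"'

# Hypothetical allow-list, as copied by hand from the app's callback settings.
ALLOWED_CALLBACKS = [
  "https://myapp.test/auth/twitter/callback",
  "http://localhost:3000/auth/twitter/callback"
].freeze

# Extract and percent-decode oauth_callback; nil when the parameter is absent.
def extract_oauth_callback(line)
  match = line.match(/oauth_callback="([^"]*)"/)
  match && URI.decode_www_form_component(match[1])
end

# List every URL component in which the sent callback differs from one entry.
def callback_differences(sent, allowed)
  s = URI.parse(sent)
  a = URI.parse(allowed)
  %i[scheme host port path query].map do |part|
    next if s.send(part) == a.send(part)
    "#{part} #{s.send(part).inspect} != #{a.send(part).inspect}"
  end.compact
end

# Report whether the sent callback is on the allow-list and, if not, why not.
def check_callback(line, allow_list)
  sent = extract_oauth_callback(line)
  return { sent: nil, match: false, report: ["no oauth_callback in request"] } if sent.nil?
  return { sent: sent, match: true, report: [] } if allow_list.include?(sent)

  report = allow_list.map { |url| "#{url}: #{callback_differences(sent, url).join('; ')}" }
  { sent: sent, match: false, report: report }
end

if __FILE__ == $PROGRAM_NAME
  result = check_callback(SAMPLE_LOG_LINE, ALLOWED_CALLBACKS)
  puts "sent:  #{result[:sent]}"
  puts "match: #{result[:match]}"
  result[:report].each { |entry| puts "  #{entry}" }
end
```

If the decoded value matches an allow-listed entry and the request is still rejected, the callback is not the cause, which is where the thread's other suggestions (consumer key/secret handling, environment variables, system clock) come in.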

kunalchaudhari commented 6 years ago

Able to resolve this. In the app settings on Twitter, set the callback URL. In my case it was set to the one below. Just this one change.

https://echai.in/users/auth/twitter/callback

truongnmt commented 6 years ago

So I finally resolved by adding

http://localhost:3000/auth/twitter/callback

Ref: https://stackoverflow.com/a/50857912/3280050

Notice localhost and callback

ghost commented 6 years ago

Still getting 403 Forbidden even with the callbacks set.

paulmwatson commented 6 years ago

@tchret have you tried adding /callback to the end of those URLs? http://localhost:3000/users/auth/twitter/callback

That was the problem for me.

chriso0710 commented 6 years ago

Still having no luck here. Even after adding a "localhost" callback I am getting a 403 back from twitter. Running out of ideas now...

chriso0710 commented 6 years ago

Well, it is working now. And no need to put localhost into the callbacks.

Had a really embarrassing bug in my twitter consumer key/secret handling, which surfaced only after twitter made these changes and started verifying the callback urls.

Thanks, guys, for making me think outside the "callback url" box! :-)

pierrenoizat commented 5 years ago

In development mode, if localvars is your local config file containing your app credentials as environment variables, make sure to run $ source ~/.localvars before $ rails s to reload your correct environment variables (Consumer API key and Consumer API secret key).

LloydVincent commented 5 years ago

> So I finally resolved by adding
>
> http://localhost:3000/auth/twitter/callback
>
> Ref: https://stackoverflow.com/a/50857912/3280050
>
> Notice localhost and callback

This is it? After 2 days of f'ing around with http call methods, adding and tweaking various headers, playing with spaces and commas, re-reading Twitter's oauth docs, quintuple-checking my signing hash logic, rearranging oauth parameters randomly, regenerating keys to the point where I thought Twitter would flag me for spam, repeatedly googling "401 authorization required" and "32 could not authenticate" (links are all purple until page 5)... this is the answer?

This voodoo of adding an unneeded localhost callback (I had a real one from the start) finally makes my request_token call work. And my code still works after removing the unneeded localhost callback. THANK YOU GOOD SIR!

And may whoever is responsible for this at Twitter be forced to drink nothing but concentrated bitter-melon juice for an entire week.

akkt222 commented 4 years ago

Stuck on this error for a couple of days... If you are currently facing the error, I strongly suggest you confirm:

  1. Your Environment variable configuration
  2. The system clock of your OS
  3. Callback URLs. At least two required. Some sources say you need to add http://127.0.0.1:3000/auth/twitter/callback instead of http://localhost:3000/auth/twitter/callback. I added both and it worked.

It's so frustrating. Good luck to you.