ghost opened 6 years ago
Same here.
I just created a new Rails 5 project (Ruby 2.5.0) using Devise and omniauth-twitter and I am still getting 403 Forbidden in the request phase.
I added the httplog gem to see some basic tracing in the Rails app. I then set the client_options.site parameter available in omniauth-twitter to point the OAuth calls to a simple Python server, to trace out the initial POST request headers.
Here are the results:
I, [2018-06-24T12:51:54.196417 #13208] INFO -- omniauth: (twitter) Request phase initiated.
D, [2018-06-24T12:51:54.198424 #13208] DEBUG -- : [httplog] Connecting: api.twitter.com:443
D, [2018-06-24T12:51:54.243109 #13208] DEBUG -- : [httplog] Sending: POST http://api.twitter.com:443/oauth/request_token
D, [2018-06-24T12:51:54.243258 #13208] DEBUG -- : [httplog] Data:
D, [2018-06-24T12:51:54.376164 #13208] DEBUG -- : [httplog] Status: 403
D, [2018-06-24T12:51:54.376230 #13208] DEBUG -- : [httplog] Benchmark: 0.132842 seconds
D, [2018-06-24T12:51:54.376288 #13208] DEBUG -- : [httplog] Response:
<?xml version="1.0" encoding="UTF-8"?><errors><error code="415">Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings</error></errors>
incomming http: /oauth/request_token
127.0.0.1 - - [24/Jun/2018 12:40:16] "POST /oauth/request_token HTTP/1.1" 200 -
ERROR:root:Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: OAuth gem v0.5.4
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth oauth_callback="http%3A%2F%2Flocalhost%3A3000%2Fusers%2Fauth%2Ftwitter%2Fcallback", oauth_consumer_key="keykeykeykeykeykey", oauth_nonce="qWUl5mImPZ0vqH4AGjkwt7rU2aX8YpZ8y0TUBLLYn8", oauth_signature="sigsigsigsigsigsig, oauth_signature_method="HMAC-SHA1", oauth_timestamp="1529840416", oauth_version="1.0"
Connection: close
Host: api.twitter.com:8000
So I can see/confirm that my callback URL is: http://localhost:3000/users/auth/twitter/callback
Of course, I've added the following URLs to the app settings:
http://localhost:3000/ http://localhost:3000/users/auth/twitter/callback http://localhost:3000/users/auth/twitter
And still the 403 Forbidden error, the same problem we have on our production site.
It seems the Twitter side just won't accept the request even with the URLs defined. It doesn't seem like an issue with omniauth-twitter.
I've posted again to the twitter developers forum in the hope that somebody can take a look.
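The trace above is the right place to check what the app is actually advertising: the `oauth_callback` parameter is percent-encoded inside the Authorization header, and the provider compares it against the registered URLs exactly, so a differing scheme or a trailing slash is enough to fail the check. The following is an added example, not code from omniauth-twitter or the OAuth gem; the header is reconstructed from the trace (placeholder key and signature, the missing quote repaired), and `diagnose_callback` is an assumed helper name.

```ruby
require 'cgi'

# Constructed example, not code from omniauth-twitter or the OAuth gem.
# parse_oauth_header: turns an OAuth 1.0a 'Authorization: OAuth k="v", ...' header
# into a hash of percent-decoded parameters.
def parse_oauth_header(header)
  params = header.sub(/\AOAuth\s+/i, '')
  params.scan(/([A-Za-z0-9_]+)="([^"]*)"/).to_h { |k, v| [k, CGI.unescape(v)] }
end

# diagnose_callback: providers match registered callback URLs exactly, so report
# the exact-match result and the two near misses that look identical to the eye.
def diagnose_callback(callback, approved)
  return 'approved' if approved.include?(callback)
  toggled = callback.end_with?('/') ? callback.chomp('/') : "#{callback}/"
  return 'trailing slash differs from a registered URL' if approved.include?(toggled)
  swapped = callback.start_with?('https://') ? callback.sub(/\Ahttps/, 'http') : callback.sub(/\Ahttp/, 'https')
  return 'scheme differs from a registered URL' if approved.include?(swapped)
  'not registered'
end

# Header constructed from the trace above (placeholder key/signature, quote repaired).
TRACE_HEADER = 'OAuth oauth_callback="http%3A%2F%2Flocalhost%3A3000%2Fusers%2Fauth%2Ftwitter%2Fcallback", ' \
               'oauth_consumer_key="keykeykeykeykeykey", oauth_nonce="qWUl5mImPZ0vqH4AGjkwt7rU2aX8YpZ8y0TUBLLYn8", ' \
               'oauth_signature="sigsigsigsigsigsig", oauth_signature_method="HMAC-SHA1", ' \
               'oauth_timestamp="1529840416", oauth_version="1.0"'

# The three URLs registered in the app settings, as listed in the comment above.
APPROVED_CALLBACKS = %w[
  http://localhost:3000/
  http://localhost:3000/users/auth/twitter/callback
  http://localhost:3000/users/auth/twitter
].freeze

def trace_callback_status(header = TRACE_HEADER, approved = APPROVED_CALLBACKS)
  diagnose_callback(parse_oauth_header(header).fetch('oauth_callback'), approved)
end

if __FILE__ == $PROGRAM_NAME
  parsed = parse_oauth_header(TRACE_HEADER)
  puts "callback: #{parsed['oauth_callback']}"  # http://localhost:3000/users/auth/twitter/callback
  puts "status:   #{trace_callback_status}"      # approved
end
```

For the trace in this thread the callback is registered exactly, which is consistent with the poster's conclusion that the 403 was not a callback mismatch; the near-miss checks are what to run when the same error appears with a URL that only looks registered.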
It looks like it has to do with this: https://twittercommunity.com/t/action-required-sign-in-with-twitter-users-must-whitelist-callback-urls/105342
In Twitter app settings, I had to add both https://mysite.example.com/auth/twitter
and https://mysite.example.com/auth/twitter/callback
to get authentication to work.
Had the same issue, adding the callback URLs as mentioned by geordanr fixed it on development, but not on production.
Someone told me to add these lines to my nginx location config which did the trick.
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
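Why the two nginx headers matter: the app builds its `oauth_callback` from the request it sees, and behind a TLS-terminating proxy that request arrives over plain HTTP on the app server's port unless the proxy forwards the original scheme and port. The result is a callback like `http://host:3000/...` that is not among the registered `https://` URLs. The following is an added example, not code from omniauth-twitter, Rack or Rails; the scheme/port lookup is a deliberately simplified stand-in for what Rack's request object does (an assumption, not a drop-in replacement), and the env hashes and `callback_approved?` helper are constructed.

```ruby
# Constructed example, not code from omniauth-twitter, Rack or Rails: shows how the
# callback URL an app behind a TLS-terminating proxy advertises depends on the
# X-Forwarded-Proto / X-Forwarded-Port headers the proxy sets. The lookup order is a
# simplified stand-in for Rack::Request#scheme and #port (assumption: enough to show
# the mismatch, not a replacement for the real implementation).

def forwarded_scheme(env)
  return 'https' if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_SSL'] == 'on'
  return env['HTTP_X_FORWARDED_SCHEME'] if env['HTTP_X_FORWARDED_SCHEME']
  # A proxy chain may append values; the first one is the client-facing scheme.
  return env['HTTP_X_FORWARDED_PROTO'].split(',').first.strip if env['HTTP_X_FORWARDED_PROTO']
  env['rack.url_scheme'] || 'http'
end

def forwarded_port(env, scheme)
  raw = env['HTTP_X_FORWARDED_PORT'] || env['HTTP_HOST'].to_s[/:(\d+)\z/, 1] || env['SERVER_PORT']
  port = raw.to_i
  default = scheme == 'https' ? 443 : 80
  port == default ? nil : port # nil means "omit the port from the URL"
end

def callback_url(env, path)
  scheme = forwarded_scheme(env)
  host = env['HTTP_HOST'].to_s.sub(/:\d+\z/, '')
  port = forwarded_port(env, scheme)
  "#{scheme}://#{host}#{port ? ":#{port}" : ''}#{path}"
end

# Constructed Rack-style envs for an app server listening on :3000 behind nginx on :443.
PLAIN_PROXY_ENV = {
  'rack.url_scheme' => 'http',
  'HTTP_HOST' => 'www.your-site.com',
  'SERVER_PORT' => '3000'
}.freeze

# Same request once nginx adds the two headers from the comment above.
FORWARDING_PROXY_ENV = PLAIN_PROXY_ENV.merge(
  'HTTP_X_FORWARDED_PROTO' => 'https', # proxy_set_header X-Forwarded-Proto https;
  'HTTP_X_FORWARDED_PORT' => '443'     # proxy_set_header X-Forwarded-Port 443;
).freeze

# Constructed registered callback, matching the https URLs people registered in this thread.
APPROVED = ['https://www.your-site.com/auth/twitter/callback'].freeze

def callback_approved?(env, path = '/auth/twitter/callback')
  APPROVED.include?(callback_url(env, path))
end

if __FILE__ == $PROGRAM_NAME
  puts callback_url(PLAIN_PROXY_ENV, '/auth/twitter/callback')      # http://www.your-site.com:3000/auth/twitter/callback
  puts callback_url(FORWARDING_PROXY_ENV, '/auth/twitter/callback') # https://www.your-site.com/auth/twitter/callback
end
```

The same derivation explains the later report that enabling `config.force_ssl` fixed it: anything that makes the app treat the request as HTTPS changes the advertised callback from `http://` to `https://`, which is what the registered URL requires.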
@0x263b we're still seeing this issue in production mode. However, we're running in Heroku. Trying to determine if we're suffering from your issue or if it's something like Twitter has a delay after adding the callback before it starts allowing it.
Same here @jwg2s, I have this same problem as well. I added my original auth URL as well as my callback URL and so far no joy.
@jwg2s What we found is that it was working this morning.. we edited the callback URLs to add a new one, and then nothing worked anymore.. Been about 3 hours so far.
To add to this, trying all our keys results in exactly the same problem. No love. Hard to pinpoint if it's an OmniAuth problem or a Twitter problem.. but, either way, OAuth with Twitter 100% doesn't work right now for us.
This also includes regenerating keys (to see if they had expired the keys but this wasn't shown in the UI). That didn't change anything either.
Ours did eventually start working yesterday @wflanagan. We added the following callbacks:
https://www.your-site.com/auth/twitter
https://www.your-site.com/auth/twitter/callback
https://www.your-site.com/users/auth/twitter/callback
https://www.your-site.com/users/auth/twitter
Definitely worth checking your URLs for typos, trailing slashes, etc.
Ultimately, I think it's safe to close this ticket as it's not a problem with the gem, but rather rules that Twitter changed on their end. Maybe add to the Readme and close?
Ugh. OK.. I'll try that.
So, that doesn't seem to be my problem, unless there's something being added to the callback URLs.
Following up on my issue: Our problem was caused by the wrong consumer/secret key being used. We had been using our Twitter account's consumer/secret and not our app consumer/secret. Historically, this actually worked and allowed us to authenticate with OAuth, which is why it probably never got picked up or noticed until the recent whitelisting changes at Twitter, which then stopped our app from working, with us initially thinking it was a callback/whitelisting issue! Many hours later of searching for a callback/whitelisting problem, it was actually just the wrong keys.
I ended up monkey patching the OAuth gem to see what the requests and headers were.
So from my side there is no issue with this gem it was our config that was wrong. I agree with @jwg2s that we can probably close this issue.
@richhollis you are the real deal man. I also had our Twitter application key and secret used in our omniauth config. Thanks for saving me hours :).
@posixpascal glad to hear it saved you the hours that I lost :)
One thing I've subsequently found: any long-lived access tokens you have issued against the old keys will still need to be paired with the original keys that they were issued against, when using the Twitter API, otherwise you'll get an Unauthorized error.
So depending on if the user has since logged in with the newer app key, I will use the newer app key or the previous account app keys with their long-lived access token.
Landed here from Google, figured I'd share what ended up working for me in case it helps someone else. In my case, I had the callback URLs set to use SSL (https), but had not enabled config.force_ssl in production.rb. Once I changed this to true, it worked beautifully :)
Use the Consumer Keys instead of the OAuth 2.0 Client ID and Client Secret. And boom, it's working.
devise.rb
user.rb
Still getting a 403 on users/auth/twitter, using omniauth-twitter with Devise. I've set up the callback_url on the Twitter apps dashboard, no change.