Twitter Oauth 2.0 making requests on behalf of other users
I am trying to use the PKCE flow for the user authentication.

After successful redirection by using the following pattern:

https://twitter.com/i/oauth2/authorize?response_type=code&client_id=M1M5R3BMVy13QmpScXkzTUt5OE46MTpjaQ&redirect_uri=https://www.example.com&scope=tweet.read%20users.read%20follows.read%20offline.access&state=state&code_challenge=challenge&code_challenge_method=plain

I got the code, but then when I try to get the access token the following request fails:

curl --location --request POST 'https://api.twitter.com/2/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic <base 64 encode>' \
--data-urlencode 'code=<code received>' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri=<my_redirect>' \
--data-urlencode 'code_verifier=challenge' \
--data-urlencode 'client_id=<my_client_id>'

Error message is {"error":"unauthorized_client","error_description":"Missing valid authorization header"}

I tried to use all of the methods described here for the Basic header, but none of them were successful:

https://twittercommunity.com/t/how-to-generate-a-bear-token-for-api-2-authentication/171837

Thanks!

Lebna answered 26/5, 2022 at 10:2 Comment(1)
Same issue, did you figure it out? Knotweed
In your App > User authentication settings > click on Edit for OAuth 1.0a and OAuth 2.0 > turn on both OAuth 1.0a and OAuth 2.0 and change Type of App to "Single Page App", which should be a public client.

Correspondence answered 7/6, 2022 at 16:28 Comment(3)
Is this still up to date? I can't find any of these things on the User authentication settings page. Rameriz
If you are using the new OAuth 2.0 flow, it looks like if you choose "confidential client" in the "user authentication setup" of the client it breaks sometimes, even if you provide a correct Authorization Basic header. My workaround was to change it to "public client" and include the client_id in the body; it should be safe since you are mostly using Auth Code Flow w/ PKCE. Pituitary
Hello @Haris jamal, I have turned this on public client but I have this error: Error fetching OAuth credentials: "Value passed for the authorization code was invalid." Kailakaile
I had this exact issue and spent hours trying to diagnose it. I ended up deleting the app I created in the Twitter Developer Platform, and creating a new app, generating the CLIENT_ID and CLIENT_SECRET in the exact same way and it now works.

Possibly a bug on Twitter's side?

Allophone answered 27/4, 2023 at 7:14 Comment(1)
Same happened with me. Thanks for sharing. Pavonine
To create the Basic authorization header you will need to base64 encode your Client ID and Client Secret, which can be obtained from your App's "Keys and Tokens" page inside of the developer portal. You can generate the Authorization here: Base64 Encode. Use {ClientID}:{ClientSecret}, not the API ID and API secret.

If you choose to use a confidential client, you don't need a client_id in your request body; if you include it, that triggers a bug in Twitter which returns an error code.

Beeswing answered 25/12, 2023 at 7:7 Comment(0)
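Putting the thread's two token-request shapes side by side, as an added Python example that is not part of any post above: it generates a PKCE pair with the S256 method (the question used `plain`, which the authorization server cannot bind to a hashed challenge), builds the authorize URL, and produces the token exchange either as a confidential client (Basic header, no `client_id` in the body) or as a public client (`client_id` in the body, no Basic header). Client credentials, redirect URI and authorization code are placeholders; nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://twitter.com/i/oauth2/authorize"
TOKEN_URL = "https://api.twitter.com/2/oauth2/token"  # POST the build_token_request() output here

def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for code_challenge_method=S256.
    Verifier: random URL-safe string of 43-128 chars (RFC 7636 4.1).
    Challenge: BASE64URL(SHA256(verifier)) with '=' padding stripped (RFC 7636 4.2)."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 86 chars, inside the allowed range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def basic_auth_header(client_id, client_secret):
    """Basic header for a confidential client: base64 of 'client_id:client_secret'."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def build_authorize_url(client_id, redirect_uri, scopes, state, challenge):
    """Step 1: URL the user is redirected to; the challenge (not the verifier) goes here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def build_token_request(code, redirect_uri, verifier, client_id, client_secret=None):
    """Step 2: headers and form body for the token exchange. Confidential client (secret
    given): credentials in the Basic header, no client_id in the body. Public client: no
    Basic header, client_id in the body instead."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,  # the original verifier, never the challenge
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        body["client_id"] = client_id
    return headers, body
```

Store the verifier server-side (or in the SPA's session) between steps 1 and 2, keyed by `state`, and reject a callback whose `state` does not match.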
