Omniauth-twitter with Rails 5 stopped working! OAuth::Unauthorized 403 Forbidden
F

7

26

Everything was working fine and Omniauth has stopped working suddenly. I didn't make any code changes.

I checked Twitter Apps Settings: I have callback url to my main production url, and Callback URL Locked to No. All keys are correct.

Any idea? 🤔


OAuth::Unauthorized

403 Forbidden


Franchot answered 12/6, 2018 at 22:33 Comment(2)
I also tried to regenerate tokens. Still same issue! - Franchot
Related? https://mcmap.net/q/537169/-devise-oauth-twitter-oauth-unauthorized-forbidden-403 - Dressingdown
G
15

I have been able to solve it (also for development) by adding these URLs:

For production:

  • https://mydomain/users/auth/twitter/callback
  • http://mydomain/users/auth/twitter/callback

For development:

  • http://localhost:3000/users/auth/twitter/callback
Gleam answered 14/6, 2018 at 6:47 Comment(2)
This seems to be the working solution. Works both locally and in production. - Tankersley
Wow, thanks @antoniobg87! I was missing the users/ part as opposed to just adding auth/twitter/callback. This worked for me in production. Cheers - Hiles
I
6

Now in the Twitter callback URL settings, you must add 2 callback URLs, and the callback URL must be the path of your application.

I faced the same problem; after adding the 2nd callback URL, it's fixed.

For more information check: https://twittercommunity.com/t/action-required-sign-in-with-twitter-users-must-whitelist-callback-urls/105342

Irs answered 13/6, 2018 at 6:35 Comment(6)
Hey yes, I tried the same. Adding a second one as mysitecom/auth/twitter/callback fixed it for 10 mins. Now experiencing the same problem. What URL exactly do you give? Thanks! - Franchot
@Franchot what URL did you add in callback? - Irs
mysitedotcom/ and mysitedotcom/auth/twitter/callback and both with h t t p s - Franchot
Someone better fire an issue at Omniauth repo - Punchy
@Franchot try callback url: mysitedotcom/users/auth/twitter/callback and mysitedotcom/users/auth/twitter/callback, you must add 2 URLs - Irs
@puneet18, using the same callback url results in error: "The client application failed validation: The default callback url should not be redundantly included in additional callback urls." Any definitive solution to this yet? - Tankersley
F
4

Adding a second Callback URL to https://mysitecom/auth/twitter/callback fixed the issue (for now)

———-

Update: This actually solved the problem for about 10mins. Experiencing the same problem now

Franchot answered 12/6, 2018 at 23:46 Comment(2)
I'm also experiencing this. Can you expand on what you did? - Randallrandan
This actually solved the problem for about 10 mins. Now experiencing the same problem - Franchot
F
1

I'm working in development, not production, and encountered this problem using the omniauth and omniauth-twitter gems. But with these two callback URLs:

http://127.0.0.1:3000
http://localhost:3000/auth/twitter/callback

the problem is avoided. Strange, since the RailsApps tutorial warns against using 'localhost' at Twitter.

Fourdrinier answered 14/6, 2018 at 19:5 Comment(0)
I
0

I just resolved the issue by putting https://domain/oauths/callback in the Callback URLs list. Make sure you enable the callback locking option.

Impassable answered 13/6, 2018 at 17:36 Comment(0)
A
0

This is almost certainly related to this change: Action REQUIRED - Sign in with Twitter users must whitelist callback URLs.

From the link:

In 30 days, we will begin enforcing the whitelist such that any URL not added to the whitelist will fail. This means that URLs can no longer be programmatically overridden in calls to the oauth/request_token endpoint. The callback_url parameter provided must match one of the whitelisted callback URLs. While we generally provide longer than a 30-day notice for changes like this, this timeline allows us to continue to provide a safe and secure experience for developers and our users.

You can add callback URLs to your whitelist on the applications settings page on apps.twitter.com.

Enable the setting “Enable Callback Locking” to test that only URLs you have whitelisted are accepted. Callback URLs will automatically be locked and the whitelist will be enforced starting on June 12th. The “Enable Callback Locking” setting will be removed on this date.

I could not get this to work in development with 127.0.0.1 so I ended up creating a DNS A record that pointed to 127.0.0.1 (e.g., dev.example.com) and used that in the callback url settings on https://apps.twitter.com.


Annotation answered 14/6, 2018 at 3:59 Comment(0)
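The mismatches reported in this thread (http vs https, a missing users/ prefix, 127.0.0.1 vs localhost) can be checked locally before a deploy. The following is an added example, not code from any of the posts or from OmniAuth: the ALLOWLIST entries are constructed from the URLs quoted above, and component-wise exact matching is an assumption about how the provider compares callback URLs.

```ruby
require "uri"

# Constructed allowlist mirroring the URLs discussed in the answers above.
ALLOWLIST = [
  "https://mydomain/users/auth/twitter/callback",
  "http://localhost:3000/users/auth/twitter/callback"
].freeze

# Split a callback URL into the parts compared here.
# Assumption: the provider matches exactly on scheme, host, port and path.
def callback_parts(url)
  u = URI.parse(url)
  unless u.is_a?(URI::HTTP) && u.host
    raise ArgumentError, "callback must be an absolute http(s) URL: #{url}"
  end
  { scheme: u.scheme.downcase, host: u.host.downcase,
    port: u.port, path: u.path.empty? ? "/" : u.path }
end

# Returns [:ok, matching_entry] or
# [:mismatch, { entry => [parts that differ] }].
def check_callback(sent, allowlist = ALLOWLIST)
  want = callback_parts(sent)
  diffs = {}
  allowlist.each do |entry|
    have = callback_parts(entry)
    differing = want.keys.reject { |k| want[k] == have[k] }
    return [:ok, entry] if differing.empty?
    diffs[entry] = differing
  end
  [:mismatch, diffs]
end

# For a rejected URL, the allowlist entry with the fewest differing parts,
# which usually names the setting to fix.
def closest_miss(sent, allowlist = ALLOWLIST)
  status, detail = check_callback(sent, allowlist)
  return nil if status == :ok
  detail.min_by { |_entry, parts| parts.size }
end
```

Feed it the URL your app actually sends as oauth_callback (for Devise, the one containing /users/) rather than the one you expect it to send.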
O
0

Unicode domain name. Twitter gives me an error: unsupportable domain name format. I need an exact match between the callback URL sent by my server and the callback URL in my Twitter app. Solution: config/initialization/twitter.rb

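# Override the callback URL that the OmniAuth Twitter strategy sends,
# so it is exactly the URL registered in the Twitter app settings.
OmniAuth::Strategies::Twitter.class_eval do
  def callback_url
    # Placeholder name from the post: it must resolve inside this method
    # (a method or constant), not a local variable defined outside it.
    my_custom_twitter_app_callback_url_string_variable
  end
end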
Organization answered 14/6, 2018 at 7:17 Comment(1)
my_custom_twitter_app_callback_url_string_variable = 'my.ip.ad.res/auth/twitter/callback' - Organization