Omniauth-twitter with Rails 5 stopped working! OAuth::Unauthorized 403 Forbidden

Question

Everything was working fine and Omniauth has stopped working suddenly. I didn't make any code changes.

I checked Twitter Apps Settings: I have callback url to my main production url, and Callback URL Locked to No. All keys are correct.

Any idea?

OAuth::Unauthorized

403 Forbidden

I also tried to regenerate tokens. Still same issue! – Designer Jun 12 '18 at 23:09 — Designer, Jun 12 '18 at 23:09
Related? https://stackoverflow.com/q/50560813 – Pang Jun 14 '18 at 00:41 — Pang, Jun 14 '18 at 00:41

score 15 · Accepted Answer · edited Jun 18 '18 at 14:27

15

I have been able to solve it (also for development) adding this urls:

For production:

https://mydomain/users/auth/twitter/callback
http://mydomain/users/auth/twitter/callback

For development:

http://localhost:3000/users/auth/twitter/callback

edited Jun 18 '18 at 14:27

Community

1
1

answered Jun 14 '18 at 06:47

antoniobg

568
1
6
10

This seems to be the working solution. Works both locally and in production. – Joe Jun 14 '18 at 19:09
Wow, thanks @antoniobg87! I was missing the users/ part as opposed to just adding auth/twitter/callback. This worked for me in production. Cheers – Christine S Jun 14 '18 at 22:17

puneet18 · Answer 2 · 2018-06-14T04:55:52.107

6

Now on twitter callback URL, you must have to add 2 callback URLs and the callback URL must be the path of your application.

I had faced the same problem, now on adding the 2nd callback URL, it's fixed.

For more information check: https://twittercommunity.com/t/action-required-sign-in-with-twitter-users-must-whitelist-callback-urls/105342

edited Jun 14 '18 at 04:55

answered Jun 13 '18 at 06:35

puneet18

4,341
2
21
27

Hey yes, I tried same. Adding a second one as https://mysitecom/auth/twitter/callback fixed for a 10mins. Now experiencing same problem. What url do you exactly give? Thanks! – Designer Jun 13 '18 at 07:14
@Designer what url you added in callback ? – puneet18 Jun 13 '18 at 13:02
2

mysitedotcom/ and mysitedotcom/auth/twitter/callback and both with h t t p s – Designer Jun 13 '18 at 14:08
Someone better fire an issue at Omniauth repo – truongnm Jun 14 '18 at 02:37
@Designer try callback url: http://mysitedotcom/users/auth/twitter/callback and https://mysitedotcom/users/auth/twitter/callback, you must have to add 2 urls – puneet18 Jun 14 '18 at 04:51
@puneet18, using the same callback url results in error: "The client application failed validation: The default callback url should not be redundantly included in additional callback urls." Any definitive solution to this yet? – Joe Jun 14 '18 at 19:06

Designer · Answer 3 · 2018-06-13T07:21:08.443

4

Adding a second Callback URL to https://mysitecom/auth/twitter/callback fixed the issue (for now)

———-

Update: This actually solved the problem for about 10mins. Experiencing the same problem now

edited Jun 13 '18 at 07:21

answered Jun 12 '18 at 23:46

Designer

1,061
1
12
26

I'm also experiencing this. Can you expand on what you did? – spitfire109 Jun 12 '18 at 23:56
This actually solved the problem for about like 10mins. Now experiencing same problem – Designer Jun 13 '18 at 07:20

score 1 · Answer 4 · answered Jun 14 '18 at 19:05

I'm working in development not production and encountered this problem using the omniauth and omniauth-twitter gems. But with these two callback URL's:

http://127.0.0.1:3000
http://localhost:3000/auth/twitter/callback

the problem is avoided. Strange, since the RailsApps tutorial warns against using 'localhost' at Twitter.

score 0 · Answer 5 · edited Jun 14 '18 at 15:55

0

I just resolved the issue by putting https://domain/oauths/callback in the Callback URLs list. Make sure you enable the callback locking option.

edited Jun 14 '18 at 15:55

Andrew Myers

2,754
5
32
40

answered Jun 13 '18 at 17:36

Dhaval Parikh

1
1

score 0 · Answer 6 · answered Jun 14 '18 at 03:59

This is almost certainly related to this change: Action REQUIRED - Sign in with Twitter users must whitelist callback URLs.

From the link:

In 30 days, we will begin enforcing the whitelist such that any URL not added to the whitelist will fail. This means that URLs can no longer be programmatically overridden in calls to the oauth/request_token endpoint 112. The callback_url parameter provided must match one of the whitelisted callback URLs. While we generally provide longer than a 30-day notice for changes like this, this timeline allows us to continue to provide a safe and secure experience for developers and our users.

You can add callback URLs to your whitelist on the applications settings page on apps.twitter.com 488.

Enable the setting “Enable Callback Locking” to test that only URLs you have whitelisted are accepted. Callback URLs will automatically be locked and the whitelist will be enforced starting on June 12th. The “Enable Callback Locking” setting will be removed on this date.

I could not get this to work in development with 127.0.0.1 so I ended up creating a DNS A record that pointed to 127.0.0.1 (e.g., dev.example.com) and used that in the callback url settings on https://apps.twitter.com.

score 0 · Answer 7 · answered Jun 14 '18 at 07:17

0

Unicode domain name. Twitter give me error: unsupportable domain name format. I need exactly match callback url, sending by my server and callback url in my twitter app. Solution: config/initialization/twitter.rb

OmniAuth::Strategies::Twitter.class_eval do
  def callback_url
    return my_custom_twitter_app_callback_url_string_variable
  end
end

answered Jun 14 '18 at 07:17

sunnmas

1

my_custom_twitter_app_callback_url_string_variable = 'http://my.ip.ad.res/auth/twitter/callback' – sunnmas Jun 15 '18 at 06:16

Omniauth-twitter with Rails 5 stopped working! OAuth::Unauthorized 403 Forbidden

7 Answers7