PIN response in web-based OAuth app


Elliott Kember

Jun 9, 2009, 5:47:44 PM
to Twitter Development Talk
Hey guys,

I'm having a few problems with the OAuth API and my browser-based app
- it's giving me PIN numbers at the /oauth/authorize page, even though
it's set to return to a callback in the OAuth settings - I've
rechecked my settings, and the application is definitely set as a
browser app.

I'm guessing this is something to do with the new PIN-based desktop
app code, just wondering when it'll be fixed - or whether I'm doing
something wrong!

Thanks,
Elliott

Keith Hanson

Jun 9, 2009, 5:55:32 PM
to Twitter Development Talk
Same here, actually, for tweetingtoohard.com (tried to post here
before but it looks like it got eaten :P)

We've put up a snarky message in the meantime about the blunders :P
But please do correct us if we have done something incorrect.

-- Keith Hanson
@big_love
keith (at) tweetingtoohard.com

Matt Sanford

Jun 9, 2009, 6:17:49 PM
to twitter-deve...@googlegroups.com
Hi there,

Are you by chance passing anything in to the request_token call
for the value of oauth_callback? I checked out a few other services
and they seemed fine. If you're sending oauth_callback=oob (a.k.a.
"out of band") then the system is forced into the PIN flow. We're
working on docs for all of this now but let me know if that's what
you're sending.

— Matt

Elliott Kember

Jun 9, 2009, 6:21:52 PM
to Twitter Development Talk
Hey Matt,

Yep, I'm passing oauth_callback - and it does look like that's the
problem, because I have another app which doesn't send it, and it's
working fine.

Is this by design, or will it be changed back? I don't need it to use
the oauth_callback url that I pass, but it'd be good to return to the
specified callback URL by default.

Thanks,
Elliott

Elliott Kember

Jun 9, 2009, 6:28:17 PM
to Twitter Development Talk
Sorry - having said that, I've removed the oauth_callback parameter
and the behaviour is still persisting - and it also doesn't save the
authentication so I have to hit Allow every time.

Keith Hanson

Jun 9, 2009, 6:37:18 PM
to Twitter Development Talk
I'm actually not using an oauth callback parameter and am getting this
behavior.

I'm running on Sinatra at the moment, but have implemented my login
routine by pretty much copy/pasting the Rails tutorial in the API
Wiki.

I'm using the gem OAuth 0.3.5 for redirecting and what-not.

I did take a look at the redirect url, though, and didn't see any
oauth_callback params set. It sounds as if they shouldn't be there
anyways, correct?

jotto

Jun 9, 2009, 6:30:35 PM
to Twitter Development Talk
I also do not use oauth_callback and this is happening to me as well.

I have emailed a...@twitter.com and Doug Williams responded.

lebreeze

Jun 9, 2009, 6:53:56 PM
to Twitter Development Talk
I'm seeing exactly the same behaviour and it just started happening a
few hours ago

App is http://moodmapr.com

Users just cannot login but instead are provided with a PIN

Matt Sanford

Jun 9, 2009, 7:16:18 PM
to twitter-deve...@googlegroups.com
Hi there,

I just checked the tokens generated on several of these services
and I see oauth_callback was set to "oob". Doug is working on the docs
right now to make it clear how all of this shakes out. The end result
is that if you want to use the pre-configured callback url don't send
an oauth_callback parameter at all. If you're seeing this error but
are not sending the oauth_callback parameter please email me off list
with a copy of the URL, headers and body where you make the
request_token call so I can try and debug the issue. It doesn't seem
to be all apps which is what I would expect in the case of a bug.

Thanks;
– Matt Sanford / @mzsanford
Twitter Dev

Keith Hanson

Jun 9, 2009, 8:01:11 PM
to Twitter Development Talk
Huzzah!

It looks like the OAuth gem, when not given the parameter
oauth_callback, automatically passes oob, FTL! :P

So... in our case, we simply did this:
    consumer = OAuth::Consumer.new("TOKENZ", "SECRETZ", { :site=>"http://twitter.com" })
    consumer.get_request_token(:oauth_callback => "http://tweetingtoohard.com/auth_success")

And now things are looking like they ought to :)

Hope that helps anyone else who may be using the OAuth gem with
Ruby :P

--Keith


Levent Ali

Jun 9, 2009, 7:29:08 PM
to twitter-deve...@googlegroups.com
I have made little to no changes and this behaviour just started
happening this evening

Try logging in at http://moodmapr.com to see what happens

I have commented out all the lines of code that pass 'oauth_callback'
in the url on my development environment and it doesn't seem to make a
difference

https://twitter.com/oauth/authorize?oauth_token=TOKEN
or as it used to be (and is in production)
https://twitter.com/oauth/authorize?oauth_token=TOKEN&oauth_callback=http%3A%2F%2Fmoodmapr.local%2Foauth_callback

My app is a ruby app (rails) using the twitter-auth gem (0.1.21) and
oauth (0.3.5)

Again, everything was perfect until a few hours ago, which seems to
coincide with everyone else having this issue

lebreeze

Jun 9, 2009, 7:46:49 PM
to Twitter Development Talk
I managed to get the old behaviour back by modifying the oauth gem to
not set a default oauth_callback (oob)

For some reason the twitter-auth gem is not passing over the
configuration to override the default

I'm too tired to investigate further at the minute but will keep
looking in the morning (GMT)



Elliott Kember

Jun 9, 2009, 8:15:21 PM
to Twitter Development Talk
Surely this is all moot anyway - can't the OAuth process just redirect
if the application only accepts callbacks? We set a preference for
callbacks in the OAuth settings, so why are we being forced into PIN
verification?

Matt Sanford

Jun 9, 2009, 8:20:57 PM
to twitter-deve...@googlegroups.com
Hi again,

Nobody is forcing you to use the PIN unless you're registered as
a desktop app (which has no callback). The issue here is that the
library you are using is setting a value of "oob" and specifically
requesting the PIN flow. I have filed an issue with the gem maintainer
on github [1] and hopefully the default can be changed. You can get
around this right now by passing the callback into your
get_request_token call as described in one of my previous emails.

Thanks;
– Matt Sanford / @mzsanford
Twitter Dev

[1] - http://github.com/mojodna/oauth/issues#issue/7

Jonathan Otto

Jun 10, 2009, 12:14:02 PM
to twitter-deve...@googlegroups.com
Quick fix/patch/hack for the Ruby OAuth gem - just load this after
the gem is loaded. A Rails initializer will work.

http://gist.github.com/127313

Jochen Kaechelin

Jun 10, 2009, 1:43:40 PM
to twitter-deve...@googlegroups.com

On 10.06.2009 at 18:14, Jonathan Otto wrote:

>
> Quick fix/patch/hack for the Ruby OAuth gem - just load this after
> the gem is loaded. A Rails initializer will work.
>
> http://gist.github.com/127313


I still have problems - even with this gist above!!
I'm using oauth-gem 0.35.

I always get a 401 error!!!!

How to deal with "oauth_verifier"??? Do I need special database fields
to store it?


    def self.consumer
      OAuth::Consumer.new("XXXX", "XXXX", { :site=>"http://twitter.com" })
    end

    def sign_in
      @request_token = UsersController.consumer.get_request_token(:oauth_callback => "http://www.xxx.de/callback")
      session[:request_token] = @request_token.token
      session[:request_token_secret] = @request_token.secret
      redirect_to @request_token.authorize_url
      return
    end

    def callback
      @request_token = OAuth::RequestToken.new(UsersController.consumer, session[:request_token], session[:request_token_secret])
      @access_token = @request_token.get_access_token
      @response = UsersController.consumer.request(:get, '/account/verify_credentials.json', @access_token, { :scheme => :query_string })
      ....
      ....


themire

Jun 11, 2009, 12:29:21 PM
to Twitter Development Talk
I'm having the same problem as Jochen - always getting a 401
Unauthorized error on the callback.

I had the initial problem with the PIN response, but got around it by
explicitly passing the callback into the initial get_request_token
call but now have run into this 401 problem.

I haven't got the github gist but have the same code as Jochen above.

Michael Twentyman

Jun 12, 2009, 1:20:53 AM
to Twitter Development Talk
Verified... I redefined the method to exclude the oauth_callback
default from being set and that returned the service to normal
function.

    OAuth::Consumer.class_eval do
      def get_request_token(request_options = {}, *arguments)
        response = token_request(http_method, (request_token_url? ? request_token_url : request_token_path), nil, request_options, *arguments)
        OAuth::RequestToken.from_hash(self, response)
      end
    end

Doug mentions the changes here for anyone that's curious about what
changed:

http://groups.google.com/group/twitter-development-talk/browse_thread/thread/472500cfe9e7cdb9

themire

Jun 12, 2009, 4:58:50 AM
to Twitter Development Talk
I've read that we must now attach the oauth_verifier to the request
for the access_token.

I'm a bit confused as to how to do this. Can anyone clarify?
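
The two steps this thread turns on, as an added example that is not any poster's code and not the oauth gem's: the request_token parameters are built without ever defaulting oauth_callback to "oob", and the access_token parameters carry the oauth_verifier returned on the callback. It uses only the Ruby standard library; the function names and all key, token and URL values are assumptions made for illustration.

```ruby
# Added example, stdlib only. Keys, tokens and URLs are constructed placeholders.
require "openssl"
require "securerandom"
require "uri"

# RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars stay).
def pct(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| "%%%02X" % b }.join }
end

# Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
def base_string(method, url, params)
  pairs = params.map { |k, v| [pct(k), pct(v)] }.sort.map { |k, v| "#{k}=#{v}" }
  [method.upcase, pct(url), pct(pairs.join("&"))].join("&")
end

# HMAC-SHA1 keyed with "consumer_secret&token_secret", base64-encoded.
def sign(method, url, params, consumer_secret, token_secret = "")
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  [OpenSSL::HMAC.digest("SHA1", key, base_string(method, url, params))].pack("m0")
end

def protocol_params(consumer_key)
  { "oauth_consumer_key" => consumer_key, "oauth_nonce" => SecureRandom.hex(16),
    "oauth_signature_method" => "HMAC-SHA1", "oauth_timestamp" => Time.now.to_i.to_s,
    "oauth_version" => "1.0" }
end

# request_token step: send oauth_callback only when the caller supplies one.
# Nothing is defaulted to "oob", so the provider is never asked for the PIN
# flow by accident.
def request_token_params(consumer_key, callback = nil)
  params = protocol_params(consumer_key)
  params["oauth_callback"] = callback if callback
  params
end

# access_token step: read oauth_verifier from the callback query string, after
# checking that the returned oauth_token is the one stored in the session.
def access_token_params(consumer_key, session_token, callback_query)
  query = URI.decode_www_form(callback_query).to_h
  unless query["oauth_token"] == session_token
    raise ArgumentError, "callback token does not match the session's request token"
  end
  verifier = query["oauth_verifier"].to_s
  raise ArgumentError, "oauth_verifier missing from callback" if verifier.empty?
  protocol_params(consumer_key).merge("oauth_token" => session_token,
                                      "oauth_verifier" => verifier)
end
```

The access_token request is signed with the consumer secret and the request token secret saved in the session. In the oauth gem the verifier is passed as `get_access_token(:oauth_verifier => params[:oauth_verifier])`.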