I am implementing some Ruby on Rails tweeting code for my users. I am creating the proper OAuth link... something like

http://twitter.com/oauth/authorize?oauth_token=y2RkuftYAEkbEuIF7zKMuzWN30O2XxM8U9j0egtzKv

But after my test account grants access to twitter, it pulls up a page saying "You've successfully granted access to . Simply return to and enter the following PIN to complete the process. 1234567"

I have no idea where the user should enter this PIN and why they have to do that. I don't think this should be a necessary step. Twitter should be redirecting the user to the callback URL I provided in the application settings. Does anyone know why this is happening?

UPDATE: I found this article that states I need to send my users to this URL (note "authenticate" instead of "authorize"):

http://twitter.com/oauth/authenticate?oauth_token=y2RkuftYAEkbEuIF7zKMuzWN30O2XxM8U9j0egtzKv

I made the change, but Twitter redirects the user to the authorize path after he clicks "Allow", which then gives him the 7-digit PIN again!

+3  A: 

OAuth 1.0a added the PIN to solve a social engineering attack to which OAuth 1.0 was vulnerable. But the PIN is only necessary to be entered manually by the user if your application is a desktop/iphone app. If it's a web app the PIN should flow automatically as part of the browser redirects and the user shouldn't have to see or enter this.

So if your app is a web app, then there's a bug either in your OAuth library or your use of it. If your app is a desktop app, this is a "feature" designed to keep your users safe.

Andrew Arnott
My app is a web app. According to the Twitter docs, taking the user to /oauth/authenticate will tell Twitter that my app is a web app and to include the PIN automatically. However, after clicking Allow, Twitter is redirecting to /oauth/authorize which is the path for Desktop apps. I don't see how I can change anything on my side to fix this.
Tony
Well, considering that no other Twitter web app has this problem, it's gotta be on the client side. Now, it might also be that you have your twitter.com/oauth_client setup for your web app to be a desktop app. I recommend double-checking that Twitter knows that your consumer_key is associated with a web app and not a desktop app. Failing that, I return to "it's a bug in your library or the way you're using it."
Andrew Arnott
You were right about an OAuth bug. Getting oauth 0.3.4 fixed my application. The issue is with oauth 0.3.5.
Tony
+1  A: 

If you don't specify an oauth_callback parameter with the URL you'd like the user redirected to when they accept, it will default to the pin-based authentication mechanism. Using oauth_callback=oob will also trigger the pin-based authentication flow.

Nathan de Vries
That did not work for me. For Twitter, they have a callback parameter you can set in the application settings... so I am not sure sending a URL param will make a difference, but thanks for the response.
Tony
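As an added illustration of the oauth_callback point made in this answer (this is example code, not code from the question, the answers, or the oauth/twitter gems): a stdlib-only Ruby sketch of the OAuth 1.0a request-token step, showing how the callback value selects the PIN (out-of-band, "oob") flow versus the browser-redirect flow, and how a web app reads oauth_verifier, the same value the PIN page displays, from the redirect back to its callback. The endpoint host, consumer key/secret and callback URL are placeholders; the treatment of a missing callback as PIN flow follows what this answer states for Twitter, while Tony's comment notes that Twitter also reads a callback from the application settings.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'
require 'uri'

# Placeholder endpoint (the real endpoints discussed on this page live under
# http://twitter.com/oauth/); this host is a stand-in for illustration.
REQUEST_TOKEN_URL = 'https://twitter.example/oauth/request_token'

# OAuth 1.0a percent-encoding: everything except unreserved characters is %XX-encoded.
def oauth_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| '%%%02X' % c.ord }
end

# Which flow the provider will use, judged from the oauth_callback we send:
# "oob" (out-of-band) or no callback means the user is shown a PIN to type in;
# a URL means the browser is redirected back there carrying oauth_verifier.
def authorization_flow(callback)
  callback.nil? || callback.empty? || callback == 'oob' ? :pin : :browser_redirect
end

# Signature base string per OAuth 1.0a: METHOD & enc(URL) & enc(sorted, encoded params).
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret).
# At the request-token step there is no token yet, so the token secret is empty.
def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base_string))
end

# Build the signed parameter set for the request-token call. Passing
# callback: nil omits oauth_callback entirely (the case this answer warns about).
def request_token_params(consumer_key, consumer_secret, callback:,
                         nonce: SecureRandom.hex(16), timestamp: Time.now.to_i,
                         url: REQUEST_TOKEN_URL)
  params = {
    'oauth_consumer_key'     => consumer_key,
    'oauth_nonce'            => nonce,
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => timestamp.to_s,
    'oauth_version'          => '1.0',
  }
  params['oauth_callback'] = callback if callback
  base = signature_base_string('POST', url, params)
  params.merge('oauth_signature' => hmac_sha1_signature(base, consumer_secret))
end

# Render the parameters as the Authorization: OAuth header the request carries.
def authorization_header(params)
  'OAuth ' + params.sort.map { |k, v| %(#{oauth_escape(k)}="#{oauth_escape(v)}") }.join(', ')
end

# In the browser-redirect flow the provider sends the user back to our callback
# with oauth_token and oauth_verifier in the query string; the verifier is what
# the desktop/PIN flow would instead show on screen for the user to type in.
def parse_callback(redirect_url)
  fields = URI.decode_www_form(URI(redirect_url).query.to_s).to_h
  fields.values_at('oauth_token', 'oauth_verifier')
end

if __FILE__ == $PROGRAM_NAME
  web = request_token_params('consumer-key-placeholder', 'consumer-secret-placeholder',
                             callback: 'https://myapp.example/auth/twitter/callback')
  puts "web app -> #{authorization_flow(web['oauth_callback'])}"
  puts authorization_header(web)
  desktop = request_token_params('consumer-key-placeholder', 'consumer-secret-placeholder',
                                 callback: 'oob')
  puts "desktop -> #{authorization_flow(desktop['oauth_callback'])}"
  # Constructed sample redirect, as a web app would receive it after "Allow".
  p parse_callback('https://myapp.example/auth/twitter/callback?oauth_token=abc&oauth_verifier=1234567')
end
```

The practical check this gives you: log the Authorization header your library actually sends on the request-token call. If oauth_callback is absent or "oob" there, the PIN page is the expected outcome regardless of what the application settings say, and the fix is in the library call, not in Twitter's settings.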
A: 

I just changed it from Desktop Application to Web Application on Twitter's settings page, and it's fine for me... :)

Rajiv
A: 

I have the same problem...Twitter keeps giving me a PIN.

Did you solve the problem?

Regards

Ivan

Ivan
A: 

I noticed that when I use the

config.gem "twitter", :version => "0.6.12"

Twitter redirects fine and doesn't show the PIN,

but when I use the newer gem version

config.gem "twitter", :version => "0.9.2"

it always shows the pin.

This definitely needs further investigation, and may be solved with further configuration that I didn't do with the newer gem.

Roy
+1  A: 

Just log in to your Twitter account and edit the application to change it from Desktop to Browser. Everybody is making that mistake, including myself.