OAuth RequestToken no longer works in Rails 3.1 OAuth::Unauthorized: 401 Unauthorized #106

strukturedkaos opened this Issue Dec 26, 2011 · 9 comments


None yet

6 participants


I successfully implemented a Rails 3.0.9 app as an OAuth provider using the oauth and oauth-plugin gems. However, to Rails 3.1.3, I'm receiving an 401 Unauthorized error when attempting to get the request token. I'm not sure whether it's an incompatibility with the gem or an issue with Rails 3.1.3.

I've been testing locally with the following:

  • Rails 3.1.3
  • oauth (0.4.5)
  • oauth-plugin (0.4.0.rc2)

Consumer Key: BkdI1PnzRuvKDw2Qs1wVxtDrtvmqhUgeXLwNpNtm Consumer

Secret: eCY7JFk4vK6IeWXVq7yS3OMVT1XKpVOWOImsy3iw

Request Token URL: http://localhost:3000/oauth/request_token

Access Token URL: http://localhost:3000/oauth/access_token

Authorize URL: http://localhost:3000/oauth/authorize

In the console:

ruby-1.9.2-p290 :003 > @consumer = OAuth::Consumer.new 
                                   {:site => "http://localhost:3000"}
=> #<OAuth::Consumer:0x007fe93d5bcdf8 @key="BkdI1PnzRuvKDw2Qs1wVxtDrtvmqhUgeXLwNpNtm",

ruby-1.9.2-p290 :004 > @consumer.get_request_token
OAuth::Unauthorized: 401 Unauthorized 
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/oauth-0.4.5/lib/oauth/consumer.rb:219:in `token_request'
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/oauth-0.4.5/lib/oauth/consumer.rb:139:in `get_request_token'
from (irb):4
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/railties-3.1.3/lib/rails/commands/console.rb:45:in `start'
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/railties-3.1.3/lib/rails/commands/console.rb:8:in `start'
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/railties-3.1.3/lib/rails/commands.rb:40:in `<top (required)>'
from script/rails:6:in `require'
from script/rails:6:in `<main>'

I've tried downgrading the oauth and oauth-plugin gems, but that doesn't seem to help. The same setup seems to work as expected in Rails 3.0.9. Any help would be greatly appreciated.



Anyone have any idea what could be going on?


get_request_method wants to get a hash (see: http://oauth.rubyforge.org/rdoc/classes/OAuth/Consumer.html#M000109), but string is provided (https://github.com/pelle/oauth-plugin/blob/master/lib/oauth/controllers/consumer_controller.rb#25 ):

request_url = callback_oauth_consumer_url(params[:id]) + '?' + request.query_string
@request_token = @consumer.get_request_token(request_url)

I have similar issue. I'm using Rails 3.0.11
All works fine at my localhost but raises 401 Unauthorized in production mode.
Where is some articles describing about difference system time between localhost and productions server. But it's didn't helped me. I've change time at local machine trying to pass :oauth_timestamp nothing


I think I have the same issue now with Rails 3.2. When requesting a request_token, I get 401 Unauthorized response. But here is how it looks on server side:

Started POST "/oauth/request_token" for at 2012-04-25 14:11:56 +0300
Processing by OauthController#request_token as /
Rendered text template (0.0ms)
Filter chain halted as #false, :strategies=>:two_legged}, @strategies=[:two_legged]> rendered or redirected
Completed 401 Unauthorized in 56ms (Views: 55.1ms | ActiveRecord: 0.0ms)

Basically it stumbles at this:

oauthenticate :strategies => :two_legged, :interactive => false, :only => [:request_token]

Any suggestion how this can be fixed and what is going on?


I'm not sure if I can advertise another gem here, so excuse me. But I've solved this problem by switching to doorkeeper gem


Hmm, I may have to keep doorkeeper a shot then.


Pretty cool, thanks for the hint!


I had to do a few things to get this working. First the middleware was using find_by_key on ClientApplication which mongoid doesn't support, so I added this:

def self.find_by_key(key)
  ClientApplication.where(key: key).first

Then the 401 unauthorized for /oauth/request_token came up. I noticed it was trying to mass assign nonce and timestamp and showed a warning for this. (We have whitelist attributes on).

So I added:

attr_accessible :nonce, :timestamp

to oauth_nonce.rb and it seemed to fix it.


I had to do a couple of things to fix the 401 unauthorized issue:

1) Removed the two-legged strategy by adding this to the application controller that I wanted to check:

before_filter oauthenticate :interactive => false, :strategies => [:token]

2) Then added this to the application controller in order to set the request variable to token BEFORE the oauthenticate method is executed

before_filter :oauth_strategies

def oauth_strategies
self.request.env["oauth.strategies"] = [:token]

This is just a quick fix to make the basic flow work, there is probably a better solution for this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment