OAuth::Unauthorized (401 Unauthorized)

[billym]

Hi. Since we upgraded to rail 3.2 our 3-legged authorization to twitter (https://dev.twitter.com/docs/auth/3-legged-authorization) has stopped working and we get the following error:

OAuth::Unauthorized (401 Unauthorized):
oauth (0.4.7) lib/oauth/consumer.rb:216:in token_request' oauth (0.4.7) lib/oauth/tokens/request_token.rb:18:inget_access_token'
app/controllers/twitter_controller.rb:40:in `callback'

Nothing was changed in the code, or keys.
I have googled and tried several solutions from others who have had similar 401 problems but nothing works:
-the server time is correct on all servers tested.
-The callback url is set in the Twitter (My applications) area, even tho oauth 1.0a doesn't require it as it is passed in our call to twitter:

options = {
:site => "https://api.twitter.com",
:scheme => :header
}
consumer = OAuth::Consumer.new(token, secret, options)
request_token = consumer.get_request_token(:oauth_callback => callback_url)
session[:request_token] = request_token

On the callback to our app is where the problem occurs when we try to get_access_token:

def callback
request_token = session[:request_token]
access_token = request_token.get_access_token
...
end

We are on Ruby 1.9.3-p327, rails 3.2.10. Any help would be appreciated. Let me know if more debugging output is needed.

[jarthod]

I'm experiencing the same issue, did you find any solution ?

[billym]

I haven't :(
Spent a lot of time on stackoverflow, on twitter's dev site, and so on. All the "solutions" they posted I tried but none worked.

[jarthod]

Ok I found the solution based on this post: http://stackoverflow.com/questions/2612745/oauth-gives-me-401-error

It seems the oauth_verifier is now mandatory when requesting the access token, so I just added it in the callback:

request_token.get_access_token oauth_verifier: params[:oauth_verifier]

We should probably update the readme or add some gotcha ?

[billym]

I'm testing now and still getting same error. Hmm. Going to check keys and settings and test some more.

[jarthod]

I deployed and it's working fine for me. Here is my full controller:

class TwitterController < ApplicationController

  def start_oauth
    request_token = oauth_consumer.get_request_token(:oauth_callback => twitter_oauth_callback_url)
    flash[:request_token] = request_token
    redirect_to request_token.authorize_url
  end

  def oauth_callback
    request_token = flash[:request_token]
    if request_token
      @token = request_token.get_access_token oauth_verifier: params[:oauth_verifier]
    else
      redirect_to twitter_oauth_url
    end
  end

  private

  def oauth_consumer
    config = Rails.application.config.twitter
    options = {
      :site => "https://api.twitter.com",
      :scheme => :header
    }

    OAuth::Consumer.new(config[:consumer_key], config[:consumer_secret], options)
  end

end

[billym]

I just tested again (locally), now it's working. Interesting. Let me test on a test server, then on production...

[billym]

Ok the fix works! Thank you jarthod . Glad you found that stackoverflow question. I guess they do need to update the readme/wiki. I'm going to close this.

[dagumak]

@jarthod I know this is an old post, sorry for bringing this up. Just out of curiosity, why is it safe for you to put the request_token in the flash? For example, why not a session?

[jarthod]

@dagumak the flash storage is in the session, so the safety is the same, it's just that the flash hash is discarded after 1 requests so this avoids any issue with non terminated oauth calls picking up old tokens.

[kieraneglin]

@jarthod Sorry to bring up this old thread, but I'm having a rough time with Twitter.

I'm running into the issue that storing the request_token object in a session serializes it as a hash. This is not a huge problem, since I can deserialize it with something like:

request_token = OAuth::RequestToken.from_hash(consumer, request_token_hash)

However, using the get_access_token method on this object returns OAuth::Unauthorized Exception: 401 Authorization Required with no additional status codes. My get_access_token call looks like so:

request_token.get_access_token(oauth_verifier: params[:oauth_verifier])

---

What I'm wondering is if you've had to update this script and, if so, what have you changed? Twitter is giving me such a hard time with OAuth.

[kieraneglin]

Ah, I spoke too soon. My issue was the serialization after all, but I fixed it with

session[oauth.token] = Marshal.dump(request_token)

In the first step, then

request_token = Marshal.load(session[params[:oauth_token]])

In the second step.

[jarthod]

@kieraneglin Ok glad you found the answer ;)