How to fix "invalid return_url" error when creating oauth token for Trello with httr?

Question

I want to manage my Trello cards and boards using the trelloR package but when I try to create a token with the get_token function, I get an error message on my browser : "Invalid return_url".

my_token <- get_token(key = my_key, secret = my_secret)

my_key is my personal Trello API key and my_secret is my OAuth secret. I got them on the Trello page that gives you your authentication codes, after login : https://trello.com/app-key

To use the Trello API and to access to boards, I need a token. This token is generated with OAuth1.0 by the httr package. Indeed, the function get_token do something like this, according to Jakub Chromec, author and maintainer of trelloR here :

trello.app = httr::oauth_app(
  appname = "trello-app",
  key = my_key,
  secret = my_secret)

trello.urls = httr::oauth_endpoint(
  request = "OAuthGetRequestToken",
  authorize ="OAuthAuthorizeToken?scope=read&expiration=30days&name=trello-app",
  access = "OAuthGetAccessToken",
  base_url = "https://trello.com/1")

httr::oauth1.0_token(
  endpoint = trello.urls,
  app = trello.app)

When I execute this code or the function get_token with my personal key and secret, I am redirected to my browser, which is normal. As described on this page, a screen should appear asking me to allow authentication. But instead I just have an error message in the browser : "Invalid return_url".

In the RStudio console, this remains displayed :

> my_token <- get_token(my_key, my_secret)
Waiting for authentication in browser...
Press Esc/Ctrl + C to abort

I'm using httr 1.4.1, curl 4.2 and trelloR 0.6.0 with R 3.6.1 under macOS 10.15.

Answer 1

Some people reported the problem started after the introduction of Allowed Origins and they were able to fix it by adding the following origin:

http://localhost:1410

on the appkey page. This is a bit surprising to me as the default * should cover all origins, but there you go.

Answer 2

Trying this today (11/23/2019), I could not get wildcards to work as Allowed Origins. You should specify the domain of where you are running the call for authorization.

One source of confusion: The comments under "Allowed Origins" on https://trello.com/app-key refer to sites that "your application is allowed to redirect back to following the authorization flow." That was a bit confusing to me. The list should include sites you want to redirect back to IN ADDITION TO the sites you are calling Trello.authorize() from.

If you are thinking "I don't need a redirect" (and, in fact, if you are using client.js, I don't think you can specify a redirect), then those comments under "Allowed Origins" could lead you to believe you don't need to specify anything there. That would be incorrect.

Summary: Even if you want NO post-authorization re-direct, you still have to list an ORIGIN.

Also, you cannot specify file:// in Allowed Origins, so you cannot run your javascript off a local file.