
Why do users have to enter a 7-digit twitter PIN to grant my application access?

I am implementing some Ruby on Rails code to tweet stuff for my users. I am creating the proper OAuth link, something like:

http://twitter.com/oauth/authorize?oauth_token=y2RkuftYAEkbEuIF7zKMuzWN30O2XxM8U9j0egtzKv

But after my test account grants access to twitter, it pulls up a page saying "You've successfully granted access to . Simply return to and enter the following PIN to complete the process. 1234567"

I have no idea where the user should enter this PIN and why they have to do that. I don't think this should be a necessary step. Twitter should be redirecting the user to the callback URL I provided in the application settings. Does anyone know why this is happening?

UPDATE: I found this article that states I need to send my users to this URL (note "authenticate" instead of "authorize"):

http://twitter.com/oauth/authenticate?oauth_token=y2RkuftYAEkbEuIF7zKMuzWN30O2XxM8U9j0egtzKv

I made the change, but Twitter redirects the user to the authorize path after he clicks "Allow", which then gives him the 7-digit PIN again!

Tony asked Aug 11 '09 20:08


3 Answers

OAuth 1.0a added the PIN to solve a social engineering attack to which OAuth 1.0 was vulnerable. But the PIN only needs to be entered manually by the user if your application is a desktop/iPhone app. If it's a web app, the PIN should flow automatically as part of the browser redirects and the user shouldn't have to see or enter it.

So if your app is a web app, then there's a bug either in your OAuth library or your use of it. If your app is a desktop app, this is a "feature" designed to keep your users safe.

Andrew Arnott answered Nov 15 '22 03:11


If you don't specify an oauth_callback parameter with the URL you'd like the user redirected to when they accept, it will default to the PIN-based authentication mechanism. Using oauth_callback=oob will also trigger the PIN-based authentication flow.

Nathan de Vries answered Nov 15 '22 03:11
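An added example, not code from the question or from either answer, of the request-token leg the answer above refers to: the oauth_callback value is one of the signed parameters of the very first request, so a web app that omits it (or sends "oob") has already selected the PIN flow before the user ever reaches the authorize page. The endpoint URL, consumer key/secret and callback below are constructed placeholders.

```ruby
require "openssl"
require "securerandom"

# Assumed request-token endpoint (placeholder; not taken from the question).
REQUEST_TOKEN_URL = "http://twitter.com/oauth/request_token"

# OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay as-is,
# so "*" is encoded and "~" is not (stricter than URI.encode_www_form_component).
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| "%%%02X" % b }.join }
end

# Signature base string: METHOD & encoded URL & encoded normalized parameter list,
# with parameters sorted by key and each key and value encoded once before joining.
def signature_base_string(method, url, params)
  normalized = params.sort.map { |k, v| "#{oauth_escape(k)}=#{oauth_escape(v)}" }.join("&")
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join("&")
end

# Builds the signed parameters for the request-token call. `callback` is a real
# URL for a web app, or "oob" for a desktop app that expects the user to type a PIN.
def request_token_params(consumer_key, consumer_secret, callback,
                         nonce: SecureRandom.hex(16), timestamp: Time.now.to_i.to_s)
  params = {
    "oauth_callback"         => callback,
    "oauth_consumer_key"     => consumer_key,
    "oauth_nonce"            => nonce,
    "oauth_signature_method" => "HMAC-SHA1",
    "oauth_timestamp"        => timestamp,
    "oauth_version"          => "1.0",
  }
  base = signature_base_string("POST", REQUEST_TOKEN_URL, params)
  key = "#{oauth_escape(consumer_secret)}&" # no token secret exists yet at this leg
  signature = [OpenSSL::HMAC.digest("sha1", key, base)].pack("m0") # strict base64
  params.merge("oauth_signature" => signature)
end

# Renders the parameters as the Authorization header value the request is sent with.
def authorization_header(params)
  "OAuth " + params.sort.map { |k, v| "#{oauth_escape(k)}=\"#{oauth_escape(v)}\"" }.join(", ")
end

# A web app can check this before redirecting the user: a missing or "oob"
# callback means the PIN page, not a redirect back to the site.
def pin_flow?(callback)
  callback.nil? || callback.empty? || callback == "oob"
end
```

Because the callback is covered by the signature, it cannot be added or changed afterwards; it has to be correct when the request token is requested.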


Just log in to your Twitter account and edit the application to change it from Desktop to Browser. Everybody is making that mistake, including myself.

Chandrachur answered Nov 15 '22 04:11