I have a Rails 5 (Ruby 2.3.3) app with OmniAuth (1.6.1; omniauth-oauth 1.1.0) and omniauth-twitter (1.4.0). When a user is directed to Twitter for the OAuth flow, they see the following error after tapping the "Authorize application" button:
Whoa there!
There is no request token for this page. That's the special key we need from applications asking to use your Twitter account. Please go back to the site or application that sent you here and try again; it was probably just a mistake.
The most unfortunate problem about this error is it doesn't happen locally—I have an identically configured app in Twitter's app management console, save for a different URL (127.0.0.1 for the local app, a Heroku URL for the server).
Additionally, we have other OmniAuth strategies that work without issue locally and in production.
Verify that your system clock is set correctly and that all of your keys are entered correctly. Ensure you're using the right paths (api.twitter.com/oauth/*) and make sure that you're actually sending a request token to the oauth/authorize page and not an access token.
Related
I'm using omniauth-facebook to allow users to login through Facebook on my rails app.
My site is SSL, and the authentication works perfectly in a local environment, but in production I get the following error: "Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://"
I see a lot of similar questions but none of the solutions there work, so I resort to asking. Can anyone help?
I have built an app in Rails and hooked up SSL through expedited SSL and Heroku. I implemented Facebook omniauth for users to log on as well. When using the standard log in method the connection is indeed secure with a green lock showing in Chrome's browser window. When users log on via Facebook omniauth though, they have a lock with a caution symbol, and the explanation of:
The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.
Since I am just learning, I do not know if I should be concerned about this or not. My gut says to not worry about it, but it still makes me feel uneasy.
The problem was I was using http: instead of https: inside of a model when grabbing user images. Simple oversight.
Everything works fine in a development/localhost environment.
When deploying to heroku, using sandbox/test credentials on a new app, and creating a new payment I am getting
A PayPal::SDK::Core::Exceptions::UnauthorizedAccess occurred in orders#create:
Failed. Response code = 401. Response message = Unauthorized.
Again, everything works in a development environment
Should I permit any specific domains (like in Facebook integration)?
If you are running a Rails application on a public server, there is quite a chance that the Rails environment is set to "production".
If you further use the config/initializers/paypal.rb and config/paypal.yml generated by the Paypal API SDK's standard generator, then:
the initializer loads configuration for the current Rails environment, which is "production"
and in the production configuration one important line presumes that you want to run on the live API
So most probably you are attempting to communicate with the live API without knowing it. Changing the line to mode: sandbox should make you happy.
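A check for the situation this answer describes, written as an added example (not code from the PayPal SDK or from the poster). The YAML below is a constructed sample in the assumed shape of a generated `config/paypal.yml`; the credential values and the helper names are hypothetical.

```ruby
require "yaml"

# Constructed sample; the credentials are placeholders, not real values.
SAMPLE_PAYPAL_YML = <<~YAML
  test: &default
    mode: sandbox
    client_id: SANDBOX_CLIENT_ID_PLACEHOLDER
    client_secret: SANDBOX_CLIENT_SECRET_PLACEHOLDER
  development:
    <<: *default
  production:
    <<: *default
    mode: live
YAML

# Parse once, resolving YAML anchors and merge keys (<<: *default).
def load_paypal_config(yaml_text)
  YAML.safe_load(yaml_text, aliases: true) || {}
end

# Returns { environment => mode } as the initializer would see it.
def effective_modes(yaml_text)
  load_paypal_config(yaml_text).each_with_object({}) do |(env, settings), modes|
    modes[env] = settings.is_a?(Hash) ? settings["mode"].to_s : ""
  end
end

# Returns warnings for the environment the app boots in (RAILS_ENV).
def paypal_mode_warnings(yaml_text, rails_env)
  config = load_paypal_config(yaml_text)
  settings = config[rails_env]
  return ["no PayPal settings for environment #{rails_env.inspect}"] unless settings.is_a?(Hash)

  warnings = []
  mode = settings["mode"].to_s
  warnings << "mode is #{mode.inspect}, expected sandbox or live" unless %w[sandbox live].include?(mode)

  # Sandbox credentials inherited into a live-mode environment are the
  # mismatch the answer points at as the cause of the 401.
  sandbox_ids = config.values
                      .select { |s| s.is_a?(Hash) && s["mode"] == "sandbox" }
                      .map { |s| s["client_id"] }
  if mode == "live" && sandbox_ids.include?(settings["client_id"])
    warnings << "#{rails_env} is in live mode but reuses a sandbox client_id"
  end
  warnings
end
```

If the real file contains ERB tags, render it with ERB before passing the text to these helpers.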
I had this problem and I called Paypal. It was a config problem in my account.
To resolve, I went to https://developer.paypal.com, logged in, then clicked on Dashboard, then on my account (left). The Direct credit cards has a grey x next to it, so you have to click the link next to it that reads Enable live credentials. Once you do this you have to answer some verification questions, then they approve your account, then you're live and the unauthorized error goes away.
This problem has puzzled me for a few days, and I think I've finally narrowed it down. I'm using the Facebook JS SDK to do client side authentication:
FB.login(function(response) {
  if (response.authResponse) {
    var url = "/auth/facebook/callback?redirect=";
    url += '&' + $.param({ signed_request: response.authResponse.signedRequest });
    window.location = url;
  }
}, { scope:'email,publish_stream,publish_actions' });
Note that I'm manually passing in the signedRequest. For some reason when I don't, I get an error that complains that there must be a 'code' parameter or a signed request (OmniAuth Strategies Facebook NoAuthorizationCodeError (must pass either a `code` parameter or a signed request (via `signed_request` parameter):). This is with omniauth-facebook gem version 1.4.0. If I use the latest of 1.4.1, I get the invalid_credentials issue that everyone else seems to be getting.
When I try to log in, something strange happens. I turned on my Chrome debugger, switched to the Network tab. I see two network requests, both GET to
https://www.MYHOST.com/auth/facebook/callback?redirect=&signed_request=BIGSTRINGHERE
However, interestingly the first request has a status of 301 and the second has a status of 302, and the next network request is to the /auth/failure callback. To make things more puzzling, this doesn't reproduce locally, only in production. Locally, it works and only does a single request, which has a http status of 302.
Also it's worth noting that after hitting the failure callback, it returns to my website homepage, which then triggers the autologin feature because it detects the user is a FB user and has an account on the site. This piece of code hits the same callback url and succeeds.
So my question is why is there a second request to the callback and how do I get rid of it to presumably get the login to work correctly? Bonus question is why do I have to manually pass along the signedRequest when tutorials don't seem to have to do this (e.g. RailsCast #360)?
A few notes to clarify and provide details:
I am using omniauth-facebook 1.4.0, omniauth 1.1.4, and omniauth-oauth 1.0.3
I am not using Devise. I also don't seem to be initializing the facebook omniauth more than once.
This issue only happens locally and not in production using the same Facebook app ID and secret. The login url is set to a production domain and I use some local configurations to get production domains to point locally.
The appID and secret are correct (the autologin works, and it works locally).
The Facebook app is not in sandbox mode.
Turns out the issue was that the callback that was redirected to was https. Since that page wasn't available in https, it redirected to http, resulting either in a loss of data or bad data. I failed to notice that the second request was http and not https. Enabling ssl for that callback action fixed the issue.
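The redirect pattern from this thread can be checked mechanically. The following is an added example, not code from the poster or from OmniAuth: it takes a recorded redirect chain and flags an HTTPS-to-HTTP downgrade and any `signed_request` or `code` parameter forwarded to a plain-HTTP URL. The host, parameter values and function name are constructed placeholders.

```ruby
require "uri"

# Constructed hops mirroring the Network tab described in the question:
# [status, requested URL, Location header].
SAMPLE_CHAIN = [
  [301, "https://www.example.test/auth/facebook/callback?redirect=&signed_request=SIGNED",
        "http://www.example.test/auth/facebook/callback?redirect=&signed_request=SIGNED"],
  [302, "http://www.example.test/auth/facebook/callback?redirect=&signed_request=SIGNED",
        "/auth/failure"]
].freeze

# Query parameters that carry OAuth material in this flow.
SENSITIVE_PARAMS = %w[signed_request code].freeze

# Returns one finding per problem found in the chain, in hop order.
def redirect_findings(chain)
  chain.each_with_object([]) do |(status, url, location), findings|
    next unless (300..399).cover?(status) && location

    from = URI.parse(url)
    to = URI.join(url, location) # resolves relative Location headers

    if from.scheme == "https" && to.scheme == "http"
      findings << { hop: url, issue: :scheme_downgrade, to: to.to_s }
    end

    # OAuth parameters forwarded to a plain-HTTP target travel unencrypted.
    leaked = URI.decode_www_form(to.query.to_s).map(&:first) & SENSITIVE_PARAMS
    if to.scheme == "http" && !leaked.empty?
      findings << { hop: url, issue: :credential_over_http, to: to.to_s, params: leaked }
    end
  end
end
```

In Rails the corresponding fix is to serve the callback over HTTPS, for example with `config.force_ssl = true`, so the first hop is never redirected to `http://`.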
I am new to developing a Salesforce app and I am using OAuth 1 for authentication.
I am able to generate the Request Token, and I re-direct the user to the salesforce site.
Once I enter my credentials, I get a
Remote Access Authorization Error
There was a problem in setting up your remote access
with
oauth_error_code=1800
In my Login History page, it shows Status as Success for Application type OAuth.
I don't get any entry in my Debug Logs page.
I have enabled Development Mode.
Any ideas what's wrong?
So https://login.salesforce.com/services/oauth2/success is a stub URL for callbacks - and that is the screen you are seeing there, and the access_token variable is your session ID for the user. So the OAuth flow is working correctly.
In the code, you might check to see if oauthResponse.access_token is getting set correctly. If so, it looks like:
sfw.login( setupHomeView );
That is what should tell it to move from that page to the next UI page.
You might also check out the Force.com Mobile SDK (link). It also includes PhoneGap and has a great OAuth wrapper built in.