8
votes

My application built upon spring-social-twitter that enables users to sign in with Twitter has stopped working recently.

I've got an error message as below:

Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings

Note: I'm using Spring Social Twitter version 1.1.2.RELEASE. And if you use Spring Social Twitter version 1.1.0.RELEASE, you might get a slightly different error message as below:

POST request for "https://api.twitter.com/oauth/request_token" resulted in 403 (Forbidden); invoking error handler


2 Answers

5
votes

Twitter recently (in May 2018) enforced that sign-in-with-Twitter users must whitelist callback URLs for security reasons (see the announcement).

This means callback URLs have to be explicitly and identically set up for all supported third-party applications. You can set up the callback URLs in your Twitter application setup page: https://apps.twitter.com

For example, if your callback URL is http://localhost:8080/myApp/signin/twitter, you must add it to the list of Callback URLs in your Twitter application setup page exactly as it is: http://localhost:8080/myApp/signin/twitter


See also the documentation on Twitter callback URLs.

3
votes

I struggled with this since Twitter made the changes to increase security. My Android app would use a callback URL and the same URL in the Intent Filter. But since the change, the URL I was using had to be registered in the Twitter developer portal. I was using oauth://myapp, but Twitter does not accept that as a valid URL (website).

After a bit of digging, I found that for apps you can specify any scheme, but only as a scheme. For example, I used myapp:// as the callback URL.

In my app, my callback URL was myapp://whatever, and in the Intent filter, I used:

<data android:scheme="myapp" android:host="whatever" />

Twitter accepted the callback URL and it correctly redirected back to my app after the user authenticated with their Twitter credentials.

I had originally used just a normal website, and that worked too, but after validation by Twitter, it asked if I wanted to redirect to My App or to a Chrome browser. Using the above approach it will simply return to your app.

After I did all this, I realized that I could have just added oauth:// as a callback URL and my app would have worked without change.
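The two answers above both come down to one rule: the callback URL the client sends in the request_token step has to match an entry in the registered list, component by component, and a custom scheme like myapp://whatever is matched the same way as an http URL. The following Python is an added illustration of that kind of exact-match check, written for this page; it is not Twitter's implementation and not part of Spring Social. The registered list is constructed from the two URLs discussed above, and the only leniency it grants is the case-insensitivity of scheme and host that RFC 3986 permits.

```python
from urllib.parse import urlsplit

# Constructed whitelist: the two callbacks registered in the answers above.
REGISTERED_CALLBACKS = [
    "http://localhost:8080/myApp/signin/twitter",
    "myapp://whatever",
]

# Error text quoted in the question, returned when a callback is rejected.
REJECT_MESSAGE = ("Callback URL not approved for this client application. "
                  "Approved callback URLs can be adjusted in your application settings")


def _normalize(url):
    """Split a URL into the components that must match exactly.

    Scheme and host are case-insensitive per RFC 3986; path and query are
    compared byte-for-byte, so /myApp and /myapp are different callbacks.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("callback must be an absolute URL with a scheme and host")
    return (
        parts.scheme.lower(),
        (parts.hostname or "").lower(),
        parts.port,      # raises ValueError for a malformed port
        parts.path,
        parts.query,
    )


def is_approved_callback(requested, registered=REGISTERED_CALLBACKS):
    """True only if `requested` matches a registered callback exactly."""
    try:
        wanted = _normalize(requested)
    except ValueError:
        return False
    return any(_normalize(entry) == wanted for entry in registered)


def check_callback(requested, registered=REGISTERED_CALLBACKS):
    """Return (approved, message) the way an authorization server might."""
    if is_approved_callback(requested, registered):
        return True, "ok"
    return False, REJECT_MESSAGE


if __name__ == "__main__":
    # Constructed sample requests: the registered URLs plus near-misses that
    # differ only in scheme, host, port, path case, an appended segment or a
    # trailing slash. Each near-miss is rejected, which is exactly what the
    # question's error message reports.
    for candidate in [
        "http://localhost:8080/myApp/signin/twitter",
        "https://localhost:8080/myApp/signin/twitter",
        "http://localhost:9090/myApp/signin/twitter",
        "http://localhost:8080/myapp/signin/twitter",
        "http://localhost:8080/myApp/signin/twitter/extra",
        "myapp://whatever",
        "myapp://whatever/",
        "oauth://myapp",
    ]:
        approved, message = check_callback(candidate)
        print(f"{'APPROVED' if approved else 'REJECTED'}  {candidate}")
```

The design point is that a callback whitelist is only a protection if the comparison is strict: any prefix, suffix or case tolerance would let an unregistered destination slip through, which is why the registered entry has to be copied character for character as the first answer says.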