I am trying to authorize from Android using Python social. I am passing my token in the format "xxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", and I set backend="twitter" and "grant_type":"convert_token".
I do the same thing for Facebook and it works.
I have the proper settings:
SOCIAL_AUTH_TWITTER_KEY = os.environ.get('SOCIAL_AUTH_TWITTER_KEY', '')
SOCIAL_AUTH_TWITTER_SECRET = os.environ.get('SOCIAL_AUTH_TWITTER_SECRET', '')
but whenever it hits the Twitter backend class at the method user_data, i.e. calling Twitter's API verify_credentials.json endpoint, it crashes with a 400 response followed by:
{
"error": "invalid_request",
"error_description": "Backend responded with HTTP403: {\"errors\":[{\"message\":\"Your credentials do not allow access to this resource\",\"code\":220}]}."
}
I tried manually to recreate things, but the same thing happens.
I am aware of the 31 October Twitter API changes, and I added the callback URLs in Twitter's developer panel, both for the app and the live/development servers.
twittersdk://
http://127.0.0.1:8000/auth/complete/twitter/
I changed the permissions to read + write just in case, but to no use.
Access permission
Read, write, and direct messages
Additional permissions
Request email address
Also, I refreshed the key and secret twice already and carefully placed them on the backend and Android.
Before 2018.10.31 the same setup was working, but all of a sudden nothing works.
From Android I call:
TwitterCore.getInstance().getSessionManager().getActiveSession().getAuthToken().token;
to retrieve the token.
The token is retrieved by Android using https://api.twitter.com/1.1/account/verify_credentials.json
Updates
I tested manually with the help of twurl (ruby app)
twurl authorize -u 'myuser@gmail.com' -p 'mypassword' -c 'xxxxxxxxxxxxxxxxxxxxxxxxx' -s 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' -a
then in ~/.twurlrc there is an access_token (exactly like the one Android is passing).
However, as I found while debugging, the GET request to verify_credentials.json needs token_secret as well, a property which I don't pass in convert_token from Android.
Image showing success:
Question: Do I need to extend the Twitter backend and pass the token_secret param, and how?
SOLUTION
https://github.com/RealmTeam/django-rest-framework-social-oauth2/issues/15 It says here that I need to pass oauth_token_secret
curl -X POST -d "grant_type=convert_token&client_id=<client_id>&backend=twitter&token=oauth_token=<token>%26oauth_token_secret=<secret_token>" http://localhost:8000/auth/api/convert-token
Sending this as application/x-www-form-urlencoded in the request works as needed for the Android app.
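The request shape from the solution, as an added example that is not part of the original post or of the libraries it mentions: it builds the form body with the OAuth1 pair packed inside `token`, then decodes it the way a form parser would, to show why the bare token and an unescaped `&` both lose the secret. It assumes the backend splits the `token` field as a query string, as the curl command above implies; the function names and sample values are constructed.

```python
from urllib.parse import urlencode, parse_qs


def build_convert_token_body(client_id, oauth_token, oauth_token_secret=None):
    """Build the x-www-form-urlencoded body for convert-token with backend=twitter."""
    if oauth_token_secret is None:
        # Bare access token only: the shape of the request that got HTTP 403 / code 220.
        token_field = oauth_token
    else:
        # OAuth1 needs both halves; pack them as an inner query string.
        token_field = urlencode({
            "oauth_token": oauth_token,
            "oauth_token_secret": oauth_token_secret,
        })
    # The outer urlencode escapes the inner '&' as %26, so it stays inside `token`.
    return urlencode({
        "grant_type": "convert_token",
        "client_id": client_id,
        "backend": "twitter",
        "token": token_field,
    })


def unpack_token_field(body):
    """Decode the form body, then split the `token` field into its parts."""
    form = parse_qs(body, strict_parsing=True)
    inner = parse_qs(form["token"][0])  # a bare token has no '=' and yields {}
    return {name: values[0] for name, values in inner.items()}


def has_oauth1_pair(body):
    """True only when both oauth_token and oauth_token_secret reach the backend."""
    creds = unpack_token_field(body)
    return bool(creds.get("oauth_token")) and bool(creds.get("oauth_token_secret"))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    good = build_convert_token_body("cid", "123-abc", "s3cr3t")
    bare = build_convert_token_body("cid", "123-abc")
    # Same fields, but the separator inside `token` was left as a raw '&'.
    unescaped = ("grant_type=convert_token&client_id=cid&backend=twitter"
                 "&token=oauth_token=123-abc&oauth_token_secret=s3cr3t")
    for label, body in (("good", good), ("bare", bare), ("unescaped", unescaped)):
        print(label, has_oauth1_pair(body), body)
```
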