greco.roamin

Reputation: 807

Twitter oauth2/invalidate_token error "Unable to verify your credentials", "authenticity_token_error"

I'm getting an error when trying to use Twitter oauth2/invalidate_token. The error is: {"errors":[{"code":99,"message":"Unable to verify your credentials","label":"authenticity_token_error"}]}

I'm using the TwitterAPIExchange.php wrapper which you can find here and here. The framework is Codeigniter 3.0 and this code is within a method that is called by AJAX (but I don't think either of those matter to this).

Here is my code:

// User-context credentials: the access token/secret belong to the signed-in user,
// the consumer key/secret belong to the app.
$settings = array(
    'oauth_access_token' => $this->session->userdata('oauth_token'),
    'oauth_access_token_secret' => $this->session->userdata('oauth_token_secret'),
    'consumer_key' => TWITTER_CONSUMER_KEY,
    'consumer_secret' => TWITTER_CONSUMER_SECRET
);

$twitter = new TwitterAPIExchange($settings);
$url = 'https://api.twitter.com/oauth2/invalidate_token';
$requestMethod = 'POST';
// The token being passed for invalidation is the user's access token.
$postfields = array('access_token' => $this->session->userdata('oauth_token'));
$response_str = $twitter->buildOauth($url, $requestMethod)
                ->setPostfields($postfields)
                ->performRequest();
$response_arr = [];
parse_str($response_str, $response_arr);

The contents of $response_str are the error. The contents of oauth_token and oauth_token_secret are the user's, not the app's.

As a test, when I replace the call to oauth2/invalidate_token with a GET to statuses/user_timeline.json, it works fine. So it seems the settings are correct. If I replace the relevant lines above and leave the settings alone, this works fine:

$url = 'https://api.twitter.com/1.1/statuses/user_timeline.json';
$getfield = '?user_id=' . $uid;
$requestMethod = 'GET';
$twitter = new TwitterAPIExchange($settings);
echo $twitter->setGetfield($getfield)
     ->buildOauth($url, $requestMethod)
     ->performRequest();

This page in the docs talks about this error in particular, but in the context of an app-only request resulting in an error; this is not an app-only request, and the causes listed don't seem to apply.

Any ideas?

Upvotes: 2

Views: 2278

Answers (1)

greco.roamin

Reputation: 807

Found the answer. I was confusing two concepts. The oauth2/invalidate_token call is for bearer tokens in the case of application-only authentication, which explains why the error is only documented for that case. I want to revoke a user token, which, as I've come to learn, is not possible. So, the only way to manage this is to pretend to revoke the app on my side, and keep track of that. The app will still be auth'd in the user's Twitter account. For an example of this, try Pinterest. You can turn on Twitter through Pinterest and the Pinterest app will show in your Twitter account. If you turn off the app through Pinterest, and look again in your Twitter apps, it will still be there. In other words, you didn't turn it off. I'm leaving this here in case it helps someone else not waste time on this. It seems quite obvious we should be able to revoke an app (e.g. Facebook allows this), but it seems you can't with Twitter. If anyone has more or different knowledge on this subject, please post it.

Upvotes: 2
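As an added example (not code from the question or from the TwitterAPIExchange wrapper), this PHP sketch separates the two cases the answer distinguishes: the bearer-token revocation that oauth2/invalidate_token actually performs, which is authenticated with the app's consumer key and secret rather than a user token, and the app-side bookkeeping that stands in for revoking a user token. The function buildBearerRevocation, the class TokenStore and all token values are hypothetical.

```php
<?php
// Added example; not from the question or the TwitterAPIExchange wrapper.
// oauth2/invalidate_token revokes an app-only *bearer* token and is authenticated
// with the app's consumer key and secret (HTTP Basic), not with a user's OAuth 1.0a
// token; a request signed with a user token therefore fails with error 99.
// A user's token gets no revocation call here, so "disconnecting" a user is
// bookkeeping on the app's side. Names below are hypothetical.
/** Build (without sending) the request oauth2/invalidate_token expects. */
function buildBearerRevocation(string $consumerKey, string $consumerSecret, string $bearerToken): array
{
    // Credentials are URL-encoded, joined with ':' and base64-encoded, as for oauth2/token.
    $basic = base64_encode(rawurlencode($consumerKey) . ':' . rawurlencode($consumerSecret));
    return [
        'method'  => 'POST',
        'url'     => 'https://api.twitter.com/oauth2/invalidate_token',
        'headers' => ['Authorization: Basic ' . $basic,
                      'Content-Type: application/x-www-form-urlencoded'],
        'body'    => http_build_query(['access_token' => $bearerToken]),
    ];
}
/** App-side record of user tokens; in CodeIgniter this would be a model over the DB. */
final class TokenStore
{
    private array $tokens = [];        // userId => ['token' => ..., 'secret' => ...]
    private array $disconnected = [];  // userId => when the user disconnected on our side

    public function save(int $userId, string $token, string $secret): void
    {
        $this->tokens[$userId] = ['token' => $token, 'secret' => $secret];
        unset($this->disconnected[$userId]);
    }

    /** The only "revoke" available for a user token: forget it and record the event. */
    public function disconnect(int $userId): void
    {
        unset($this->tokens[$userId]);
        $this->disconnected[$userId] = date(DATE_ATOM);
    }

    public function isConnected(int $userId): bool
    {
        return isset($this->tokens[$userId]);
    }
}

$store = new TokenStore();
$store->save(42, 'constructed-user-token', 'constructed-user-secret'); // constructed values
$store->disconnect(42);
var_dump($store->isConnected(42)); // bool(false): the app treats the user as disconnected
```

Because the user's token stays valid at Twitter after disconnect(), a real store should also delete it from persistent storage and the session, so nothing in the app can keep using it.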
