Reputation: 31
I have a Ruby on Rails application that works great on my computer and on my server. I'm moving this application to another server that runs on another hosting service, and I have a problem related to the OAuth Ruby gem.
On any request I make using the OAuth gem, I get:
    OAuth::Unauthorized (401 Unauthorized):
    oauth (0.4.3) lib/oauth/consumer.rb:217:in `token_request'
    oauth (0.4.3) lib/oauth/consumer.rb:139:in `get_request_token'
    ...
My code is:
    def self.consumer
      # The readkey and readsecret below are the values you get during registration
      OAuth::Consumer.new("XXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "YYYYYYYYYYYYYYYYYYYYYYYYYYYY", {:site => "http://api.twitter.com"})
    end

    def create_authorize_url
      @request_token = UserController.consumer.get_request_token(:oauth_callback => "http://mysite.com/callback")
      session[:request_token] = @request_token.token
      session[:request_token_secret] = @request_token.secret
      redirect_to @request_token.authorize_url
    end
The problem is that the same code works well on my computer and on other servers. This happens on only one server. Is there anything related to the firewall or something that can block OAuth calls?
I searched this error a lot and I didn't get any answer, and that's why I am asking this here.
Thanks.
Upvotes: 3
Views: 1721
Reputation: 82
I found that my Twitter Consumer Key and Secret were in config/application.yml and this file was listed in .gitignore, because of which it was not getting pushed to Heroku. As a result, this 401 error was showing up from Twitter OAuth because the app's credentials were missing. The solution was to find the line in the .gitignore file that mentions any configuration file which contains your Twitter (or another OAuth provider's) app's credentials. After removing the line from .gitignore, do

    git add .
    git commit -m "Added back configuration files for OAuth provider"

and if you're on Heroku, you can then do

    git push heroku master

and hopefully, this should work.
Upvotes: 1
Reputation: 493
It could very well be that the server environment you are trying it on is using some kind of reverse proxy setup where the OAuth server has an internal address and port whereas your OAuth client will just see the external routable address.
This will result in different signature base strings on client and server and hence will give you an Authorization error during verification!
We've had similar issues in our setup where everything works fine in development environments but fails in production where we have a very different network setup (DMZ, etc).
As we are using Nginx, the solution was to pass the external host to the internal application server using the proxy_set_header directive:
    server {
        # The external IP
        listen x.x.x.x;
        ...
        location /api {
            # Internal app server
            proxy_pass http://192.168.1.100:4000;
            # Pass the external IP to the app server
            proxy_set_header Host $host;
        }
        ....
    }
But also check your server clocks first; NTP is your friend.
Upvotes: 0
Reputation: 13058
My guess is there's a time skew. Try to synchronise the clock using ntpdate (and using ntp in general is also a good idea).
Upvotes: 0
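Both failure modes from the two answers above (a proxy that changes the host the server signs against, and clock skew), as an added Ruby example that is not from any poster or from the oauth gem: a minimal OAuth 1.0 HMAC-SHA1 signer and verifier following RFC 5849. The host names, key, secret, nonce, timestamp and the 300-second window are constructed assumptions.

```ruby
require "openssl"

MAX_SKEW = 300            # seconds; assumed window, each provider picks its own
NOW      = 1_700_000_000  # constructed epoch seconds
KEY, SECRET = "constructed-key", "constructed-secret"

# RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
def enc(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Signature base string: METHOD & encoded base URL & encoded sorted parameters.
# The host is part of the signed data, so both sides must agree on it.
def base_string(req, host)
  pairs = req[:params].map { |k, v| [enc(k), enc(v)] }.sort.map { |p| p.join("=") }.join("&")
  [req[:method].upcase, enc("#{req[:scheme]}://#{host.downcase}#{req[:path]}"), enc(pairs)].join("&")
end

def sign(req, host, consumer_secret, token_secret = "")
  key = "#{enc(consumer_secret)}&#{enc(token_secret)}"
  [OpenSSL::HMAC.digest("SHA1", key, base_string(req, host))].pack("m0")
end

# Client side: signs against the host name it connects to.
def client_request(host, consumer_key, consumer_secret, client_now)
  req = { method: "POST", scheme: "http", path: "/oauth/request_token",
          params: { "oauth_consumer_key" => consumer_key, "oauth_nonce" => "constructed-nonce",
                    "oauth_signature_method" => "HMAC-SHA1", "oauth_timestamp" => client_now.to_s,
                    "oauth_version" => "1.0", "oauth_callback" => "http://mysite.com/callback" } }
  req.merge(signature: sign(req, host, consumer_secret))
end

# Server side: rebuilds the base string from the host *it* sees, then compares.
def verify(req, host_seen, consumer_secret, server_now)
  skew = (server_now - req[:params]["oauth_timestamp"].to_i).abs
  return :stale_timestamp if skew > MAX_SKEW
  expected = sign(req, host_seen, consumer_secret)
  OpenSSL.secure_compare(expected, req[:signature]) ? :ok : :signature_mismatch
end

req = client_request("api.example.test", KEY, SECRET, NOW)
puts verify(req, "api.example.test", SECRET, NOW)    # proxy forwards the external Host
puts verify(req, "192.168.1.100:4000", SECRET, NOW)  # backend sees its internal address
late = client_request("api.example.test", KEY, SECRET, NOW + 600)
puts verify(late, "api.example.test", SECRET, NOW)   # client clock 10 minutes ahead
```

Either failure surfaces to the client as the same 401, so the host seen by the verifier and the clocks on both ends have to be checked separately.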
Reputation: 10150
Try rescuing the OAuth::Unauthorized exception and inspecting its wrapped response. Something like:
    def create_authorize_url
      @request_token = UserController.consumer.get_request_token(:oauth_callback => "http://mysite.com/callback")
      session[:request_token] = @request_token.token
      session[:request_token_secret] = @request_token.secret
      redirect_to @request_token.authorize_url
    rescue OAuth::Unauthorized => e
      logger.error e.response.inspect
    end
The OAuth provider may add additional information in the 401 response they send you. A 401 on a request token request seems a little odd to me, but the OAuth spec does talk about it some.
One suspicion I have is that the hosting service you are looking to use may be blocked by the provider due to bad behavior, in which case you need to talk to them about it.
But, we can't really know why without more information.
Upvotes: 0
Reputation: 31
OK, here are the working server's gems and Ruby version.
Gems:
    root@phcf:/www/rails# gem list
    *** LOCAL GEMS ***
    aaronp-frex (1.0.1)
    actionmailer (2.3.8, 2.3.5)
    actionpack (2.3.8, 2.3.5)
    activerecord (2.3.8, 2.3.5)
    activeresource (2.3.8, 2.3.5)
    activesupport (2.3.8, 2.3.5)
    addressable (2.2.1)
    chronic (0.2.3)
    configuration (1.1.0)
    daemons (1.0.10)
    eventmachine (0.12.10)
    facebook_oauth (0.2.0)
    faraday (0.4.6)
    fastthread (1.0.7)
    gemcutter (0.5.0)
    gruff (0.3.6)
    heroku (1.10.8, 1.9.13)
    highline (1.5.2)
    hoe (2.5.0)
    hpricot (0.8.2)
    json (1.2.2)
    json_pure (1.2.3)
    launchy (0.3.7)
    mime-types (1.16)
    multi_json (0.0.4)
    mysql (2.8.1)
    net-sftp (2.0.4)
    net-ssh (2.0.23)
    nokogiri (1.4.1)
    oauth (0.4.3)
    oauth2 (0.0.13)
    passenger (2.2.9)
    pastiepacker (1.1.1)
    rack (1.1.0, 1.0.1)
    rails (2.3.8, 2.3.5)
    rake (0.8.7)
    rest-client (1.4.2)
    rmagick (2.12.2)
    rubyforge (2.0.4)
    rubygems-update (1.3.5)
    shared-mime-info (0.1)
    steam-condenser (0.10.0, 0.9.0)
    thin (1.2.5)
    tmail (1.2.7.1)
    twitter_oauth (0.4.3)
    unicorn (0.96.1)
    xmpp4r (0.5)
    xmpp4r-simple (0.8.8)
Ruby version:
    root@phcf:/www/rails# ruby -v
    ruby 1.8.7 (2008-08-11 patchlevel 72) [x86_64-linux]
Upvotes: 0
Reputation: 1
Sorry. The gems installed on the server:
    root@server1:~# gem list
    *** LOCAL GEMS ***
    actionmailer (2.3.8)
    actionpack (2.3.8)
    activerecord (2.3.8)
    activeresource (2.3.8)
    activesupport (3.0.0, 2.3.8)
    addressable (2.2.1)
    builder (2.1.2)
    facebook_oauth (0.2.0)
    faraday (0.4.6)
    ffi (0.6.3)
    hpricot (0.8.2)
    json (1.2.4)
    mime-types (1.16)
    multi_json (0.0.4)
    oauth (0.4.3, 0.3.5)
    oauth2 (0.0.13)
    rack (1.1.0)
    rails (2.3.8)
    rake (0.8.7)
    ruby-hmac (0.4.0)
    ruby-mysql (2.9.3)
    rubygems-update (1.3.7)
    sqlite3-ruby (1.3.1)
    tmail (1.2.7.1)
    twitter_oauth (0.4.3)
Server's Ruby version:
    root@server1:~# ruby -v
    ruby 1.8.7 (2010-01-10 patchlevel 249) [x86_64-linux]
Thanks for helping.
Upvotes: 0