Twitter external login with Owin gives HTTP 403 (Forbidden)

Question

ASP.NET MVC 5 Project.
Owin Version 4.0.0.0

Startup.Auth

app.UseTwitterAuthentication(
  consumerKey: "somekey",
  consumerSecret: "someSecretKey");

The exception happened in the ExternalLogin method

Response status code does not indicate success: 403 (Forbidden).

Here are the callback URLs

FYI: the website is real and it is working without problem, The Twitter Login was working a couple of weeks ago, but Now, suddenly, started to fail with the previous error.

StackTrace

[HttpRequestException: Response status code does not indicate success: 403 (Forbidden).]
   System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() +121834
   Microsoft.Owin.Security.Twitter.<ObtainRequestTokenAsync>d__23.MoveNext() +2387
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Twitter.<ApplyResponseChallengeAsync>d__12.MoveNext() +1091
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<ApplyResponseCoreAsync>d__b.MoveNext() +376
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<ApplyResponseAsync>d__8.MoveNext() +475
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<TeardownAsync>d__5.MoveNext() +215
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +968
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +768
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<RunApp>d__5.MoveNext() +197
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +768
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +768
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +768
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +768
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +768
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +768
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +768
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.AspNet.Identity.Owin.<Invoke>d__0.MoveNext() +448
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.AspNet.Identity.Owin.<Invoke>d__0.MoveNext() +448
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.AspNet.Identity.Owin.<Invoke>d__0.MoveNext() +448
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<RunApp>d__5.MoveNext() +197
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<DoFinalWork>d__2.MoveNext() +184
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar) +117
   System.Web.<>c__DisplayClass11_0.<InvokeEndHandler>b__0() +41
   System.Web.AsyncEventExecutionStep.InvokeEndHandler(IAsyncResult ar) +151
   System.Web.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar) +156

Answer 1

We had a similar issue in the past week or two and found that Twitter, while previously not validating the callback URL, have started checking it.

The login flow for Twitter is like this:

1. Client calls your backend.
2. Backend calls Twitter API with callback URL, keys, etc.
3. Twitter issues a login URL.
4. Backend redirects client to login URL as a result of the challenge.
5. Client logs in on Twitter (and authorises the app)
6. Twitter redirects to the callback URL (usually https://www.example.com/signin-twitter unless you specify an alternative callbackPath)
7. Backend receives Twitter tokens.

The callback URL validation happens at #2 and will return a 403 to the client if it fails.

I note in your image that your callbackPath is /twittersignin but you're not configuring it on the ASP.NET side, so ASP.NET is using /signin-twitter. You should update your callback URLs on Twitter (via the developer portal) to reflect this.