Django AllAuth with Twitter Error: "No access to private resources at api.twitter.com"
Question:
I’m trying to setup the Django AllAuth Twitter login. When the user authenticates with Twitter and is redirected to my website, Django AllAuth raises the Error "No access to private resources at api.twitter.com" and I’m pretty lost here. I have the following settings in my settings.py:
SOCIALACCOUNT_PROVIDERS = {
"twitter": {
# From https://developer.twitter.com
"APP": {
"client_id": os.environ["TWITTER_API_KEY"],
"secret": os.environ["TWITTER_API_SECRET"],
}
},
}
Stack Trace:
DEBUG Signing request <PreparedRequest [POST]> using client <Client client_key={consuner_key}, client_secret=****, resource_owner_key=None, resource_owner_secret=None, signature_method=HMAC-SHA1, signature_type=AUTH_HEADER, callback_uri=None, rsa_key=None, verifier=None, realm=None, encoding=utf-8, decoding=utf-8, nonce=None, timestamp=None>
DEBUG Including body in call to sign: False
DEBUG Collected params: [('oauth_callback', 'http://127.0.0.1:8000/accounts/twitter/login/callback/'), ('oauth_nonce', '107239631555922908281648822311'), ('oauth_timestamp', '1648822311'), ('oauth_version', '1.0'), ('oauth_signature_method', 'HMAC-SHA1'), ('oauth_consumer_key', '{consuner_key}')]
DEBUG Normalized params: oauth_callback=http%3A%2F%2F127.0.0.1%3A8000%2Faccounts%2Ftwitter%2Flogin%2Fcallback%2F&oauth_consumer_key={consuner_key}&oauth_nonce=107239631555922908281648822311&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1648822311&oauth_version=1.0
DEBUG Normalized URI: https://api.twitter.com/oauth/request_token
DEBUG Signing: signature base string: POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252F127.0.0.1%253A8000%252Faccounts%252Ftwitter%252Flogin%252Fcallback%252F%26oauth_consumer_key%3D{consuner_key}%26oauth_nonce%3D107239631555922908281648822311%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1648822311%26oauth_version%3D1.0
DEBUG Signature: {signature}
DEBUG Encoding URI, headers and body to utf-8.
DEBUG Updated url: https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2F127.0.0.1%3A8000%2Faccounts%2Ftwitter%2Flogin%2Fcallback%2F
DEBUG Updated headers: {b'User-Agent': b'python-requests/2.27.1', b'Accept-Encoding': b'gzip, deflate', b'Accept': b'*/*', b'Connection': b'keep-alive', b'Content-Length': b'0', b'Authorization': b'OAuth oauth_nonce="107239631555922908281648822311", oauth_timestamp="1648822311", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="{consuner_key}", oauth_signature="{oauth_signature}"'}
DEBUG Updated body: None
DEBUG Starting new HTTPS connection (1): api.twitter.com:443
DEBUG https://api.twitter.com:443 "POST /oauth/request_token?oauth_callback=http%3A%2F%2F127.0.0.1%3A8000%2Faccounts%2Ftwitter%2Flogin%2Fcallback%2F HTTP/1.1" 200 129
[01/Apr/2022 14:11:52] "GET /accounts/twitter/login/ HTTP/1.1" 302 0
DEBUG Signing request <PreparedRequest [POST]> using client <Client client_key={consuner_key}, client_secret=****, resource_owner_key=dkDlygAAAAABa6NrAAABf-V328s, resource_owner_secret=****, signature_method=HMAC-SHA1, signature_type=AUTH_HEADER, callback_uri=None, rsa_key=None, verifier=None, realm=None, encoding=utf-8, decoding=utf-8, nonce=None, timestamp=None>
DEBUG Including body in call to sign: False
DEBUG Collected params: [('oauth_verifier', '{verifier_value}'), ('oauth_nonce', '23913555268131873461648822314'), ('oauth_timestamp', '1648822314'), ('oauth_version', '1.0'), ('oauth_signature_method', 'HMAC-SHA1'), ('oauth_consumer_key', '{consuner_key}'), ('oauth_token', 'dkDlygAAAAABa6NrAAABf-V328s')]
DEBUG Normalized params: oauth_consumer_key={consuner_key}&oauth_nonce=23913555268131873461648822314&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1648822314&oauth_token={oauth_token}&oauth_verifier={verifier_value}&oauth_version=1.0
DEBUG Normalized URI: https://api.twitter.com/oauth/access_token
DEBUG Signing: signature base string: POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Faccess_token&oauth_consumer_key%3D{consuner_key}%26oauth_nonce%3D23913555268131873461648822314%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1648822314%26oauth_token%3DdkDlygAAAAABa6NrAAABf-V328s%26oauth_verifier%3D{verifier_value}%26oauth_version%3D1.0
DEBUG Signature: 6Lpfmoe6tKAvi5x3cYg/3Jl7rzU=
DEBUG Encoding URI, headers and body to utf-8.
DEBUG Updated url: https://api.twitter.com/oauth/access_token?oauth_verifier={verifier_value}
DEBUG Updated headers: {b'User-Agent': b'python-requests/2.27.1', b'Accept-Encoding': b'gzip, deflate', b'Accept': b'*/*', b'Connection': b'keep-alive', b'Content-Length': b'0', b'Authorization': b'OAuth oauth_nonce="23913555268131873461648822314", oauth_timestamp="1648822314", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="{consuner_key}", oauth_token="{oauth_token}"'}
DEBUG Updated body: None
DEBUG Starting new HTTPS connection (1): api.twitter.com:443
DEBUG https://api.twitter.com:443 "POST /oauth/access_token?oauth_verifier={verifier_value} HTTP/1.1" 200 172
DEBUG Signing request <PreparedRequest [GET]> using client <Client client_key={consuner_key}, client_secret=****, resource_owner_key=1508849183922569220-ptdyhtd6a5IEAeSWvM9iSZEYGKMzaf, resource_owner_secret=****, signature_method=HMAC-SHA1, signature_type=AUTH_HEADER, callback_uri=None, rsa_key=None, verifier=None, realm=None, encoding=utf-8, decoding=utf-8, nonce=None, timestamp=None>
DEBUG Including body in call to sign: False
DEBUG Collected params: [('oauth_nonce', '69076491240381283361648822315'), ('oauth_timestamp', '1648822315'), ('oauth_version', '1.0'), ('oauth_signature_method', 'HMAC-SHA1'), ('oauth_consumer_key', '{consuner_key}'), ('oauth_token', '1508849183922569220-ptdyhtd6a5IEAeSWvM9iSZEYGKMzaf')]
DEBUG Normalized params: oauth_consumer_key={consuner_key}&oauth_nonce=69076491240381283361648822315&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1648822315&oauth_token=1508849183922569220-ptdyhtd6a5IEAeSWvM9iSZEYGKMzaf&oauth_version=1.0
DEBUG Normalized URI: https://api.twitter.com/1.1/account/verify_credentials.json
DEBUG Signing: signature base string: GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Faccount%2Fverify_credentials.json&oauth_consumer_key%3D{consuner_key}%26oauth_nonce%3D69076491240381283361648822315%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1648822315%26oauth_token%3D1508849183922569220-ptdyhtd6a5IEAeSWvM9iSZEYGKMzaf%26oauth_version%3D1.0
DEBUG Signature: fwWKf2KRDy3wGjJo1X6U8NHJveU=
DEBUG Encoding URI, headers and body to utf-8.
DEBUG Updated url: https://api.twitter.com/1.1/account/verify_credentials.json
DEBUG Updated headers: {b'User-Agent': b'python-requests/2.27.1', b'Accept-Encoding': b'gzip, deflate', b'Accept': b'*/*', b'Connection': b'keep-alive', b'Authorization': b'OAuth oauth_nonce="69076491240381283361648822315", oauth_timestamp="1648822315", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="{consuner_key}", oauth_token="{token}", oauth_signature="{
{signature}"'}
DEBUG Updated body: None
DEBUG Starting new HTTPS connection (1): api.twitter.com:443
DEBUG https://api.twitter.com:443 "GET /1.1/account/verify_credentials.json HTTP/1.1" 403 270
[01/Apr/2022 14:11:58] "GET /accounts/twitter/login/callback/?oauth_token={token}&oauth_verifier={verifier_value} HTTP/1.1" 200 93
DEBUG Updated body: None
DEBUG Starting new HTTPS connection (1): api.twitter.com:443
DEBUG https://api.twitter.com:443 "GET /1.1/account/verify_credentials.json HTTP/1.1" 403 270
My app has the following privilege rights in the developer portal:
- OAuth1 Endpoints
- OAuth2 Endpoints
- User Email
- Read Tweets and Profiles
Any ideas why this could be happening? Thanks in advance!
Answers:
The reason this is happening is that your developer account doesn’t have access to the v1.1 API. To do so you need to apply for the ‘Elevated’ API access level as described here: https://developer.twitter.com/en/docs/twitter-api/getting-started/about-twitter-api
I was getting the exact same error as you, and then tried it again on an older dev account I have that is grandfathered in to Elevated, and everything started working for me. (Any dev account created before Nov 2021 automatically has Elevated access.)
Update: Elevated access was approved for my account in about ten hours, so seems straightforward to get.
i am still having a different problem after going through the process of creating the headers and hashing.
i used this library that streamlines the OAuth1 and i believe the OAuth2 process, with the consumer key and secret and no need of nonce or timestamps.
they also go through some twitter API examples that helped me for another API.
posting in case this helps someone else.
I’m trying to setup the Django AllAuth Twitter login. When the user authenticates with Twitter and is redirected to my website, Django AllAuth raises the Error "No access to private resources at api.twitter.com" and I’m pretty lost here. I have the following settings in my settings.py:
SOCIALACCOUNT_PROVIDERS = {
"twitter": {
# From https://developer.twitter.com
"APP": {
"client_id": os.environ["TWITTER_API_KEY"],
"secret": os.environ["TWITTER_API_SECRET"],
}
},
}
Stack Trace:
DEBUG Signing request <PreparedRequest [POST]> using client <Client client_key={consuner_key}, client_secret=****, resource_owner_key=None, resource_owner_secret=None, signature_method=HMAC-SHA1, signature_type=AUTH_HEADER, callback_uri=None, rsa_key=None, verifier=None, realm=None, encoding=utf-8, decoding=utf-8, nonce=None, timestamp=None>
DEBUG Including body in call to sign: False
DEBUG Collected params: [('oauth_callback', 'http://127.0.0.1:8000/accounts/twitter/login/callback/'), ('oauth_nonce', '107239631555922908281648822311'), ('oauth_timestamp', '1648822311'), ('oauth_version', '1.0'), ('oauth_signature_method', 'HMAC-SHA1'), ('oauth_consumer_key', '{consuner_key}')]
DEBUG Normalized params: oauth_callback=http%3A%2F%2F127.0.0.1%3A8000%2Faccounts%2Ftwitter%2Flogin%2Fcallback%2F&oauth_consumer_key={consuner_key}&oauth_nonce=107239631555922908281648822311&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1648822311&oauth_version=1.0
DEBUG Normalized URI: https://api.twitter.com/oauth/request_token
DEBUG Signing: signature base string: POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252F127.0.0.1%253A8000%252Faccounts%252Ftwitter%252Flogin%252Fcallback%252F%26oauth_consumer_key%3D{consuner_key}%26oauth_nonce%3D107239631555922908281648822311%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1648822311%26oauth_version%3D1.0
DEBUG Signature: {signature}
DEBUG Encoding URI, headers and body to utf-8.
DEBUG Updated url: https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2F127.0.0.1%3A8000%2Faccounts%2Ftwitter%2Flogin%2Fcallback%2F
DEBUG Updated headers: {b'User-Agent': b'python-requests/2.27.1', b'Accept-Encoding': b'gzip, deflate', b'Accept': b'*/*', b'Connection': b'keep-alive', b'Content-Length': b'0', b'Authorization': b'OAuth oauth_nonce="107239631555922908281648822311", oauth_timestamp="1648822311", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="{consuner_key}", oauth_signature="{oauth_signature}"'}
DEBUG Updated body: None
DEBUG Starting new HTTPS connection (1): api.twitter.com:443
DEBUG https://api.twitter.com:443 "POST /oauth/request_token?oauth_callback=http%3A%2F%2F127.0.0.1%3A8000%2Faccounts%2Ftwitter%2Flogin%2Fcallback%2F HTTP/1.1" 200 129
[01/Apr/2022 14:11:52] "GET /accounts/twitter/login/ HTTP/1.1" 302 0
DEBUG Signing request <PreparedRequest [POST]> using client <Client client_key={consuner_key}, client_secret=****, resource_owner_key=dkDlygAAAAABa6NrAAABf-V328s, resource_owner_secret=****, signature_method=HMAC-SHA1, signature_type=AUTH_HEADER, callback_uri=None, rsa_key=None, verifier=None, realm=None, encoding=utf-8, decoding=utf-8, nonce=None, timestamp=None>
DEBUG Including body in call to sign: False
DEBUG Collected params: [('oauth_verifier', '{verifier_value}'), ('oauth_nonce', '23913555268131873461648822314'), ('oauth_timestamp', '1648822314'), ('oauth_version', '1.0'), ('oauth_signature_method', 'HMAC-SHA1'), ('oauth_consumer_key', '{consuner_key}'), ('oauth_token', 'dkDlygAAAAABa6NrAAABf-V328s')]
DEBUG Normalized params: oauth_consumer_key={consuner_key}&oauth_nonce=23913555268131873461648822314&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1648822314&oauth_token={oauth_token}&oauth_verifier={verifier_value}&oauth_version=1.0
DEBUG Normalized URI: https://api.twitter.com/oauth/access_token
DEBUG Signing: signature base string: POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Faccess_token&oauth_consumer_key%3D{consuner_key}%26oauth_nonce%3D23913555268131873461648822314%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1648822314%26oauth_token%3DdkDlygAAAAABa6NrAAABf-V328s%26oauth_verifier%3D{verifier_value}%26oauth_version%3D1.0
DEBUG Signature: 6Lpfmoe6tKAvi5x3cYg/3Jl7rzU=
DEBUG Encoding URI, headers and body to utf-8.
DEBUG Updated url: https://api.twitter.com/oauth/access_token?oauth_verifier={verifier_value}
DEBUG Updated headers: {b'User-Agent': b'python-requests/2.27.1', b'Accept-Encoding': b'gzip, deflate', b'Accept': b'*/*', b'Connection': b'keep-alive', b'Content-Length': b'0', b'Authorization': b'OAuth oauth_nonce="23913555268131873461648822314", oauth_timestamp="1648822314", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="{consuner_key}", oauth_token="{oauth_token}"'}
DEBUG Updated body: None
DEBUG Starting new HTTPS connection (1): api.twitter.com:443
DEBUG https://api.twitter.com:443 "POST /oauth/access_token?oauth_verifier={verifier_value} HTTP/1.1" 200 172
DEBUG Signing request <PreparedRequest [GET]> using client <Client client_key={consuner_key}, client_secret=****, resource_owner_key=1508849183922569220-ptdyhtd6a5IEAeSWvM9iSZEYGKMzaf, resource_owner_secret=****, signature_method=HMAC-SHA1, signature_type=AUTH_HEADER, callback_uri=None, rsa_key=None, verifier=None, realm=None, encoding=utf-8, decoding=utf-8, nonce=None, timestamp=None>
DEBUG Including body in call to sign: False
DEBUG Collected params: [('oauth_nonce', '69076491240381283361648822315'), ('oauth_timestamp', '1648822315'), ('oauth_version', '1.0'), ('oauth_signature_method', 'HMAC-SHA1'), ('oauth_consumer_key', '{consuner_key}'), ('oauth_token', '1508849183922569220-ptdyhtd6a5IEAeSWvM9iSZEYGKMzaf')]
DEBUG Normalized params: oauth_consumer_key={consuner_key}&oauth_nonce=69076491240381283361648822315&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1648822315&oauth_token=1508849183922569220-ptdyhtd6a5IEAeSWvM9iSZEYGKMzaf&oauth_version=1.0
DEBUG Normalized URI: https://api.twitter.com/1.1/account/verify_credentials.json
DEBUG Signing: signature base string: GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Faccount%2Fverify_credentials.json&oauth_consumer_key%3D{consuner_key}%26oauth_nonce%3D69076491240381283361648822315%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1648822315%26oauth_token%3D1508849183922569220-ptdyhtd6a5IEAeSWvM9iSZEYGKMzaf%26oauth_version%3D1.0
DEBUG Signature: fwWKf2KRDy3wGjJo1X6U8NHJveU=
DEBUG Encoding URI, headers and body to utf-8.
DEBUG Updated url: https://api.twitter.com/1.1/account/verify_credentials.json
DEBUG Updated headers: {b'User-Agent': b'python-requests/2.27.1', b'Accept-Encoding': b'gzip, deflate', b'Accept': b'*/*', b'Connection': b'keep-alive', b'Authorization': b'OAuth oauth_nonce="69076491240381283361648822315", oauth_timestamp="1648822315", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="{consuner_key}", oauth_token="{token}", oauth_signature="{
{signature}"'}
DEBUG Updated body: None
DEBUG Starting new HTTPS connection (1): api.twitter.com:443
DEBUG https://api.twitter.com:443 "GET /1.1/account/verify_credentials.json HTTP/1.1" 403 270
[01/Apr/2022 14:11:58] "GET /accounts/twitter/login/callback/?oauth_token={token}&oauth_verifier={verifier_value} HTTP/1.1" 200 93
DEBUG Updated body: None
DEBUG Starting new HTTPS connection (1): api.twitter.com:443
DEBUG https://api.twitter.com:443 "GET /1.1/account/verify_credentials.json HTTP/1.1" 403 270
My app has the following privilege rights in the developer portal:
- OAuth1 Endpoints
- OAuth2 Endpoints
- User Email
- Read Tweets and Profiles
Any ideas why this could be happening? Thanks in advance!
The reason this is happening is that your developer account doesn’t have access to the v1.1 API. To do so you need to apply for the ‘Elevated’ API access level as described here: https://developer.twitter.com/en/docs/twitter-api/getting-started/about-twitter-api
I was getting the exact same error as you, and then tried it again on an older dev account I have that is grandfathered in to Elevated, and everything started working for me. (Any dev account created before Nov 2021 automatically has Elevated access.)
Update: Elevated access was approved for my account in about ten hours, so seems straightforward to get.
i am still having a different problem after going through the process of creating the headers and hashing.
i used this library that streamlines the OAuth1 and i believe the OAuth2 process, with the consumer key and secret and no need of nonce or timestamps.
they also go through some twitter API examples that helped me for another API.
posting in case this helps someone else.