Recently I migrated an instance of Social Opinion to a new subscription as part of the Microsoft for Start-ups program.
There were some configuration changes but nothing out of the ordinary. The main changes were the URL and some database connection strings.
OAuth and out-of-the-box .NET social login providers are used to perform the Twitter login, but after the migration was complete, I found the login was broken and an HTTP status code of 403 (Forbidden) was being returned.
The application API keys and tokens weren’t changed, meaning it couldn’t be those. The production instance was still operational using these keys and tokens, but this new dev instance still wouldn’t work.
When authenticating with the Twitter API and OAuth, you need to specify one or more call-back URLs for Twitter to redirect to. These are set in the development console at developer.twitter.com for your respective Twitter Application.
I checked these and they mirrored the new web app URL instances for the new Azure subscription.
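Added example, not code from the original post: a small check that compares the callback URL an application sends against the list registered in the developer console and reports which URL component differs. It assumes the comparison is an exact string match and that the callback path is `/signin-twitter`; the host names and the function names `explain_mismatch` and `check_callback` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: callback URLs as they would be entered in the
# developer console. Hosts are placeholders; the /signin-twitter path is an
# assumption about the .NET provider's callback path.
REGISTERED = [
    "https://dev.example.net/signin-twitter",
    "https://www.example.net/signin-twitter",
]

def explain_mismatch(sent, registered):
    """List the URL components in which `sent` differs from `registered`."""
    a, b = urlsplit(sent), urlsplit(registered)
    diffs = []
    if a.scheme != b.scheme:
        diffs.append(f"scheme: {a.scheme} != {b.scheme}")
    if a.hostname != b.hostname:
        diffs.append(f"host: {a.hostname} != {b.hostname}")
    if a.port != b.port:
        diffs.append(f"port: {a.port} != {b.port}")
    if a.path != b.path:
        diffs.append(f"path: {a.path!r} != {b.path!r}")
    if a.query != b.query:
        diffs.append(f"query: {a.query!r} != {b.query!r}")
    return diffs

def check_callback(sent, registered_list):
    """Return (True, []) on an exact match, else (False, report lines)."""
    if not registered_list:
        return False, ["no callback URLs registered"]
    # Assumption: the provider compares the callback as an exact string.
    if sent in registered_list:
        return True, []
    # Report against the registered entry with the fewest differing components.
    diffs, closest = min(
        ((explain_mismatch(sent, r), r) for r in registered_list),
        key=lambda pair: len(pair[0]),
    )
    if not diffs:
        diffs = ["differs only in letter case or formatting"]
    return False, [f"closest registered entry: {closest}"] + diffs

if __name__ == "__main__":
    for url in ("https://dev.example.net/signin-twitter",
                "http://dev.example.net/signin-twitter",
                "https://dev.example.net/signin-twitter/"):
        print(url, check_callback(url, REGISTERED))
```
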
None of this was making any sense, so I decided to do a remote debug of the new dev instance from Visual Studio. As I connected to the new App Service in Azure, I hit the authentication code and, sure enough, I received the 403 error, but unfortunately the out-of-the-box social providers didn’t give me detailed error information or explain why this error was being thrown.
Monitoring Requests Using Fiddler
By this point, given the production instance was still ok but this new dev instance was faulty, I fired up Fiddler and monitored the requests and traced the path of a successful login in the production instance.
By doing this, I could see the low-level HTTP calls and that the web application was hitting the following endpoints at the Twitter side:
After successful authentication, the production instance eventually redirects customers to their analytics landing page. This wasn’t happening for the new dev instance.
Azure Application Insights
Application Insights is useful and contained more details. Digging into the failures instance shows a further request is made to oauth/request_token: