It seems from my tests that the oauth_verifier check that should be done by the service provider during step E of http://oauth.net/core/diagram.png is not being done by api.twitter.com; this happens whether the oauth_callback is oob or a regular callback URL.
The test is simple: just don’t send the oauth_verifier parameter as part of step F for acquiring an access token.
This issue should be easy to reproduce, but if necessary I can post my test code.
The oauth_verifier was part of the solution to the session fixation threat, and was only introduced in the OAuth 1.0a specification. Because of this, Twitter may still not be forcing application developers to use it, to avoid breaking backwards compatibility.
Is this correct? Or am I misinterpreting the OAuth specification?
Is the Twitter team aware of this?
When will the Twitter API start to force the use of the oauth_verifier?
Thanks in advance.
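For reference, the provider-side check the post describes as missing, written as an added example (it is not the poster's test code and not Twitter's implementation): a minimal step F handler with an assumed in-memory request-token store that refuses to issue an access token unless the 1.0a oauth_verifier is present and matches the one minted at authorization. It goes slightly beyond the post by also expiring request tokens and making them single-use, which closes the same session-fixation window.

```python
import hmac
import secrets
import time

# Constructed in-memory store of issued request tokens: token -> record.
# A real provider would persist this; a dict keeps the example self-contained.
REQUEST_TOKENS = {}

def issue_request_token(consumer_key, callback):
    """Steps A/B: issue a temporary request token to a consumer."""
    token = secrets.token_urlsafe(16)
    REQUEST_TOKENS[token] = {
        "consumer_key": consumer_key,
        "secret": secrets.token_urlsafe(16),
        "callback": callback,          # "oob" or a callback URL
        "verifier": None,              # set only once the user authorizes
        "issued_at": time.time(),
    }
    return token

def authorize_request_token(token):
    """Steps D/E: user approved; mint the verifier handed back via callback or shown out-of-band."""
    rec = REQUEST_TOKENS[token]
    rec["verifier"] = secrets.token_urlsafe(16)
    return rec["verifier"]

def exchange_access_token(params, consumer_key, max_age=600):
    """Step F: grant an access token only if the 1.0a verifier check passes.

    Every failure raises ValueError so a missing verifier cannot fall through.
    """
    token = params.get("oauth_token")
    rec = REQUEST_TOKENS.get(token)
    if rec is None or rec["consumer_key"] != consumer_key:
        raise ValueError("unknown request token for this consumer")
    if time.time() - rec["issued_at"] > max_age:
        REQUEST_TOKENS.pop(token, None)
        raise ValueError("request token expired")
    if rec["verifier"] is None:
        raise ValueError("request token was never authorized by the user")
    supplied = params.get("oauth_verifier")
    # An absent oauth_verifier is exactly the gap the post reports: reject it.
    if not supplied or not hmac.compare_digest(supplied, rec["verifier"]):
        raise ValueError("missing or invalid oauth_verifier")
    # Request tokens are single-use: consume it before issuing the access token.
    REQUEST_TOKENS.pop(token)
    return {"oauth_token": secrets.token_urlsafe(16),
            "oauth_token_secret": secrets.token_urlsafe(16)}
```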