In the OAuth signature basestring, the oauth_callback value looks like this:
“POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Fin2touchsa.spawtz.com%252FSpawtzApp%252FConfigSettings%252FTwitterCallback.aspx%253FAssociationLevelId%253D4%2526AssociatedItemId%253D47%26oauth_consumer_key%3DaLEw8cAs35ucJcdJSJMRw%26oauth_nonce%3D37ab56cc-2eb9-4e85-a20c-acf51edfc774%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1380725820%26oauth_version%3D1.0”
I’ve added spaces between the values in the authorization header now, so it now looks like:
“OAuth realm=“Twitter API”, oauth_callback=“http%3A%2F%2Fin2touchsa.spawtz.com%2FSpawtzApp%2FConfigSettings%2FTwitterCallback.aspx%3FAssociationLevelId%3D4%26AssociatedItemId%3D47”, oauth_consumer_key=“REDACTED”, oauth_nonce=“b3296e09-b5a7-4774-80a9-a62041e7cc5e”, oauth_signature_method=“HMAC-SHA1”, oauth_timestamp=“1380726231”, oauth_version=“1.0”, oauth_signature=“REDACTED””
That didn’t make any difference.
When you ask if I’m sending oauth_callback as a query parameter as well as part of the auth header, do you mean in the URL that I am posting to on Twitter? If so, then no, I’m posting to “https://api.twitter.com/oauth/request_token”, with no querystring parameters.
What’s so weird though is that if I do it with almost any other value as the subdomain value in the callback url it works fine. And it had been working fine for years now, only stopped working on the 21st of September (or rather, that’s the most recent time someone from that organisation has tried to authorise a twitter account on their site). Strange.
