request_token with redirect_url containing hashkey and query parameters




During the authentication flow process, Twitter appends the consumer credentials before the routing url hashkey.

Here is the oauth_callback authorization header for the request_token endpoint:


(OR: http://localhost:2398/#/page/returnTwitterUrl?authorization_id?8d486fd8-763e-4b36-a37c-de56d2de165d).

But after the user enters his credentials on Twitter, instead of being redirected to:


The user is redirected to:


As you can see the oauth_token and oauth_verifier are located before the hash.

I personally think it is an expected behaviour but I have a user who raised this as a bug. Would you please let me know if this has been done on purpose, whether this is a bug, and if it is, is it going to change?

Thank you for your help.


The OAuth 1 RFC specifies that oauth_token and oauth_verifier get appended to the URI query component, not the URI fragment.

The server constructs the request URI by adding the following REQUIRED parameters to the callback URI query component
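
The behaviour the RFC excerpt describes, as an added example that is not part of the original thread or Twitter's own code: the server side appends `oauth_token` and `oauth_verifier` to the query component of a hash-routed callback, and the client reads them from the query rather than from the fragment. The function names, the sample callback and the token values are constructed for illustration, and the comparison against the issued request token is a check a client would normally add, not something quoted on this page.

```javascript
// Server side (assumed helper name): append the two parameters to the
// callback URI *query component*. The fragment is left untouched, so they
// end up before the '#'.
function buildRedirect(callback, oauthToken, oauthVerifier) {
  const url = new URL(callback);
  url.searchParams.append('oauth_token', oauthToken);
  url.searchParams.append('oauth_verifier', oauthVerifier);
  return url.toString();
}

// Client side (assumed helper name) for a hash-routed single-page app:
// take the OAuth values from the query, and the route (plus any parameters
// the app itself put after the route) from the fragment.
function readCallback(href, expectedToken) {
  const url = new URL(href);
  const token = url.searchParams.get('oauth_token');
  const verifier = url.searchParams.get('oauth_verifier');
  if (!token || !verifier) {
    throw new Error('oauth_token or oauth_verifier missing from query component');
  }
  // Reject a callback that does not belong to the request token this
  // client obtained from request_token.
  if (token !== expectedToken) {
    throw new Error('oauth_token does not match the issued request token');
  }
  const fragment = url.hash.slice(1);            // drop the leading '#'
  const cut = fragment.indexOf('?');
  const route = cut === -1 ? fragment : fragment.slice(0, cut);
  const routeParams = new URLSearchParams(cut === -1 ? '' : fragment.slice(cut + 1));
  return { token, verifier, route, routeParams };
}

// Constructed sample values, modelled on the callback shape in the question.
const sampleCallback =
  'http://localhost:2398/#/page/returnTwitterUrl?authorization_id=sample-id';
const redirected = buildRedirect(sampleCallback, 'sample-request-token', 'sample-verifier');
console.log(redirected);
console.log(readCallback(redirected, 'sample-request-token').route);
```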


I did not know about this specification, thank you for pointing it out.

I will inform the user about it :slight_smile:

Have a great day.