request_token with redirect_url containing hashkey and query parameters

rest
auth

#1

Hello,

During the authentication flow process, Twitter appends the consumer credentials before the routing url hashkey.

Here is the oauth_callback authorization header for the request_token endpoint:

http%3A%2F%2Flocalhost%3A2398%2F%23%2Fpage%2FreturnTwitterUrl%3Fauthorization_id%3D8d486fd8-763e-4b36-a37c-de56d2de165d

(OR: http://localhost:2398/#/page/returnTwitterUrl?authorization_id?8d486fd8-763e-4b36-a37c-de56d2de165d).

But after the user enters his credentials on Twitter, instead of being redirected to:

http://localhost:2398/#/page/returnTwitterUrl?authorization_id?8d486fd8-763e-4b36-a37c-de56d2de165d&oauth_token=IEnqqQAAAAAAS__vAAABU8MybCw&oauth_verifier=iPLlCT0EQu0UmkNZ1lD8iSNgrHs7yruS

The user is redirected to:

http://localhost:2398/?oauth_token=IEnqqQAAAAAAS__vAAABU8MybCw&oauth_verifier=iPLlCT0EQu0UmkNZ1lD8iSNgrHs7yruS#/page/returnTwitterUrl?authorization_id=09c88d2c-8d33-4726-a08f-54cc31e4858d

As you can see the oauth_token and oauth_verifier are located before the hash.

I personally think it is an expected behaviour but I have a user who raised this as a bug. Would you please let me know if this has been done on purpose, whether this is a bug, and if it is, is it going to change?

Thank you for your help.
Linvi


#2

The OAuth 1 RFC specifies that oauth_token and oauth_verifier get appended to the URI query component, not the URI fragment.

The server constructs the request URI by adding the
following REQUIRED parameters to the callback URI query component
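To make the RFC 5849 behaviour concrete, here is an added example (not code from the thread or from Twitter) showing the server side appending oauth_token and oauth_verifier to the query component of the callback URI while leaving the fragment untouched, and the client-side parsing a hash-routed application needs to recover both the OAuth parameters and its own route. The function names are my own; the callback URL, token and verifier values are the ones posted above, and the no-token case is constructed.

```javascript
// Added example (not from the original thread): the RFC 5849 section 2.3
// behaviour discussed above. The server appends oauth_token and
// oauth_verifier to the *query* component of the callback URI and leaves the
// fragment alone; a hash-routed client then reads the OAuth parameters from
// the query and its own route from the fragment. Function names are
// assumptions; URL and token values are taken from the thread.

// Server side: what the authorization server does when redirecting back.
function buildCallbackRedirect(callbackUri, oauthToken, oauthVerifier) {
  const url = new URL(callbackUri);
  // searchParams operates on the query component only; url.hash is untouched.
  url.searchParams.set('oauth_token', oauthToken);
  url.searchParams.set('oauth_verifier', oauthVerifier);
  return url.toString();
}

// Client side: split the landing URL into the OAuth parameters (query) and
// the application route plus its own parameters (fragment).
function parseCallbackLanding(landingUrl) {
  const url = new URL(landingUrl);
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  const q = fragment.indexOf('?');
  const route = q === -1 ? fragment : fragment.slice(0, q);
  const fragmentParams = new URLSearchParams(q === -1 ? '' : fragment.slice(q + 1));
  return {
    oauthToken: url.searchParams.get('oauth_token'),       // null if absent
    oauthVerifier: url.searchParams.get('oauth_verifier'), // null if absent
    route,
    authorizationId: fragmentParams.get('authorization_id'),
  };
}

// Client-side consistency check: the token echoed back must be the request
// token this client obtained for the current authorization attempt, and a
// verifier must be present, before the client exchanges it for an access token.
function isCallbackConsistent(parsed, expectedRequestToken) {
  return parsed.oauthToken !== null &&
         parsed.oauthVerifier !== null &&
         parsed.oauthToken === expectedRequestToken;
}

// Values from the thread above.
const CALLBACK = 'http://localhost:2398/#/page/returnTwitterUrl?authorization_id=8d486fd8-763e-4b36-a37c-de56d2de165d';
const REQUEST_TOKEN = 'IEnqqQAAAAAAS__vAAABU8MybCw';
const VERIFIER = 'iPLlCT0EQu0UmkNZ1lD8iSNgrHs7yruS';

const landing = buildCallbackRedirect(CALLBACK, REQUEST_TOKEN, VERIFIER);
console.log(landing);
const parsed = parseCallbackLanding(landing);
console.log(parsed, isCallbackConsistent(parsed, REQUEST_TOKEN));
```

Because the parameters land in the query rather than the fragment, they are sent to the server at localhost:2398 with the request, so a server-rendered callback handler can read them directly; a purely client-side hash router must read them from the query (location.search) rather than from the route string it sees in the fragment.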


#3

I did not know about this specification, thank you for pointing it out.

I will inform the user about it :slight_smile:

Have a great day.