request_token with redirect_url containing hashkey and query parameters

TweetinviApi · 2016-03-29T17:03:03.174Z

Hello,

During the authentication flow process, Twitter appends the consumer credentials before the routing url hashkey.

Here is the oauth_callback authorization header for the request_token endpoint :

http%3A%2F%2Flocalhost%3A2398%2F%23%2Fpage%2FreturnTwitterUrl%3Fauthorization_id%3D8d486fd8-763e-4b36-a37c-de56d2de165d

(OR: http://localhost:2398/#/page/returnTwitterUrl?authorization_id?8d486fd8-763e-4b36-a37c-de56d2de165d).

But after the user enters his credentials on Twitter. Instead of being redirected to :

http://localhost:2398/#/page/returnTwitterUrl?authorization_id?8d486fd8-763e-4b36-a37c-de56d2de165d&oauth_token=IEnqqQAAAAAAS__vAAABU8MybCw&oauth_verifier=iPLlCT0EQu0UmkNZ1lD8iSNgrHs7yruS

The user is redirected to:

http://localhost:2398/?oauth_token=IEnqqQAAAAAAS__vAAABU8MybCw&oauth_verifier=iPLlCT0EQu0UmkNZ1lD8iSNgrHs7yruS#/page/returnTwitterUrl?authorization_id=09c88d2c-8d33-4726-a08f-54cc31e4858d

As you can see the oauth_token and oauth_verifier are located before the hash.

I personally think it is an expected behaviour but I have a user who raised this as a bug. Would you please let me know if this has been done on purpose, whether this is a bug, and if it is, is it going to change?

Thank you for your help.
Linvi

abraham · 2016-03-29T19:05:54.751Z

The OAuth 1 RFC specifies that oauth_token and oauth_verifier get appended to the URI query component, not the URI fragment.

The server constructs the request URI by adding the
following REQUIRED parameters to the callback URI query component

2.2. Resource Owner Authorization

TweetinviApi · 2016-03-29T19:29:16.301Z

I did not know about this specification, thank you for pointing it out.

I will inform the user about it

Have a great day.