I have read all of that, as well as all of “Using OAuth 1.0a”. Also, just to be clear I am currently sending the OAuth string as a header.
I assumed that since the method of “account/verify_credentials” was GET, that any non-oauth parameters would be sent via the query-string. Also, it makes sense to me that every parameter sent should be encoded into the OAuth signature so that the server can check for tampering/data loss, but at the same time it seems strange that non-oauth parameters should be included in the authentication request.
That being said, here is what I tried so far.
- Sending the OAuth header alone - this works.
- Sending the OAuth header exactly the same as 1. but adding a query string of “skip-status=true” - this fails.
- Adding “skip-status=true” as a parameter to the OAuth header (thus it is being computed in the OAuth signature) - this fails.
The only thing I can think to do now is to send the skip-status parameter in the query-string, and also include it in the computation of the OAuth signature. I’d rather know if this would work before I try it though, as it will require that I rewrite/add some additional code.