Hi Twitter API Team!
Recently I've started getting reports that I've tracked down to a change that started breaking the escaping of oauth_callback values used during Twitter OAuth (I don't have a specific timeframe, but the earliest reports of this issue I have are from March 11th).

Previously, when authorizing with Twitter using the web flow, the oauth_callback could successfully include properly escaped & values. After authorization it's expected for the browser to be redirected using the original oauth_callback; however, some values in the oauth_callback are incorrectly unescaped. For example, an oauth_callback that contains url parameters that have properly escaped values, such as a callback url with a url parameter that has %3F%26 in it.
The fully constructed authorization request looks like this:

After authorization, Twitter should redirect the browser to the original callback_url, but instead it's redirected to the following url, which is not equivalent to the original (note that parameter parsing will be broken because of the excessive unescaping). Twitter should not apply multiple levels of unescaping to reserved url characters ('?', '&', '=', '/', '%', etc.).
Is anyone else seeing this issue?
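The double-unescaping described in the post above, as an added example that is not part of the original post or of Twitter's code: a Python script that builds a callback URL carrying an encoded nested URL (reserved characters ? & = / escaped once), wraps that callback as the oauth_callback parameter of an authorization request (so every % is escaped again as %25), and then compares what the provider gets back from a single decode versus a double decode of that value. The provider endpoint, the app host, the "next" parameter and the token value are constructed assumptions; only the oauth_callback parameter name comes from the post.

```python
"""Added example: how one extra level of URL-unescaping corrupts an
oauth_callback that carries its own percent-encoded query parameters.

The endpoint, callback host and parameter values below are constructed
for illustration; they are assumptions, not Twitter's real URLs.
"""
from urllib.parse import urlencode, urlsplit, parse_qs, unquote_plus

# Hypothetical provider authorization endpoint (assumption, not a real URL).
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"

# Constructed client callback: the app wants a "next" parameter whose value
# is itself a path with a query string, i.e. it contains ? & = and /.
CALLBACK_BASE = "https://app.example/cb"
CALLBACK_PARAMS = {"next": "/page?a=1&b=2"}


def build_callback(base: str, params: dict) -> str:
    """First level of escaping: reserved characters inside parameter values
    become %2F %3F %3D %26 so they are not mistaken for query delimiters."""
    return base + "?" + urlencode(params)


def build_authorize_url(endpoint: str, oauth_token: str, callback: str) -> str:
    """Second level of escaping: the whole callback becomes the value of the
    oauth_callback parameter, so every '%' in it is encoded again as %25."""
    return endpoint + "?" + urlencode({"oauth_token": oauth_token,
                                       "oauth_callback": callback})


def raw_query_value(url: str, name: str) -> str:
    """Return a query parameter value exactly as it appears on the wire."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    raise KeyError(name)


def redirect_target_correct(authorize_url: str) -> str:
    """Provider behaviour the post expects: decode oauth_callback exactly once
    (which parse_qs does) and redirect to that string unchanged."""
    return parse_qs(urlsplit(authorize_url).query)["oauth_callback"][0]


def redirect_target_overdecoded(authorize_url: str) -> str:
    """Simulation of the reported bug: the raw value is unescaped twice, so the
    %25-encoded sequences inside the callback collapse to bare ? & = /."""
    raw = raw_query_value(authorize_url, "oauth_callback")
    return unquote_plus(unquote_plus(raw))


def callback_params(redirect_url: str) -> dict:
    """What the client's callback handler sees after the redirect."""
    return {k: v[0] if len(v) == 1 else v
            for k, v in parse_qs(urlsplit(redirect_url).query).items()}


def demo() -> dict:
    """Run both provider behaviours over the constructed callback."""
    callback = build_callback(CALLBACK_BASE, CALLBACK_PARAMS)
    authorize_url = build_authorize_url(AUTHORIZE_ENDPOINT, "tok123", callback)
    good = redirect_target_correct(authorize_url)
    bad = redirect_target_overdecoded(authorize_url)
    return {
        "callback": callback,
        "authorize_url": authorize_url,
        "good_redirect": good,
        "good_params": callback_params(good),   # {"next": "/page?a=1&b=2"}
        "bad_redirect": bad,
        "bad_params": callback_params(bad),     # {"next": "/page?a=1", "b": "2"}
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The single-decode path returns the callback byte-for-byte and the client's parser recovers next=/page?a=1&b=2. The double-decode path turns the %26 inside the value into a literal &, so the client's parser splits the value in two and a stray b=2 parameter appears, which is the parsing breakage the post describes. The rule for the provider side is the one the post states: a query parameter value is unescaped exactly once, and whatever percent-encoding remains belongs to the client.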