Why can't I specify a callback for request_token?


#1

I find that when doing a request_token I cannot specify the callback. If I specify the callback, the request fails; if I don’t specify the callback, the request succeeds, but then I get only the fixed callback I put on my application settings page, and that is not good enough to distinguish the user for whom the callback is being done.

Here’s a demonstration using curl. You probably can’t run the curl commands yourself when you read this as the server time will have advanced.

Here is success if I don’t include the callback:

% curl -X POST -H 'Authorization: OAuth oauth_signature="jNRJhIaWtQYTgoYzY1J3Ilc1KO8%3D",oauth_consumer_key="znxxQ62l8aFNkKVEBIksiw",oauth_signature_method="HMAC-SHA1",oauth_version="1.0",oauth_nonce="ad6aec4f4e34d520",oauth_timestamp="1370448022"' https://api.twitter.com/oauth/request_token

oauth_token=GMjKRr3av18pXGxxBz6pENWxvcjWDlzmVY936PRUA&oauth_token_secret=jvgJZ7MUspttKjcTsfjoKpTv5pMJPMIEs2S0r6wCI&oauth_callback_confirmed=true

Here is failure if I include the callback:

% curl -X POST -H 'Authorization: OAuth oauth_signature="%2FUV5nCCgrRweEaHcULsH6Q%3D%3D",oauth_consumer_key="znxxQ62l8aFNkKVEBIksiw",oauth_signature_method="HMAC-SHA1",oauth_version="1.0",oauth_nonce="d9caf0de1e346c9f",oauth_timestamp="1370448022",oauth_callback="http%3A%2F%2Fwww.franz.com%2Foauth-response"' https://api.twitter.com/oauth/request_token

Failed to validate oauth signature and token

I’ve further found that I can include a single word as callback, e.g. “foo”, but then the callback is done to a twitter.com address with “foo” appended.


#2

It looks like the forum software truncated long lines that it couldn’t split… So here are the commands and responses again, this time I’ve broken the lines to make them easier to read:

% curl -X POST -H 'Authorization: OAuth oauth_signature="jNRJhIaWtQYTgoYzY1J3Ilc1KO8%3D",
oauth_consumer_key="znxxQ62l8aFNkKVEBIksiw",
oauth_signature_method="HMAC-SHA1",
oauth_version="1.0",
oauth_nonce="ad6aec4f4e34d520",
oauth_timestamp="1370448022"'
https://api.twitter.com/oauth/request_token

oauth_token=GMjKRr3av18pXGxxBz6pENWxvcjWDlzmVY936PRUA&
oauth_token_secret=jvgJZ7MUspttKjcTsfjoKpTv5pMJPMIEs2S0r6wCI&
oauth_callback_confirmed=true

% curl -X POST -H 'Authorization: OAuth oauth_signature="%2FUV5nCCgrRweEaHcULsH6Q%3D%3D",
oauth_consumer_key="znxxQ62l8aFNkKVEBIksiw",
oauth_signature_method="HMAC-SHA1",
oauth_version="1.0",
oauth_nonce="d9caf0de1e346c9f",
oauth_timestamp="1370448022",
oauth_callback="http%3A%2F%2Fwww.franz.com%2Foauth-response"'
https://api.twitter.com/oauth/request_token

Failed to validate oauth signature and token


#3

I withdraw this question. The problem was that I was double encoding the callback URL, thus the signature was wrong.
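
The double-encoding failure described in #3, as an added example that is not part of the original thread: an OAuth 1.0 HMAC-SHA1 signature (RFC 5849) over a request that carries oauth_callback, signed once from the decoded URL and once from an already-encoded URL. The consumer secret is constructed, the helper names are hypothetical, and server_accepts is a simplified model of verification, not Twitter's code.

```python
import base64, hashlib, hmac
from urllib.parse import quote, unquote

URL = "https://api.twitter.com/oauth/request_token"
CONSUMER_SECRET = "constructed-consumer-secret"  # constructed; not a real secret
RAW_CALLBACK = "http://www.franz.com/oauth-response"  # decoded form of the post's callback

def pct(s):
    # RFC 5849 section 3.6: everything except unreserved characters is escaped
    return quote(s, safe="-._~")

def request_params(callback):
    # Consumer key, nonce and timestamp are the ones shown in the post
    return {
        "oauth_consumer_key": "znxxQ62l8aFNkKVEBIksiw",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
        "oauth_nonce": "d9caf0de1e346c9f",
        "oauth_timestamp": "1370448022",
        "oauth_callback": callback,
    }

def base_string(params):
    # Encode each name and value once, sort, join, then encode the joined string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join(["POST", pct(URL), pct(normalized)])

def sign(params):
    # request_token has no token secret yet, so the key ends with a bare "&"
    key = (pct(CONSUMER_SECRET) + "&").encode()
    mac = hmac.new(key, base_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def server_accepts(header_callback, signature):
    # Model of the verifier: decode the header value once, then re-sign
    expected = sign(request_params(unquote(header_callback)))
    return hmac.compare_digest(expected, signature)

def demo():
    header_value = pct(RAW_CALLBACK)  # what goes inside oauth_callback="..."
    correct = sign(request_params(RAW_CALLBACK))  # signed from the decoded URL
    double = sign(request_params(header_value))   # signed from an already-encoded URL
    return server_accepts(header_value, correct), server_accepts(header_value, double)

if __name__ == "__main__":
    print(demo())
```

In a correct base string the callback legitimately appears as http%253A%252F%252F..., because the whole parameter string is encoded a second time; a value that was already encoded before signing shows up as http%25253A... and the signatures no longer match.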