I find that when doing a request_token I cannot specify the callback. If I specify the callback the request fails; if I don’t specify the callback the request succeeds, but then I get only the fixed callback I put on my application settings page, and that is not good enough to distinguish the user for whom the callback is being done.
Here’s a demonstration using curl. You probably can’t run the curl commands yourself when you read this as the server time will have advanced.
Here is success if I don’t include the callback:
% curl -X POST -H 'Authorization: OAuth oauth_signature="jNRJhIaWtQYTgoYzY1J3Ilc1KO8%3D",oauth_consumer_key="znxxQ62l8aFNkKVEBIksiw",oauth_signature_method="HMAC-SHA1",oauth_version="1.0",oauth_nonce="ad6aec4f4e34d520",oauth_timestamp="1370448022"' https://api.twitter.com/oauth/request_token
oauth_token=GMjKRr3av18pXGxxBz6pENWxvcjWDlzmVY936PRUA&oauth_token_secret=jvgJZ7MUspttKjcTsfjoKpTv5pMJPMIEs2S0r6wCI&oauth_callback_confirmed=true
Here is failure if I include the callback:
% curl -X POST -H 'Authorization: OAuth oauth_signature="%2FUV5nCCgrRweEaHcULsH6Q%3D%3D",oauth_consumer_key="znxxQ62l8aFNkKVEBIksiw",oauth_signature_method="HMAC-SHA1",oauth_version="1.0",oauth_nonce="d9caf0de1e346c9f",oauth_timestamp="1370448022",oauth_callback="http%3A%2F%2Fwww.franz.com%2Foauth-response"' https://api.twitter.com/oauth/request_token
Failed to validate oauth signature and token
I’ve further found that I can include a single word as callback, e.g. “foo” but then the callback is done to a twitter.com address with “foo” appended.
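As an added illustration (not the poster's code, and not Twitter's library), here is how an OAuth 1.0a request_token signature is built when oauth_callback is included: the callback must be percent-encoded, sorted into the signature base string with the other oauth_* parameters, and then encoded a second time when it appears in the Authorization header. The consumer key, nonce, timestamp and callback are taken from the post above; the consumer secret is a placeholder, so the resulting signature is only structurally comparable to the one in the post.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"


def pct(value: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(url) & enc(sorted, '&'-joined, individually encoded params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer_secret)&enc(token_secret); token secret is empty for request_token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()  # 20-byte HMAC-SHA1 -> 28 base64 chars


def request_token_header(consumer_key, consumer_secret, callback, nonce, timestamp):
    """Return (Authorization header value, signature base string) for request_token."""
    params = {
        "oauth_callback": callback,  # must be among the signed params AND in the header
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    base = signature_base_string("POST", REQUEST_TOKEN_URL, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    # Header values are percent-encoded once more and double-quoted.
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return header, base


if __name__ == "__main__":
    # Constructed input: key, nonce, timestamp and callback from the post; secret is a placeholder.
    hdr, base = request_token_header(
        "znxxQ62l8aFNkKVEBIksiw", "CONSUMER_SECRET_PLACEHOLDER",
        "http://www.franz.com/oauth-response", "d9caf0de1e346c9f", 1370448022)
    print(base)
    print(hdr)
```

Comparing the base string this prints against what the client actually signed is the quickest way to locate a "Failed to validate oauth signature" error; a correct HMAC-SHA1 signature is always 28 base64 characters ending in a single "=".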