When the callback from the authorize step returns to the callback URL (e.g. the client app), currently it only returns the oauth_token. As per http://tools.ietf.org/html/rfc5849#section-2.2 this callback also requires oauth_verifier. (I recently ran into a case where a client was expecting to see this, since the spec requires it, and failed to call back, so authentication could not happen.)

Comments

christianchristensen

Here is an initial patch to basically return a nonce for the oauth_verifier parameter; ideally this needs more work though to ensure the validity of the verifier when calling back for an access token. I am thinking this could be stored with an expires and maybe in the nonce table...
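As an added illustration of the verifier lifecycle sketched in the comment above (this is example code, not the module's patch), the provider issues a random oauth_verifier with the request token, appends it to the callback URL alongside oauth_token, and redeems it exactly once, bound to that token and before it expires. The in-memory store, the five-minute TTL and the injectable clock are assumptions for the example:

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

VERIFIER_TTL_SECONDS = 300  # assumed lifetime; RFC 5849 does not fix one


class VerifierStore:
    """Verifier bookkeeping keyed by request token (hypothetical in-memory
    store; a real server would persist this, e.g. next to the nonce table)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing
        self._entries = {}              # oauth_token -> (verifier, expires_at)

    def issue(self, oauth_token):
        """Create an unguessable verifier bound to this request token."""
        verifier = secrets.token_urlsafe(24)
        self._entries[oauth_token] = (verifier, self._now() + VERIFIER_TTL_SECONDS)
        return verifier

    def build_callback_url(self, callback_url, oauth_token):
        """Redirect target per RFC 5849 s2.2: both oauth_token and
        oauth_verifier must be present in the callback."""
        verifier = self.issue(oauth_token)
        query = urlencode({"oauth_token": oauth_token, "oauth_verifier": verifier})
        separator = "&" if "?" in callback_url else "?"
        return f"{callback_url}{separator}{query}"

    def redeem(self, oauth_token, presented_verifier):
        """Check the verifier at the access-token step. The entry is removed
        on the first attempt, so a wrong guess also burns it (single use)."""
        entry = self._entries.pop(oauth_token, None)
        if entry is None:
            return False
        verifier, expires_at = entry
        if self._now() > expires_at:
            return False
        # constant-time comparison; no early exit on mismatch
        return hmac.compare_digest(verifier, presented_verifier)
```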

marksward

Version: 6.x-3.0-beta4 » 7.x-3.x-dev

This also affects the 7.x-3.x version