The standard says that, when redirecting back to the app, the service provider should append the oauth_token and oauth_verifier parameters to any existing parameters in the callback url (section 6.2.3, http://oauth.net/core/1.0a/#auth_step2):

The callback URL MAY include Consumer provided query parameters. The Service Provider MUST retain them unmodified and append the OAuth parameters to the existing query.

The submit function for the authorize form does not apply consumer provided query parameters as it is now.
http://cgit.drupalcode.org/oauth/tree/oauth_common.pages.inc

Comments

timbrandin’s picture

timbrandin CreditAttribution: timbrandin commented
Status: Active » Closed (duplicate)

#2350645: Correct OAuth 1.0a standard: Add missing callback url tracking.