callback uri getting double encoded? #22

Closed
alanhartless opened this issue Sep 27, 2014 · 2 comments

@alanhartless

I'm not sure which library is at fault as I'm not sure what the specification is :-)

I'm trying to use the PHP version as a client and https://github.com/willdurand/BazingaOAuthServerBundle as the server. The problem I'm running into is the server is rejecting the client's call to request token because of an invalid signature. What I found is that this library is double encoding oauth_callback when included as a parameter.

So what the server expects as http%3A%2F%2F, it is receiving http%253A%252F%252F

In the PHP version, it is encoding the parameters in _normalizedParameters(), then again when generating the sbs in _generateSignature(). The server creates the normalizedParameters without encoding, then encodes the entire base string so that parameters are not double encoded.

Which is in the wrong? :-)

Thanks!
Alan

@alanhartless
Author

Just as an FYI, I fixed it to be compatible with the server by removing the _oauthEscape calls in _normalizedParameters() so that it's only encoded once via _generateSignature().

@jrconlin
Owner

Huh, weird. I'm surprised that more end points haven't complained about that. It could well be that there are more than a few broken OAuth server libs out there, too.

Parameters should be normalized just once, so there's definitely a bug, thanks! If you want to submit a PR, go ahead, or I'll just update the various versions.

jrconlin added a commit that referenced this issue Sep 30, 2014
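
The mismatch discussed in this thread, reproduced as an added example (not code from the library, the server bundle, or either participant): it builds the OAuth 1.0 signature base string with and without per-parameter encoding and signs both with HMAC-SHA1. The function names, keys, URLs and parameter values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode all but the RFC 3986 unreserved characters."""
    return quote(value, safe="-._~")


def normalize(params, encode_pairs):
    # encode_pairs=True encodes each name and value before sorting, as the
    # client's _normalizedParameters() does (RFC 5849 section 3.4.1.3.2 also
    # specifies this). encode_pairs=False joins raw values, as the server
    # described in the issue does.
    items = params.items()
    if encode_pairs:
        items = [(pct(k), pct(v)) for k, v in items]
    return "&".join(f"{k}={v}" for k, v in sorted(items))


def base_string(method, url, params, encode_pairs):
    """METHOD & encoded URL & encoded normalized parameters."""
    normalized = normalize(params, encode_pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with the two encoded secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Constructed request-token parameters (not taken from the issue).
PARAMS = {
    "oauth_callback": "http://client.example/cb",
    "oauth_consumer_key": "demo-key",
    "oauth_nonce": "n0nc3",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1411800000",
    "oauth_version": "1.0",
}
URL = "https://server.example/oauth/request_token"

client_base = base_string("POST", URL, PARAMS, encode_pairs=True)
server_base = base_string("POST", URL, PARAMS, encode_pairs=False)
```

Because the two sides sign different byte strings, the signatures never match, which is why the server reports an invalid signature even though the shared secret is correct.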