When the callback from the authorize step returns to the callback URL (e.g. the client app), currently it only returns the oauth_token. As per http://tools.ietf.org/html/rfc5849#section-2.2 this callback also requires oauth_verifier. (I recently ran into a case where a client was expecting to see this since the spec requires it and failed to call back, so authentication could not happen.)

Comments

Here is an initial patch to basically return a nonce for the oauth_verifier parameter; ideally this needs more work though to ensure the validity of the verifier when calling back for an access token. I am thinking this could be stored with an expiry and maybe in the nonce table...
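The flow the comment sketches, as an added illustration that is not the module's code or the patch: mint a one-time verifier when the request token is authorized, return it alongside oauth_token in the callback parameters, store it with an expiry, and consume it exactly once at the access-token step. The in-memory store, the `VerifierStore` class and the 300-second TTL are assumptions standing in for the nonce table the comment mentions.

```python
import hmac
import secrets
import time

# Assumption: how long a verifier stays valid after the owner approves.
VERIFIER_TTL = 300


class VerifierStore:
    """Constructed in-memory stand-in for a persisted nonce table."""

    def __init__(self, now=time.time):
        self._now = now
        self._by_token = {}  # oauth_token -> (verifier, expires_at)

    def issue(self, oauth_token):
        """Resource owner approved: bind a fresh random verifier to the
        request token and record when it expires."""
        verifier = secrets.token_urlsafe(24)
        self._by_token[oauth_token] = (verifier, self._now() + VERIFIER_TTL)
        return verifier

    def callback_params(self, oauth_token):
        """Query parameters appended to the client's callback URL; RFC 5849
        section 2.2 requires both oauth_token and oauth_verifier."""
        return {"oauth_token": oauth_token,
                "oauth_verifier": self.issue(oauth_token)}

    def redeem(self, oauth_token, presented):
        """Access-token step: accept only if an unexpired verifier was issued
        for this token and it matches what the client presents. The entry is
        removed on any attempt, so it cannot be replayed or guessed by retry."""
        entry = self._by_token.pop(oauth_token, None)
        if entry is None:
            return False
        verifier, expires_at = entry
        if self._now() > expires_at:
            return False
        # Constant-time comparison so a mismatch does not leak via timing.
        return hmac.compare_digest(verifier.encode(), presented.encode())
```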

Version: 6.x-3.0-beta4 » 7.x-3.x-dev

This also affects the 7.x-3.x version