
I am writing a PHP script to let users use Twitter to sign in to an app using OAuth 1.0a.

I am having an issue with the request_token API.

The oauth_signature parameter requires an HMAC-SHA1 hash run on a signing base which has parameters such as the request_token URL and my callback URL.

The callback URL

https://example.com/callback.php

is percent escaped to

https%3A%2F%2Fexample.com%2Fcallback.php

but the request_token call fails unless I percent escape the URL again

https%253A%252F%252Fexample.com%252Fcallback.php

In order for the request_token API to work I have to escape the '%' to '%25'.

The request_token URL in the same signing base does not have to escape the percents.

https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token

works OK.

Does Twitter require that the callback URL in the signing base string be percent escaped twice?

godzilla

1 Answer


On the Twitter Authentication document page, it shows a parameter string with URL encoding applied once

include_entities=true&oauth_consumer_key=xvz1evFS4wEEPTGEFPHBog&oauth_nonce=kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1318622958&oauth_token=370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb&oauth_version=1.0&status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21

and then shows a signature base string with a parameter percent-encoded twice.

POST&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fupdate.json&include_entities%3Dtrue%26oauth_consumer_key%3Dxvz1evFS4wEEPTGEFPHBog%26oauth_nonce%3DkYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1318622958%26oauth_token%3D370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb%26oauth_version%3D1.0%26status%3DHello%2520Ladies%2520%252B%2520Gentlemen%252C%2520a%2520signed%2520OAuth%2520request%2521

So my callback URL, which is a part of the parameter string, has its '%' changed to '%25'.

godzilla
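The two encoding passes described in the answer, as an added PHP example that is not part of the original question or answer: each key and value is encoded once to form the parameter string, then the whole parameter string is encoded again when it is placed in the signature base string, while the Authorization header carries the callback encoded only once. The consumer key and secret are constructed placeholders, and the function names `enc`, `signature_base_string` and `sign` are hypothetical.

```php
<?php
// Added example. Credentials below are constructed placeholders, not real values.

// RFC 3986 percent-encoding. urlencode() would emit '+' for a space and break the signature.
function enc(string $s): string {
    return rawurlencode($s);
}

// Signature base string: METHOD & enc(URL) & enc(parameter string).
// Simplification: assumes no repeated parameter names.
function signature_base_string(string $method, string $url, array $params): string {
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[enc($k)] = enc($v);          // first pass: every key and value
    }
    ksort($pairs, SORT_STRING);             // sort by encoded key
    $parts = [];
    foreach ($pairs as $k => $v) {
        $parts[] = $k . '=' . $v;
    }
    $parameter_string = implode('&', $parts);
    // second pass: the joined parameter string is encoded as a whole, so '%' becomes '%25'
    return strtoupper($method) . '&' . enc($url) . '&' . enc($parameter_string);
}

// HMAC-SHA1 over the base string; the token secret is empty at the request_token step.
function sign(string $base, string $consumer_secret, string $token_secret = ''): string {
    $key = enc($consumer_secret) . '&' . enc($token_secret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

$params = [
    'oauth_callback'         => 'https://example.com/callback.php',
    'oauth_consumer_key'     => 'CONSUMER_KEY_PLACEHOLDER',
    'oauth_nonce'            => bin2hex(random_bytes(16)),
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_version'          => '1.0',
];
$base = signature_base_string('POST', 'https://api.twitter.com/oauth/request_token', $params);
$params['oauth_signature'] = sign($base, 'CONSUMER_SECRET_PLACEHOLDER');

// The header encodes each value once: oauth_callback="https%3A%2F%2Fexample.com%2Fcallback.php"
$header = [];
foreach ($params as $k => $v) {
    $header[] = enc($k) . '="' . enc($v) . '"';
}
echo $base, "\n", 'Authorization: OAuth ', implode(', ', $header), "\n";
```

In the printed base string the callback appears as `https%253A%252F%252Fexample.com%252Fcallback.php`, while the request URL, which is not part of the parameter string, appears encoded once.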