Based on the question I asked here, but I wanted to get feedback from the stackoverflow community on this.
It seems from my tests using the Twitter API with OAuth that the oauth_verifier check that should be done by the service provider (Twitter) in step E of http://oauth.net/core/diagram.png is not being done by api.twitter.com; this happens whether the oauth_callback is oob or a regular callback URL.
To test this on twitter is simple: just don’t send the oauth_verifier parameter as part of step F for acquiring an access token.
This issue should be easy to reproduce, but if necessary I can post my test code.
The oauth_verifier was part of the solution to the session fixation threat, and was only introduced in the OAuth 1.0a specification. Because of this, the Twitter API may still not be forcing application developers to use it, to avoid breaking backwards compatibility.
- Is this correct? Or am I misinterpreting the oauth specification?
- Does this also happen with other APIs that should be compliant with OAuth 1.0a? (LinkedIn, etc.)
PS: This question is somewhat related, but the issue no longer applies because Twitter is returning the oauth_verifier for both types of callbacks (oob and regular callbacks).
I got a reply from the official twitter discussions:
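For anyone reading this later, here is a small added illustration of what the step E/F check the question is talking about looks like on the service-provider side. It is not code from the question, from Twitter, or from any OAuth library: it is a toy in-memory provider with hypothetical function names (issue_request_token, user_authorizes, exchange_for_access_token) whose only purpose is to show the difference between a provider that enforces oauth_verifier (the 1.0a behaviour) and one that accepts the access-token request without it (the lenient behaviour reported above). The constructed "attacker" scenario at the bottom is the session fixation case the verifier was introduced to close: a request token authorized by the victim is exchanged by someone who never received the verifier.

```python
import hmac
import secrets

# Constructed in-memory state for a toy OAuth 1.0a service provider.
# Each entry is a request token issued in step B; the verifier is minted
# in step D after the user authorizes and is only ever sent to the
# consumer's callback (or shown on-screen for oob).
REQUEST_TOKENS = {}


def issue_request_token():
    """Step B: provider hands the consumer an unauthorized request token."""
    token = secrets.token_hex(8)
    REQUEST_TOKENS[token] = {"authorized": False, "verifier": None, "used": False}
    return token


def user_authorizes(token):
    """Step D: the resource owner approves the request token.

    The provider mints oauth_verifier here; the consumer learns it only via
    the callback redirect (or the user typing it in for oob).
    """
    rec = REQUEST_TOKENS[token]
    rec["authorized"] = True
    rec["verifier"] = secrets.token_hex(8)
    return rec["verifier"]


def exchange_for_access_token(token, verifier, enforce_verifier=True):
    """Steps E/F: consumer trades an authorized request token for an access token.

    enforce_verifier=True  models a 1.0a-compliant provider.
    enforce_verifier=False models the lenient behaviour described in the
    question, where a missing oauth_verifier is not rejected.
    Returns (status, access_token_or_None).
    """
    rec = REQUEST_TOKENS.get(token)
    if rec is None or not rec["authorized"] or rec["used"]:
        return ("invalid_token", None)
    if enforce_verifier:
        if verifier is None:
            return ("missing_verifier", None)
        # Constant-time compare so the check leaks nothing about the verifier.
        if not hmac.compare_digest(verifier.encode(), rec["verifier"].encode()):
            return ("bad_verifier", None)
    # A request token may be exchanged at most once; mark it consumed.
    rec["used"] = True
    return ("ok", secrets.token_hex(16))


def fixation_scenario(enforce_verifier):
    """Constructed session fixation walk-through.

    The attacker starts the dance and holds the request token, the victim
    authorizes it, and the attacker then tries the exchange without the
    verifier (which went to the victim's browser / the callback, not to the
    attacker). Returns the provider's status string.
    """
    attacker_token = issue_request_token()
    user_authorizes(attacker_token)  # victim clicks "allow"
    status, _ = exchange_for_access_token(attacker_token, None, enforce_verifier)
    return status


if __name__ == "__main__":
    print("strict provider:  ", fixation_scenario(enforce_verifier=True))   # missing_verifier
    print("lenient provider: ", fixation_scenario(enforce_verifier=False))  # ok
```

The point of the toy is the last two lines: with the verifier enforced, the attacker's exchange fails, because the verifier only ever travels to the party that the user was redirected back to; without enforcement the exchange succeeds and the attacker ends up holding the victim's access token, which is exactly the pre-1.0a session fixation problem.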