I am using a URL like the following:
https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token=ab3cd9j4ks73hf7g&oauth_callback=http%3A%2F%2Fwww.example.com
This gets redirected to:
http://www.youtube.com/oauth_authorize_token?oauth_callback=http%3A%2F%2Fwww.google.com&oauth_token=1%2FyT-RZ-5PAMCp43Wt0RAGpNUAbMKAHxq1MG_RiX3Cmtk
After the user clicks allow access, YouTube directs the page to:
http://www.youtube.com/t/oauth_token_authorized
Why is the callback not working?
Their API seems to agree with what I am doing.
In sum, you’re specifying the oauth_callback too late in the process. Instead, provide it at the very beginning. For Google’s provider, that’s when you’re calling OAuthGetRequestToken.
This Google documentation seems to get it right. Strange. I also found other documentation that explains the same thing: “The [Service Provider] MUST associate the callback URL sent in Step 1 with the request token it issues.” So, you have to provide the callback URL when getting the “unauthorized” request token (“unauthorized” because the user hasn’t given their permission yet). After you’ve done this, you can forward the user to the Authorization URL, where the user (aka resource owner) grants access explicitly for your application.
Here’s a page that gives related information about OAuth 2.0.
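Added example, not part of the original answer or Google's code: a sketch of the request-token step with oauth_callback included, so the callback is one of the signed parameters, followed by the authorization URL that then carries only the token. The consumer key and secret are constructed, the POST method and HMAC-SHA1 are assumptions, and any provider-specific request parameters are omitted.

```python
import base64, hashlib, hmac
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://www.google.com/accounts/OAuthGetRequestToken"
AUTHORIZE_URL = "https://www.google.com/accounts/OAuthAuthorizeToken"

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def sign_request_token(consumer_key, consumer_secret, callback, nonce, timestamp):
    """Return (signature base string, signed oauth_* parameters) for step 1."""
    params = {
        "oauth_callback": callback,  # sent here, so it is covered by the signature
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join(["POST", pct(REQUEST_TOKEN_URL), pct(normalized)])
    key = pct(consumer_secret) + "&"  # token secret is empty before a token exists
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    params["oauth_signature"] = base64.b64encode(digest).decode()
    return base, params

def authorization_header(params):
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))

def authorize_url(request_token):
    """Step 2 carries only the request token; the callback was bound in step 1."""
    return f"{AUTHORIZE_URL}?oauth_token={pct(request_token)}"

if __name__ == "__main__":
    import secrets, time
    base, params = sign_request_token(
        "example-consumer-key", "example-consumer-secret",  # constructed credentials
        "http://www.example.com", secrets.token_hex(8), int(time.time()))
    print(base)
    print("Authorization:", authorization_header(params))
    print(authorize_url("ab3cd9j4ks73hf7g"))  # token value taken from the question
```

Because the callback is part of the signature base string, a request whose callback was altered in transit no longer verifies against the consumer secret.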