Yeah, it should include all GET parameters in the signature calculations. Otherwise a man in the middle could modify the query and access the protected data they want.
On Tue, May 12, 2009 at 12:55 PM, Dmitriy Vyukov <dvyu...@gmail.com> wrote:
>
> Hi!
>
> I do the following request:
>
> http://twitter.com/statuses/friends_timeline.xml?since_id=1773396714&count=20
>
> When I include GET parameters (since_id, count) into OAuth signature
> calculation I am getting HTTP 401 error. However when I do NOT include
> GET parameters into OAuth signature calculation request succeeds.
>
> So I guess, you are just excluding GET parameters from OAuth signature
> calculation on your side. AFAIS, this is against OAuth spec.
>
> Are there any plans for fixing this? As an option you may support both
> variants for some time to not break old clients instantly.
> Or I am just missing something?
>
> Thank you.
>
> --
> Best regards,
> Dmitriy V'jukov
>
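The behaviour discussed in this thread, as an added example that is not part of the original messages: an OAuth 1.0 HMAC-SHA1 signature computed with and without the query parameters in the signature base string, and what each variant lets a verifier detect. The credentials, nonce, timestamp and the altered URL are constructed for illustration, and port normalization is left out.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# All credentials and OAuth values below are constructed for this example.
CONSUMER_SECRET, TOKEN_SECRET = "example-consumer-secret", "example-token-secret"
OAUTH = {"oauth_consumer_key": "example-key", "oauth_token": "example-token",
         "oauth_nonce": "n0nce", "oauth_timestamp": "1242150900",
         "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}
SIGNED_URL = ("http://twitter.com/statuses/friends_timeline.xml"
              "?since_id=1773396714&count=20")        # request from the thread
ALTERED_URL = ("http://twitter.com/statuses/friends_timeline.xml"
               "?since_id=1&count=200")               # query changed in transit

def enc(value):
    # OAuth percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def signature(method, url, include_query=True):
    parts = urlsplit(url)
    # Base URL is scheme://host/path with the query string stripped.
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    params = list(OAUTH.items())
    if include_query:  # the spec-conforming behaviour
        params += parse_qsl(parts.query, keep_blank_values=True)
    # Encode names and values, sort, then join as name=value pairs.
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), enc(base_url), enc(normalized)])
    key = f"{enc(CONSUMER_SECRET)}&{enc(TOKEN_SECRET)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def server_accepts(received_url, sig, include_query):
    # Server recomputes the signature over the request it actually received.
    expected = signature("GET", received_url, include_query)
    return hmac.compare_digest(expected, sig)

def demo():
    results = {}
    for include_query in (True, False):
        sig = signature("GET", SIGNED_URL, include_query)
        results[include_query] = server_accepts(ALTERED_URL, sig, include_query)
    return results

if __name__ == "__main__":
    print(demo())
```

With the query parameters in the base string the altered request fails verification; with them left out, the signature still verifies because it never covered `since_id` or `count`.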