This post is geared toward Perl implementations of OAuth, though it may shed some light on recent URI escape problems in other languages as well.
use Encode qw(encode); use URI::Escape; I previously had been escaping my parameters with a call such as: my $value = uri_escape(encode("UTF-8",$param)); The encode() call was encoding the $param as UTF-8 octets before percent encoding with uri_escape(). The use of uri_escape() above is NOT correct to meet the requirements of the OAuth spec. The following is the explanation and fix: # OAUTH spec URI encoding # ========================= # # http://oauth.net/core/1.0a#encoding_parameters # with reference to # http://tools.ietf.org/html/rfc3986#section-2.3 # # 5.1. Parameter Encoding # # All parameter names and values are escaped using the [RFC3986] # percent-encoding (%xx) mechanism. Characters not in the unreserved character # set MUST be encoded. Characters in the unreserved character # set MUST NOT be encoded. Hexadecimal characters in encodings MUST be upper case. # Text names and values MUST be encoded as UTF-8 octets before percent-encoding # them per [RFC3629] # # unreserved = ALPHA, DIGIT, '-', '.', '_', '~' # # # URI::Escape # ============= # http://search.cpan.org/~gaas/URI-1.38/URI/Escape.pm # uri_escape() by default encodes # "^A-Za-z0-9\-_.!~*'()" # # We must subtract from this the reserved characters: ! * ' ( ) # "^A-Za-z0-9\-_.~" # The correct assignment in Perl is thus: my $value = uri_escape(encode("UTF-8",$param),"^A-Za-z0-9\-_.~"); I've tested this and it fixed the problems I was having sending characters "! " "*" etc. I suspect percent encoding in other languages may need a similar implementation. - Scott @scott_carter http://www.bigtweet.com/