
pecl/oauth vs pecl/oauthprovider signature mismatch


I wrote a simple oauth provider and consumer using the pecl oauth package. Everything goes well until I attempt to get an access token, at which point I get a signature mismatch error. The oauth consumer attempts to contact the provider using the oauth->getauthorizedtoken in the following way:

$res = mysql_query("SELECT * FROM request_tokens WHERE oauth_token = '".mysql_real_escape_string($token)."'");
$requestToken = mysql_fetch_assoc($res);

$oauth->setToken($token, $requestToken['oauth_token_secret']);
$authToken = $oauth->getAccessToken("http://dev.myserver.com/~testbranch/?m=oauthMod&act=authorize", NULL, $verifier);

When this fails it spits out debug info with a signature like:

3qBMmue4Q+j8Dm4/9VSTl6y0TR8=

On the provider side, the consumer and token are verified and then it fails with a signature mismatch even though the signature it calculates is:

3qBMmue4Q%2Bj8Dm4%2F9VSTl6y0TR8%3D

Which is obviously a URL-escaped version of the exact same signature. Is this a bug or am I blatantly missing something?


Solution

  • As noted in my question, the two signatures are identical with the exception that one is URL-encoded. This is not part of the specification and is not documented, but there it is. My final solution checks both for signature matches and URL-encoded signature matches. This is not ideal, as there are chances for false matches, but there is little I can do without rewriting the entire algorithm from scratch.
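
As an added example (not part of the original question or answer, and not pecl/oauth's own code), one way to compare the two forms is to reduce each signature to its raw HMAC-SHA1 digest bytes and compare those in constant time. The function names `signatureDigest` and `signaturesMatch` are hypothetical, and the double-encoded and tampered inputs are constructed; the first two signature values are the ones quoted in the question.

```php
<?php
// Added example: hypothetical helpers, not part of pecl/oauth.

/**
 * Reduce a signature to its raw HMAC-SHA1 digest bytes, whether it arrived
 * as plain base64 or as percent-encoded base64. Returns null if malformed.
 */
function signatureDigest(string $sig): ?string
{
    // rawurldecode(), not urldecode(): urldecode() turns '+' into a space,
    // which would corrupt a base64 value. '%' is not in the base64 alphabet,
    // so decoding once leaves an unencoded signature unchanged.
    $b64 = rawurldecode($sig);

    // Strict mode rejects any character outside the base64 alphabet, so a
    // double-encoded value (still containing '%') fails here.
    $raw = base64_decode($b64, true);

    // An HMAC-SHA1 digest is exactly 20 bytes.
    if ($raw === false || strlen($raw) !== 20) {
        return null;
    }
    return $raw;
}

/** Constant-time comparison of two signatures in either encoding. */
function signaturesMatch(string $computed, string $received): bool
{
    $a = signatureDigest($computed);
    $b = signatureDigest($received);
    if ($a === null || $b === null) {
        return false;
    }
    return hash_equals($a, $b);
}

$plain   = '3qBMmue4Q+j8Dm4/9VSTl6y0TR8=';           // from the question
$encoded = '3qBMmue4Q%2Bj8Dm4%2F9VSTl6y0TR8%3D';     // from the question
$double  = '3qBMmue4Q%252Bj8Dm4%252F9VSTl6y0TR8%253D'; // constructed: encoded twice
$tamper  = '3qBMmue4Q+j8Dm4/9VSTl6y0TR9=';           // constructed: one char changed

var_dump(signaturesMatch($encoded, $plain));  // same digest, different encoding
var_dump(signaturesMatch($encoded, $double)); // double-encoded input is rejected
var_dump(signaturesMatch($plain, $tamper));   // different digest
```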