
Why does my oAuth signature need "%26" at the end?


I am working with imgur's API and need to set up oAuth authentication. It's going pretty smoothly but I ran into a snag...

I couldn't get the oAuth request_token endpoint to give me a success message, so I contacted the imgur devs and they gave me a critical piece of information. However, I could not find where this information comes from.

The information I am talking about is my oAuth signature. I knew the oAuth signature is just my api_secret, but in the working code provided by the imgur dev there was an ampersand tagged on the end.

This ampersand was URL-encoded, twice. It went from & to %26, then to %2526.

API Secret        => 7fc6ff69*snip*c4016e7f99e076 // This does not work by itself
[oauth_signature] => 7fc6ff69*snip*c4016e7f99e076%2526 // Works
[oauth_signature] => 7fc6ff69*snip*c4016e7f99e076&  // This also works

Why is an ampersand required? Is this a bug, or is it actually mentioned somewhere in the oAuth 1.0 documentation? Is it always an ampersand, or is that just a strange coincidence? I have no idea where it came from...

EDIT: It's worth mentioning that the oauth_signature is the last variable in the request, so it should not be merging with another variable. Basically, the end of the URL must end with an ampersand (or an html-encoded version of one).


Solution

  • For protected OAuth requests, the signature is typically generated by using a pair of secrets (often a shared secret and an authorized token secret). As you've probably guessed, an ampersand ("&") is used to separate the two secrets. However, when a single secret is used as the signature (as with imgur) the ampersand is still required, but because there is no second secret to separate, the ampersand appears at the end of the string. Another way to think of it is that the ampersand separates the api_secret and an empty secret.
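As an added illustration (not code from the question, the answer, or imgur), the Python below builds the OAuth 1.0 signing key the way RFC 5849 defines it: the percent-encoded consumer secret, a literal "&", and the percent-encoded token secret, which is empty for a request_token call. The PLAINTEXT method sends that key as the oauth_signature unchanged, so a single secret comes out as "secret&", then "%26" after one encoding pass and "%2526" after a second; the HMAC-SHA1 method uses the same key to MAC the base string. The secret value is a constructed placeholder.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct_encode(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~'
    stay as-is; everything else, '&' included, becomes uppercase %XX."""
    return quote(value, safe="-._~")


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Key shared by every OAuth 1.0 signature method: encoded consumer
    secret, a mandatory '&', encoded token secret. With no token secret
    (request_token step) the key simply ends in '&'."""
    return f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}"


def plaintext_signature(consumer_secret: str, token_secret: str = "") -> str:
    """PLAINTEXT method (RFC 5849 section 3.4.4): no hashing, the signature
    is the signing key itself, so the raw oauth_signature is 'secret&'."""
    return signing_key(consumer_secret, token_secret)


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: str = "") -> str:
    """HMAC-SHA1 method: the same '&'-joined key MACs the signature base
    string; the result is base64 and carries no visible '&'."""
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    mac = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def encode_once(signature: str) -> str:
    """oauth_signature as it travels in the query string: trailing '&' -> '%26'."""
    return pct_encode(signature)


def encode_twice(signature: str) -> str:
    """A client that encodes the already-encoded value again: '%26' -> '%2526',
    the form seen in the working request from the question."""
    return pct_encode(pct_encode(signature))


# Constructed placeholder, not a real imgur secret.
CONSUMER_SECRET = "7fc6ff69EXAMPLEc4016e7f99e076"

if __name__ == "__main__":
    sig = plaintext_signature(CONSUMER_SECRET)
    print(sig)                 # ends in '&'
    print(encode_once(sig))    # ends in '%26'
    print(encode_twice(sig))   # ends in '%2526'
```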