Based on the question I asked here, but I wanted to get feedback from the stackoverflow community on this.
It seems from my tests using the Twitter API with OAuth that the oauth_verifier check that should be done by the service provider (Twitter) in step E of http://oauth.net/core/diagram.png is not being done by api.twitter.com; this happens whether the oauth_callback is oob or a regular callback URL.
To test this on twitter is simple: just don't send the oauth_verifier parameter as part of step F for acquiring an access token.
This issue should be easy to reproduce, but if necessary I can post my test code.
The oauth_verifier was part of the solution to the session fixation threat, and was only introduced in the OAuth 1.0a specification. Because of this, the Twitter API may still not be forcing application developers to use it, to avoid breaking backwards compatibility.
- Is this correct? Or am I misinterpreting the OAuth specification?
- Does this also happen with other APIs that should be compliant with OAuth 1.0a? (LinkedIn etc.)
PS - This question is somewhat related, but the issue no longer applies because Twitter is returning the oauth_verifier for both types of callbacks (oob and regular callbacks).
I got a reply from the official twitter discussions:
Currently the API supports both the OAuth 1.0 and OAuth 1.0a authorization flows. We strongly encourage developers not using OAuth 1.0a to update their code as soon as possible.
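To make concrete what the step-F check discussed in the question should look like on the provider side, here is an added illustration (not part of the question, and not Twitter's code): a minimal in-memory model of a service provider's request-token table whose access-token exchange enforces the OAuth 1.0a oauth_verifier, with a flag that models the lenient OAuth 1.0 behaviour observed on api.twitter.com. The class and function names are constructed for this example.

```python
import hmac
import secrets


class RequestTokenStore:
    """Constructed model of a service provider's request-token table."""

    def __init__(self):
        # request token -> {"verifier": str | None, "authorized": bool}
        self._tokens = {}

    def issue_request_token(self):
        # Steps A/B: provider issues an unauthorized request token.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"verifier": None, "authorized": False}
        return token

    def authorize(self, token):
        # Steps C/D: resource owner approves; provider mints the oauth_verifier
        # that reaches the consumer via the callback (or on screen for oob).
        entry = self._tokens[token]
        entry["authorized"] = True
        entry["verifier"] = secrets.token_urlsafe(16)
        return entry["verifier"]

    def exchange_for_access_token(self, token, verifier, strict_1_0a=True):
        # Steps E/F: the access-token endpoint. A 1.0a provider must refuse the
        # exchange unless the supplied oauth_verifier matches the one it minted
        # for this request token; strict_1_0a=False models a 1.0-style provider
        # that skips the check, which is the behaviour the question describes.
        entry = self._tokens.get(token)
        if entry is None or not entry["authorized"]:
            raise PermissionError("unknown or unauthorized request token")
        if strict_1_0a:
            if verifier is None or not hmac.compare_digest(
                verifier.encode(), entry["verifier"].encode()
            ):
                raise PermissionError("missing or mismatched oauth_verifier")
        # Request tokens are single-use: consume before issuing the access token.
        del self._tokens[token]
        return "access-" + secrets.token_urlsafe(16)


def exchange_outcome(strict_1_0a, send_verifier):
    """Run the flow once and report whether the exchange was accepted."""
    store = RequestTokenStore()
    token = store.issue_request_token()
    verifier = store.authorize(token)
    try:
        store.exchange_for_access_token(
            token, verifier if send_verifier else None, strict_1_0a=strict_1_0a)
        return "accepted"
    except PermissionError:
        return "rejected"
```

Calling `exchange_outcome(True, False)` reproduces the test from the question (omit oauth_verifier in step F) against a compliant provider, which rejects it, while `exchange_outcome(False, False)` shows the 1.0-style acceptance.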