[GH-ISSUE #492] OAuth1 Authorize encoding issue #324

Closed
opened 2026-03-03 16:47:41 +03:00 by kerem · 2 comments

Originally created by @smoroden on GitHub (Sep 14, 2018).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/492

Originally assigned to: @phimage on GitHub.

Description:

I am trying to get OAuth1 integrated to a third party but there is an issue where the oauth_token is rejected during the Authorize call whenever it has a `+` in it, e.g. `GET /OAuth/Authorize?viewmode=mobile&oauth_token=SyiIELHYmK2czfntI7hy+Gs7aqU=&fromSignIn=true HTTP/1.1`

Looking at the [RFC](https://tools.ietf.org/html/rfc5849#page-28) it says that

```
2.  The values are then escaped using the [RFC3986] percent-encoding
    (%XX) mechanism as follows:

    *  Characters in the unreserved character set as defined by
       [RFC3986], Section 2.3 (ALPHA, DIGIT, "-", ".", "_", "~") MUST
       NOT be encoded.

    *  All other characters MUST be encoded.

    *  The two hexadecimal characters used to represent encoded
       characters MUST be uppercase.
```

OAuth1Swift.swift:99 shows how we encode when creating the Authorize url:

```swift
// 2. Authorize
if let token = credential.oauthToken.urlQueryEncoded {
...
```

`urlQueryEncoded` uses `CharacterSet.urlQueryAllowed` which does not encode `+` characters.

It seems to me that it should instead be using the `urlEncoded` seen in String+OAuthSwift.swift:19 in order to comply with the RFC specifications.

I have tested doing just that and the Authorize calls work great all of the time.

I haven't run into this issue before for numerous OAuth integrations, so I am also wondering if it is just something different with the third party's implementation?

OAuth Provider? (Twitter, Github, ..):

Private third party

OAuth Version:

  • [x] Version 1
  • [ ] Version 2

OS (Please fill the version) :

  • [x] iOS :
  • [ ] OSX :
  • [ ] TVOS :
  • [ ] WatchOS :

Installation method:

  • [x] Carthage
  • [ ] CocoaPods
  • [ ] Manually

Library version:

  • [ ] head
  • [ ] v1.2.1
  • [ ] v1.2 (Swift 4.0)
  • [ ] v1.0.0
  • [ ] v0.6
  • [x] other: 1.1.1

Xcode version:

  • [x] 9.3 (Swift 4.1)
  • [ ] 9.0 (Swift 4.0)
  • [ ] 9.0 (Swift 3.2)
  • [ ] 8.x (Swift 3.x)
  • [ ] 8.0 (Swift 2.3)
  • [ ] 7.3.1
  • [ ] other: (Please fill in the version you are using.)
  • [ ] objective c

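As an added illustration (not code from this issue or from OAuthSwift), the following Python models the two encodings discussed in the report: an approximation of Foundation's `CharacterSet.urlQueryAllowed`, which leaves `+` untouched, and the RFC 5849 section 3.6 rule that percent-encodes everything outside the RFC 3986 unreserved set. It then shows what a server-side query parser recovers from each form of the Authorize URL; the token value is a constructed sample and the allowed-set approximation is an assumption.

```python
import string
from urllib.parse import parse_qs

# Constructed sample token: base64-like, containing '+' and '=' as in the report.
SAMPLE_TOKEN = "SyiIELHYmK2czfntI7hy+Gs7aqU="

# RFC 3986 section 2.3 unreserved set: the only characters RFC 5849 section 3.6
# allows to remain unencoded in an OAuth 1.0 parameter value.
RFC3986_UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")

# Assumption: approximation of Foundation's CharacterSet.urlQueryAllowed, which
# also leaves query-legal punctuation alone, notably '+', '=' and '&'.
URL_QUERY_ALLOWED = RFC3986_UNRESERVED | frozenset("!$&'()*+,;=:@/?")


def percent_encode(value: str, allowed: frozenset) -> str:
    """Encode every UTF-8 byte not in `allowed` as %XX with uppercase hex."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x80 and chr(byte) in allowed:
            out.append(chr(byte))
        else:
            out.append("%%%02X" % byte)
    return "".join(out)


def rfc5849_encode(value: str) -> str:
    """The encoding the RFC requires (what the report calls urlEncoded)."""
    return percent_encode(value, RFC3986_UNRESERVED)


def url_query_encode(value: str) -> str:
    """The urlQueryAllowed-style encoding that leaves '+' and '=' in place."""
    return percent_encode(value, URL_QUERY_ALLOWED)


def build_authorize_query(token: str, encoder) -> str:
    """Query string of the Authorize request from the report, with the token encoded."""
    return "viewmode=mobile&oauth_token=%s&fromSignIn=true" % encoder(token)


def token_seen_by_server(query: str) -> str:
    """What a typical server-side query parser recovers: a literal '+' becomes a space,
    so a token sent with urlQueryAllowed-style encoding no longer matches the issued one."""
    return parse_qs(query)["oauth_token"][0]
```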
kerem 2026-03-03 16:47:41 +03:00
  • closed this issue
  • added the
    bug
    label

@phimage commented on GitHub (Sep 17, 2018):

Thank you for the detailed report.

I think you are right regarding the RFC.
I want to fix that, but I must test with some server (and it is difficult to know if they sometimes provide a token with these characters, so a banal unit test will never really test that).

...Sometimes server and client make mistakes; that's why there are some configuration booleans in OAuthSwift to be compatible with some servers.


@phimage commented on GitHub (Jun 10, 2019):

I made an option on `OAuthSwift1`, `useRFC3986ToEncodeToken`, to set to true to use `urlEncoded`.
If it could help someone with one server.
