devdefined-tools - issue #2

oauth_token_secret is sent in the URI/Headers


Posted on Mar 19, 2009 by Quick Bear

Using the latest source in TRUNK.

When accessing a protected resource the library sends the oauth_token_secret in the URI, or in the case of header based authentication its sends it in the header.

oauth_token_secret should not be included in any requests to the provider [1], this data is sensitive, and in the case of desktop applications where the consumer secret is not secure it would allow an attacker to obtain access to protected resources.

--- OAuth HTTP Request with the library ---
GET /statuses/friends_timeline.xml?count=50&since_id=1 HTTP/1.1
Authorization: OAuth oauth_token="10471832-XMtqq0fl5bpFI5aiJjeopon4QpL9jcwRBwspyf...",oauth_token_secret="vAwMlDtkbtkjxjtZhz8x3ngw4Vk3ZmvpHDAhVuMw",oauth_nonce="ac4cdbe3-98db-4017-a9b3-e62ceb5eaf17",oauth_consumer_key="OxuuZnHZuTr6ZxjrL3yzQ",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1237476772",oauth_version="1.0",oauth_signature="j29o0oSQhwW5yel7Vb9L7AeI8ks%3D"
Host: twitter.com
Connection: Keep-Alive
--- End of Request ---

I worked around this by editing line 235 and line 291 of OAuthContext.cs to exclude Parameters.OAuth_Token_Secret:

  AuthorizationHeaderParameters.ToQueryParameters().Where(q => q.Key != Parameters.Realm && q.Key != Parameters.OAuth_Token_Secret)

  1. http://oauth.net/core/1.0/#anchor13
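To make the report concrete: in OAuth 1.0 the token secret is an input to the HMAC-SHA1 signing key and nothing else, so a correct Authorization header carries oauth_token and oauth_signature but never oauth_token_secret. The following is an added example written for this page in Python (it is not code from devdefined-tools or from the reporter); it assumes the URL has no explicit port and ends with a check a reviewer could run over a captured header to catch the leak described above.

```python
"""OAuth 1.0 HMAC-SHA1 signing: secrets feed the key, never the wire."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters are kept."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lowercased scheme and host, path kept, query dropped (assumes no explicit port)."""
    u = urlsplit(url)
    return f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"


def signature_base_string(method, url, params):
    """Spec section 9.1: METHOD & enc(uri) & enc(sorted encoded params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret):
    """Spec section 9.2: both secrets live only in the HMAC key."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_authorization_header(method, url, query, creds, nonce, timestamp):
    """creds: dict with consumer_key, consumer_secret, token, token_secret (constructed)."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth})
    oauth["oauth_signature"] = sign_hmac_sha1(base, creds["consumer_secret"], creds["token_secret"])
    # Only oauth_* parameters are emitted; the two secrets are not among them.
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def header_leaks_secret(header):
    """Audit check for the defect in this issue: a secret parameter in the header."""
    return "oauth_token_secret" in header or "oauth_consumer_secret" in header
```

The check accepts the header string exactly as captured from a request, so the library's output above can be fed to it as-is.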

Comment #1

Posted on Apr 21, 2009 by Happy Giraffe

This is a MAJOR flaw if this is valid. Are there truly no good or even working .Net implementations of OAuth?

Comment #2

Posted on Apr 6, 2010 by Swift Kangaroo

This issue was resolved a while ago, through the use of the method call: AuthorizationHeaderParameters.ToQueryParametersExcludingTokenSecret();

Status: Fixed

Labels:
Type-Defect Priority-Medium