Using $oauthRequest = OAuthRequest::from_request($method, $url, $params);

in line 91 of osapiOAuth2Legged.php can lead to incorrect signatures. To reproduce you have to secure the page making the request to the OpenSocial API through two legged OAuth with OAuth as well, which is a behaviour used in some OpenSocial Apps (through gadgets.io.makeRequest).

To fix change this line to:

$oauthRequest = new OAuthRequest($method, $url, $params);

I'm running into this issue in a different situation, or I just didn't understand the description above ;)

Whenever the PHP script that has some (GET) parameters to it, makes an OpenSocial call the parameters to this page are actually added to the signature as well... which breaks as the server doesn't consider the same parameters to be part of the signature I guess...

The fix above also works for me. Not sure if this is a "clean" fix...

(Attached fix above as patch against trunk)