I have implemented an OAuth 1.0a consumer using the Scribe library and I have also implemented an OAuth 2 provider using Spring Security OAuth. The class OAuth2ProtectedResourceFilter in Spring Security OAuth 2 filters all requests to my web server. If I am connecting to Twitter (or any other OAuth 1.0a provider, it seems), after the user authorizes my application and Twitter redirects said user back to my application, the filter OAuth2ProtectedResourceFilter incorrectly processes it as an OAuth 2 request to a protected resource, since "oauth_signature_method" is not present when an OAuth 1.0a provider calls back after the user has authorized an application.
The check takes place currently in parseHeaderToken(), but it seems that we cannot rely on just the presence of "oauth_signature_method" in the header in this case. Or am I missing something?
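
One way to separate the two cases described above, as an added example that is not part of the original post and not Spring Security OAuth code: per RFC 5849 section 2.2 the OAuth 1.0a callback is an unsigned redirect carrying `oauth_token` and `oauth_verifier`, so `oauth_verifier` can serve as the discriminator. The class and enum names are hypothetical, and the sketch assumes the OAuth 2 side accepts an `OAuth` or `Bearer` header or an `oauth_token`/`access_token` request parameter.

```java
import java.util.Map;

// Added example: hypothetical classifier, not Spring Security OAuth code.
public class OAuthRequestClassifier {

    enum Kind { OAUTH1_SIGNED, OAUTH1_CALLBACK, OAUTH2_TOKEN, NONE }

    // authorization: raw Authorization header value, or null if absent.
    // params: decoded query/form parameters of the request.
    static Kind classify(String authorization, Map<String, String> params) {
        if (authorization != null && authorization.regionMatches(true, 0, "OAuth ", 0, 6)) {
            // Signed OAuth 1.0a requests carry oauth_signature_method in the header;
            // an "OAuth <token>" header without it is assumed to be an OAuth 2 token.
            String rest = authorization.substring(6);
            return rest.contains("oauth_signature_method=") ? Kind.OAUTH1_SIGNED : Kind.OAUTH2_TOKEN;
        }
        if (authorization != null && authorization.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return Kind.OAUTH2_TOKEN;
        }
        // OAuth 1.0a protocol parameters may also travel in the query or form body.
        if (params.containsKey("oauth_signature_method") || params.containsKey("oauth_signature")) {
            return Kind.OAUTH1_SIGNED;
        }
        // The OAuth 1.0a callback has no signature, only oauth_token + oauth_verifier.
        // OAuth 2 defines no oauth_verifier parameter, so its presence settles the question
        // and must be checked before any fallback to an oauth_token parameter.
        if (params.containsKey("oauth_verifier")) {
            return Kind.OAUTH1_CALLBACK;
        }
        if (params.containsKey("oauth_token") || params.containsKey("access_token")) {
            return Kind.OAUTH2_TOKEN;
        }
        return Kind.NONE;
    }

    public static void main(String[] args) {
        // Constructed sample requests, one per case.
        System.out.println(classify(null, Map.of("oauth_token", "req-tok", "oauth_verifier", "v123")));
        System.out.println(classify("OAuth abc123", Map.of()));
        System.out.println(classify(
                "OAuth oauth_consumer_key=\"k\", oauth_signature_method=\"HMAC-SHA1\"", Map.of()));
        System.out.println(classify(null, Map.of("oauth_token", "abc123")));
    }
}
```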