Description
I recently worked with an OAuth server that required a POST oauth_token parameter unrelated to the OAuth access token, in addition to the access token.
Currently, oauth2 has no way of properly dealing with this situation. There are actually a few problems: the OAuth oauth_token and the POST oauth_token must both be included in the hash (and thus carried through the Request object), the resulting authentication headers can only appear in the Authorization: header (and not in the POST body), and the POST body must still contain the original oauth_token after all this processing is done.
I worked around it with a gross hack (that only works for oauth_token), but I think that this needs to be fixed in general.
Might I suggest simply decoupling the oauth_ variables from GET and POST variables? They are intended to be separate sources of variables, anyway. In this envisioned redesign, Request might no longer extend dict, but instead just have three separate dicts for the OAuth variables, the GET variables (just stored in the URL) and POST variables (just stored as-is). Alternately, you could just have the POST variables never enter the Request dictionary, but instead live in a separate variable.
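A sketch of the separation suggested above, added here as an illustration; it is not part of the original report and not code from the oauth2 library. `SeparatedRequest`, its methods, the host and all sample values are hypothetical, and the signing follows the HMAC-SHA1 rules of RFC 5849.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

def enc(value):
    # RFC 5849 section 3.6 encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

class SeparatedRequest:
    """Hypothetical type: OAuth, query and POST parameters never share a dict."""
    def __init__(self, method, url, oauth_params, post_params):
        self.method, self.url = method.upper(), url
        self.oauth = dict(oauth_params)  # protocol parameters, header only
        self.post = list(post_params)    # application form fields, sent as-is

    def base_string(self):
        parts = urlsplit(self.url)
        # Sign pairs from all three sources as a list, so duplicate names survive.
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        pairs += [(k, v) for k, v in self.oauth.items() if k != "oauth_signature"]
        pairs += self.post
        encoded = sorted((enc(k), enc(v)) for k, v in pairs)
        normalized = "&".join(f"{k}={v}" for k, v in encoded)
        # Simplification: default ports (:80, :443) are not stripped here.
        base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
        return "&".join([self.method, enc(base_url), enc(normalized)])

    def sign(self, consumer_secret, token_secret):
        key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
        digest = hmac.new(key, self.base_string().encode(), hashlib.sha1).digest()
        self.oauth["oauth_signature"] = base64.b64encode(digest).decode()

    def authorization_header(self):
        fields = sorted(self.oauth.items())
        return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in fields)

    def body(self):
        return urlencode(self.post)  # untouched by signing

def build_example():
    # Constructed sample values; the host and secrets are placeholders.
    oauth = {"oauth_consumer_key": "ck", "oauth_token": "ACCESS-TOKEN",
             "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": "n0nce",
             "oauth_timestamp": "1300000000", "oauth_version": "1.0"}
    post = [("oauth_token", "APP-FIELD"), ("comment", "hello world")]
    req = SeparatedRequest("POST", "https://api.example.test/resource?page=2", oauth, post)
    req.sign("consumer-secret", "token-secret")
    return req
```

Both `oauth_token` values enter the signature base string, only the access token appears in the `Authorization` header, and the POST body keeps the application's own `oauth_token` field.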