I just filled an issue on github...

The text is below...

Hi,
I'm using cl-oauth to authenticate with twitter (it's in the cl-twitter package, also on github).

I received a complaint from a quicklisp user that he couldn't authenticate with twitter.

After looking into this a bit I realized that drakma is encoding the uri on get requests. Now, cl-oauth passes in an encoded uri so this uri gets encoded twice. This was never a problem for me because I was using v 1.2.3 of drakma where this didn't happen.

Here's the code diff (plus my proposed change :)
========================== v 1.2.3 ==================================
(when (and (not parameters-used-p)
parameters)
(setf (uri-query uri)
;; append parameters to existing query of URI
(format nil "~@[~A~]~:*~:[~;&~]~A"
(uri-query uri)
(alist-to-url-encoded-string parameters external-format-out))))

===========================current github/v1.2.4=============
(when-let (all-get-parameters
(append (dissect-query (uri-query uri))
(and (not parameters-used-p) parameters)))
(setf (uri-query uri)
(alist-to-url-encoded-string all-get-parameters external-format-out)))
===============================my proposed change===================================================
(when (and (not parameters-used-p)
parameters)
(when-let (all-get-parameters
(append (dissect-query (uri-query uri))
(and (not parameters-used-p) parameters)))
(setf (uri-query uri)
(alist-to-url-encoded-string all-get-parameters external-format-out))))

A few more comments :

This is the hand-off in cl-oauth :

(defun http-request (uri &key (request-method :get) parameters drakma-args)
  ;; TODO handle redirects properly
  (let* ((param-string-encoded (alist->query-string parameters :include-leading-ampersand nil :url-encode t)))
    (case request-method
      (:get 
       (apply #'drakma:http-request 
      (uri-with-additional-query-part uri param-string-encoded)
      :method request-method
      drakma-args))
      (:post
        (apply #'drakma:http-request
               uri
               :method request-method
               :content param-string-encoded
               drakma-args))

As you can see url-encode is set to t. That was because (I think !) previous versions required encoding and drakma wasn't providing any. Now, ideally tis flag s/b nil. However the issue the becomes the string splitting in dissect-query. This splits on "=" which is also the terminating symbol for the authentication string...
=======================session===================
(drakma::split-string "oauth_signature=oq37d1/qm[....]fIKb778=&include_entities=T&oauth_consumer_key=9[....]cYBg&oauth_token=206[...]Tt5SwRvCJqQWgR3ajEQpk&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1325002586&oauth_nonce=3680613621135035286&oauth_version=1.0" "&")
("oauth_signature=oq37d1/qmFX0YuQUwxsgfIKb778=" "include_entities=T"
[....])

CL-USER> (drakma::split-string "oauth_signature=oq37d1/qmFX0YuQUwxsgfIKb778=" "=")
; compiling (DEFUN HTTP-REQUEST ...)
STYLE-WARNING: redefining DRAKMA:HTTP-REQUEST in DEFUN

("oauth_signature" "oq37d1/qm[...]778")

(I've elided some of the strings...).

I think my proposal resolves the issue. However, it would require a bit more work to get to what I think is the 'right' solution...

At this stage I'd like to get some feedback on whta you consider the right course of action before proceeding to submit a patch