Quick update, hoping anyone who knows this stuff will turn out some day.
I've re-run a test without SSL - trovebox hosted over plain HTTP. This is the php error log when I create a "request" token (see first scenario in my post above):
2014/10/02 16:24:09 [error] 24868#0: *39257 FastCGI sent in stderr: "PHP message: {severity:crit, description:"oauth_problem=parameter_absent&oauth_parameters_absent=oauth_signature%26oauth_signature_method%26oauth_nonce%26oauth_timestamp", additional:}" while reading response header from upstream, client: 1.2.3.4, server: gallery.my.domain, request: "GET /v1/oauth/authorize?oauth_consumer_key=9d27821f3d14d6579e8ba8bc0e0cc3&oauth_consumer_secret=e3c6067867&oauth_token=6e6cdab47358c1c83687f54570d024&oauth_token_secret=4f24e1918d&oauth_verifier=362dda917e HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "gallery.my.domain", referrer: "
http://gallery.my.domain/v1/oauth/authorize?mobile=1"
2014/10/02 16:24:10 [error] 24861#0: *39279 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: oauth_consumer_key in /srv/www/gallery.my.domain/src/libraries/models/Credential.php on line 34
PHP message: PHP Notice: Undefined index: oauth_consumer_key in /srv/www/gallery.my.domain/src/libraries/models/Credential.php on line 34
PHP message: PHP Notice: Undefined index: oauth_consumer_key in /srv/www/gallery.my.domain/src/libraries/models/Credential.php on line 34
PHP message: {severity:crit, description:"oauth_problem=parameter_absent&oauth_parameters_absent=oauth_consumer_key%26oauth_signature%26oauth_signature_method%26oauth_nonce%26oauth_timestamp", additional:}" while reading response header from upstream, client: 1.2.3.4, server: gallery.my.domain, request: "GET /user/login?r=/v1/oauth/authorize?oauth_consumer_key=9d27821f3d14d6579e8ba8bc0e0cc3&oauth_consumer_secret=e3c6067867&oauth_token=6e6cdab47358c1c83687f54570d024&oauth_token_secret=4f24e1918d&oauth_verifier=362dda917e HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "gallery.my.domain", referrer: "
http://gallery.my.domain/v1/oauth/authorize?mobile=1"
2014/10/02 16:24:10 [error] 24861#0: *39279 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: oauth_consumer_key in /srv/www/gallery.my.domain/src/libraries/models/Credential.php on line 34" while reading upstream, client: 1.2.3.4, server: gallery.my.domain, request: "GET /user/login?r=/v1/oauth/authorize?oauth_consumer_key=9d27821f3d14d6579e8ba8bc0e0cc3&oauth_consumer_secret=e3c6067867&oauth_token=6e6cdab47358c1c83687f54570d024&oauth_token_secret=4f24e1918d&oauth_verifier=362dda917e HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "gallery.my.domain", referrer: "
http://gallery.my.domain/v1/oauth/authorize?mobile=1"
It appears to complain about absent parameters - oauth_signature, oauth_signature_method, oauth_nonce, oauth_timestamp.
The second scenario (forcefully adding &tokenType=access to the URL) does not result in a single error whatsoever in the PHP log, just like before, but it still gives the dreaded "error with authentication".