Writing A Twitter Client Using PHP (1): Consumer Requests Request Token


Here I got help from other people’s code. For some code, I don’t know why. But it just works.

This post covers steps A and B in the diagram above: Consumer Requests Request Token.
 
As the diagram shows, 7 values should be sent to the Twitter server:
1, oauth_consumer_key
2, oauth_signature_method
3, oauth_signature
4, oauth_timestamp
5, oauth_nonce
6, oauth_version (optional)
7, oauth_callback

The url is: https://twitter.com/oauth/request_token
The method is: GET

oauth_consumer_key is obtained when an API is registered with Twitter;
Here oauth_signature_method is HMAC-SHA1;
oauth_timestamp is time();
The code below generates oauth_nonce:
$mt = microtime();
$rand = mt_rand();
$oauth_nonce = md5($mt . $rand);
Other methods can be used here to get a value for oauth_nonce.
oauth_version here is 1.0a;
oauth_callback is the URL, here http://localhost/itwitter/. When the authentication is finished, the user will be redirected to this URL.

Getting oauth_signature right is a bit hard. If it is wrong, the following message is shown:

Failed to validate oauth signature and token

Below is the code to get this oauth_signature:

// Percent-encode a value, keeping "~" unescaped
function urlencode_tw($input) { return str_replace('+', ' ', str_replace('%7E', '~', rawurlencode($input))); }

$oauth_callback = 'http://localhost/itwitter/';
$oauth_callback = str_replace('+', ' ', str_replace('%7E', '~', rawurlencode($oauth_callback)));
// The parameters are listed in alphabetical order by name, as the signature requires
$sub_string = array('oauth_callback' => $oauth_callback, 'oauth_consumer_key' => $oauth_consumer_key, 'oauth_nonce' => $oauth_nonce, 'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => $oauth_timestamp, 'oauth_version' => $oauth_version);

$params = $sub_string;

// Turn each parameter into a "name=value" pair
$temp = array();
foreach ($params as $param => $values) {
  if (is_array($values)) {
    natsort($values);
    foreach ($values as $value) {
      $temp[] = $param . '=' . $value;
    }
  } else {
    $temp[] = $param . '=' . $values;
  }
}

$sub_string = $temp;

$sub_string = implode('&', $sub_string);
// Base string: HTTP method, URL and parameter string, each percent-encoded and joined with "&"
$base_string = array("GET", "https://twitter.com/oauth/request_token", $sub_string);

$base_string = array_map('urlencode_tw', $base_string);

$base_string = implode('&', $base_string);

// HMAC key: the consumer secret followed by "&" (there is no token secret yet at this step).
// $oauth_consumer_secret is an assumed variable name; it holds the secret issued with oauth_consumer_key.
$key = urlencode_tw($oauth_consumer_secret) . '&';

$oauth_signature = base64_encode(hash_hmac('sha1', $base_string, $key, true));

$oauth_signature = str_replace('+', ' ', str_replace('%7E', '~', rawurlencode($oauth_signature)));

I think that the messages that are transferred to the server will be encrypted with one encryption method to get a key. The server will get a key, the encryption method, and all the messages that aren’t encrypted. With all the information, the server can check if the messages are changed from its original values.

The message that will be encrypted looks something like this:

GET&https%3A%2F%2Ftwitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost%252Fitwitter%252F%26oauth_consumer_key%3Dfwwaw3m5sQq4L3M6aXV1jg%26oauth_nonce%3Df9baa315ecf34c0aabf555f785c312fc%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1295839203%26oauth_version%3D1.0a

Then oauth_signature is something like this:
d1zMBrpd/YBdZmYVZxpqpwqxglQ=
Then use str_replace('+', ' ', str_replace('%7E', '~', rawurlencode($oauth_signature))) to percent-encode the characters that are not letters or numbers.

The final value looks like this:
d1zMBrpd%2FYBdZmYVZxpqpwqxglQ%3D

Then all the values are appended to “https://twitter.com/oauth/request_token” as query parameters:

https://twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2Flocalhost%2Fitwitter%2F&oauth_consumer_key=fwwaw3m5sQq4L3M6aXV1jg&oauth_nonce=817d10a677547378dbef3547c5545fdb&oauth_signature=Hv48dvKEbWAn4tG4JSEs0UbM1so%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1295839203&oauth_version=1.0a

Requesting this URL with these parameters returns oauth_token. The response looks something like this:
oauth_token=Fh8BYm1ec2EGgCXdxFPsWIv46aFgZiGqw6Krv8iLks&oauth_token_secret=PFNmtGd166NV7SGfnZhk8DFzlU67oiaErWSFyBJlxM&oauth_callback_confirmed=true
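
The signing steps above, together with the server-side check they make possible, as an added example (not the original author's code). It goes slightly beyond the post by sorting the parameters itself, drawing the nonce from random_bytes(), and verifying with hash_equals(); it assumes PHP 7 or later, and the function names, consumer key and consumer secret are constructed placeholders.

```php
<?php
// Added example; the consumer key and secret below are constructed placeholders.

// RFC 3986 percent-encoding; rawurlencode() leaves "~" unescaped since PHP 5.3.
function oauth_encode(string $s): string { return rawurlencode($s); }

// Signature base string: METHOD & encoded URL & encoded, name-sorted parameters.
function oauth_base_string(string $method, string $url, array $params): string {
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[oauth_encode($k)] = oauth_encode($v);
    }
    ksort($pairs, SORT_STRING);
    $parts = [];
    foreach ($pairs as $k => $v) {
        $parts[] = $k . '=' . $v;
    }
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode(implode('&', $parts));
}

// HMAC key: consumer secret, "&", token secret (empty at the request-token step).
function oauth_sign(string $base, string $consumerSecret, string $tokenSecret = ''): string {
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Server side: recompute the signature from what arrived, compare in constant time.
function oauth_verify(string $method, string $url, array $received, string $consumerSecret): bool {
    $sig = $received['oauth_signature'] ?? '';
    unset($received['oauth_signature']);
    $expected = oauth_sign(oauth_base_string($method, $url, $received), $consumerSecret);
    return hash_equals($expected, $sig);
}

$secret = 'constructed-consumer-secret';
$url    = 'https://twitter.com/oauth/request_token';
$params = [
    'oauth_callback'         => 'http://localhost/itwitter/',
    'oauth_consumer_key'     => 'constructed-consumer-key',
    'oauth_nonce'            => bin2hex(random_bytes(16)), // CSPRNG instead of md5(microtime)
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_version'          => '1.0a',
];
$params['oauth_signature'] = oauth_sign(oauth_base_string('GET', $url, $params), $secret);

var_dump(oauth_verify('GET', $url, $params, $secret));   // request exactly as signed
$params['oauth_callback'] = 'http://example.invalid/';   // value changed after signing
var_dump(oauth_verify('GET', $url, $params, $secret));
```

The second check fails because the changed callback produces a different base string, so the recomputed HMAC no longer matches the signature that was sent.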
