> > You order all parameters EXCEPT the signature, then create the signature,
> > then append the signature to the end.  All other parameters should be in
> > order.
> I am under the impression that sorting is only required to generate
> the Signature Base String. I haven't seen anything in the OAuth spec
> to suggest that Query parameters must be ordered. If I have missed
> something, please let me know where. I also believe that ordering is
> *not* required in the Authorization header because the example shown
> in the spec is not ordered [1]

Yep, that's my understanding too. Signature base string sorting is
strict. For the Authorization header, neither sender nor receiver
should assume any sorting, it's an unsorted key/value map.
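
The distinction discussed in this thread, as an added example that is not part of the original messages: an OAuth 1.0 HMAC-SHA1 signer that sorts parameters only when building the signature base string, and a verifier that reads the Authorization header as an unordered map. The endpoint, keys and secrets are constructed sample values, and the URL is assumed to be already in its normalized base form.

```python
import base64, hashlib, hmac, random
from urllib.parse import quote, unquote

def enc(s):  # RFC 3986 unreserved characters stay literal, everything else becomes %XX
    return quote(str(s), safe="~")

def base_string(method, url, params):
    # Strict step: encode, then sort by name and value; oauth_signature is left out
    pairs = sorted((enc(k), enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_header(oauth_params):  # emitted in whatever order the caller supplies
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in oauth_params)

def parse_header(header):  # receiver side: an unordered key/value map
    fields = {}
    for part in header[len("OAuth "):].split(","):
        k, _, v = part.strip().partition("=")
        fields[unquote(k)] = unquote(v.strip('"'))
    return fields

def verify(method, url, query, header, consumer_secret, token_secret=""):
    fields = parse_header(header)
    claimed = fields.pop("oauth_signature", "")
    fields.pop("realm", None)  # realm is never part of the base string
    expected = sign(method, url, list(query) + list(fields.items()),
                    consumer_secret, token_secret)
    return hmac.compare_digest(claimed, expected)

# Constructed sample request; every value below is made up for the demo
URL = "https://api.example.com/photos"
QUERY = [("size", "original"), ("file", "vacation.jpg")]
OAUTH = [("oauth_consumer_key", "ck-demo"), ("oauth_token", "tok-demo"),
         ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1200000000"),
         ("oauth_nonce", "n0nce"), ("oauth_version", "1.0")]

def demo(secret="cs-demo"):
    sig = sign("GET", URL, QUERY + OAUTH, "cs-demo", "ts-demo")
    shuffled = OAUTH + [("oauth_signature", sig)]
    random.Random(7).shuffle(shuffled)  # arbitrary header order
    return verify("GET", URL, reversed(QUERY), build_header(shuffled), secret, "ts-demo")
if __name__ == "__main__":
    print(demo())
```

A receiver that compares the header or query string byte-for-byte against its own ordering, instead of re-deriving the sorted base string, will reject valid requests from clients that serialize differently.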

