> > You order all parameters EXCEPT the signature, then create the signature,
> > then append the signature to the end. All other parameters should be in
> > order.
> I am under the impression that sorting is only required to generate
> the Signature Base String. I haven't seen anything in the OAuth spec
> to suggest that Query parameters must be ordered. If I have missed
> something, lease let me know where. I also believe that ordering is
> *not* required in the Authorization header because the example shown
> in the spec is not ordered 
Yep, that's my understanding too. Signature base string sorting is
strict. For the Authorization header, neither sender nor receiver
should assume any sorting, it's an unsorted key/value map.