Creating the signature base string: document / example inconsistencies


#1

I’m writing a signature generator in JS and am able to match the generated signature in the example provided by https://dev.twitter.com/oauth/overview/creating-signatures

The instructions for creating a signature base string are very specific; however, I’ve noticed that the Signature base string generated by the oauth tools signature generator, linked from https://dev.twitter.com/rest/reference/get/followers/list, doesn’t follow the specifications laid out in the Creating Signatures Documentation.

Specifically, under the Collecting Parameters heading, step 2 says the following:

  1. Sort the list of parameters alphabetically[1] by encoded key[2].

Looking at the Signature Base String generated from a GET followers/list example:

GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Ffollowers%2Flist.json&amp%253Binclude_user_entities%3Dfalse%26amp%253Bscreen_name%3Dtwitterdev%26amp%253Bskip_status%3Dtrue%26cursor%3D-1%26oauth_consumer_key%XXX%26oauth_nonce%3Dc14a6ea5235e38b854f12b7de6b27cd8%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1459519379%26oauth_token%3DXXX%26oauth_version%3D1.0

All of the request query parameters precede the oauth_header parameters regardless of alphabetical order. Also the request query parameters aren’t in alphabetical order but the oauth_header parameters do follow alphabetical order.

Should my signature generator match the results of the example outlined in https://dev.twitter.com/oauth/overview/creating-signatures or should I match the results of an example generated from the Oauth Signature Generator linked from a page like https://dev.twitter.com/rest/reference/get/followers/list?

Thanks.
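Added example, not part of the original post and not Twitter's code: a base-string builder that follows the documented steps (percent-encode, sort by encoded key, join), run on a constructed query string once with plain `&` separators and once with them HTML-escaped as `&amp;`, which turns a key such as `screen_name` into `amp;screen_name`. The function names are hypothetical, and the consumer key and token are placeholders.

```javascript
// RFC 3986 percent-encoding: encodeURIComponent leaves ! ' ( ) * alone,
// so escape those too.
function percentEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}
// Split a raw query on '&' and '=' only, then percent-decode each part.
// Nothing decodes HTML entities, so "&amp;x=1" yields the key "amp;x".
function parseQuery(query) {
  return query.split('&').filter(Boolean).map(pair => {
    const i = pair.indexOf('=');
    return i < 0 ? [decodeURIComponent(pair), '']
      : [decodeURIComponent(pair.slice(0, i)), decodeURIComponent(pair.slice(i + 1))];
  });
}
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
// Encode every key and value, sort by encoded key (ties by encoded value), join.
function parameterString(pairs) {
  return pairs
    .map(([k, v]) => [percentEncode(k), percentEncode(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => k + '=' + v)
    .join('&');
}
function signatureBaseString(method, baseUrl, pairs) {
  return [method.toUpperCase(), percentEncode(baseUrl),
    percentEncode(parameterString(pairs))].join('&');
}
// Nonce, timestamp, method and version are the ones visible in the post;
// the consumer key and token are placeholders.
const OAUTH_PARAMS = [
  ['oauth_consumer_key', 'CONSUMER_KEY_PLACEHOLDER'], ['oauth_nonce', 'c14a6ea5235e38b854f12b7de6b27cd8'],
  ['oauth_signature_method', 'HMAC-SHA1'], ['oauth_timestamp', '1459519379'],
  ['oauth_token', 'TOKEN_PLACEHOLDER'], ['oauth_version', '1.0'],
];
const BASE_URL = 'https://api.twitter.com/1.1/followers/list.json';
// Constructed inputs: the same query with plain '&' and with '&amp;'.
const CLEAN = 'cursor=-1&screen_name=twitterdev&skip_status=true&include_user_entities=false';
const ESCAPED = CLEAN.replace(/&/g, '&amp;');
function baseStringFor(query) {
  return signatureBaseString('GET', BASE_URL, parseQuery(query).concat(OAUTH_PARAMS));
}
console.log(baseStringFor(CLEAN) + '\n' + baseStringFor(ESCAPED));
```

With the escaped input, the `amp%253B...` keys sort ahead of `cursor` and the `oauth_*` parameters, the same order as in the base string quoted in the post.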