UPDATE: Please see http://self-issued.info/docs/draft-jones-json-web-token-06.html and the implementation here https://github.com/progrium/ruby-jwt for another method for JSON specific requests.
(if you run into this post and are about to use a different method that doesn't pose any particular benefit, use this one - post an alternative if there's a benefit!)
When a third party is given the option of sending a url-form-encoded request containing a signature value, we need a method of signing all keys and values as well as a signature, without the inclusion of the signature itself in the hash.
http://example.com/?a=1&c=3&b=2&signature=abcdefg
- Parse query string:
url = http://example.com/?a=1&b=2&c=3
#1(url) = ["http://example.com", "a=1&c=3&b=2"]
- Order by keys and values in array with "#{k}#{v}"
#2("a=1&c=3&b=2") = ["a1", "c3", "b4"]
- Sort lexicographically, join
#3(["a1", "c3", "b4"]) = "a1b4c3"
- Sign (algorithm not specified but likely HMAC-* or NACL Signature Verification)
#4("a1b4c3") = SIGNATURE
- Use in original URL
#5(SIGNATURE) = http://example.com/?a=1&c=3&b=2&signature=SIGNATURE
Perform above on incoming request but remove 'signature' parameter from the encoded string before calcuating the signature. Compare the two and ensure they are the same.