All OAuth 1.0 requests use the same basic algorithm for creating a
signature base string and a signature. The signature base string is
composed of the HTTP method being used, followed by an ampersand ("&")
and then the URL-encoded base URL being accessed, complete with path
(but not query parameters), followed by an ampersand ("&"). Then, you
take all query parameters and POST body parameters (when the POST body is
of the URL-encoded type, otherwise the POST body is ignored), including
the OAuth parameters necessary for negotiation with the request at hand,
and sort them in lexicographical order by first parameter name and then
parameter value (for duplicate parameters), all the while ensuring that
both the key and the value for each parameter are URL encoded in
isolation. Instead of using the equals ("=") sign to mark the key/value
relationship, you use the URL-encoded form of "%3D". Each parameter is
then joined by the URL-escaped ampersand sign, "%26".