as per 1.0a/9.1.1 part 1: Parameters are sorted by name, using lexicographical byte value ordering. If two or more parameters share the same name, they are sorted by their value

Author: Woodya

oauth2/__init__.py

@@ -29,6 +29,7 @@
 import hmac
 import binascii
 import httplib2
+from types import ListType
 
 try:
     from urlparse import parse_qs, parse_qsl
@@ -327,8 +328,9 @@ def get_parameter(self, parameter):
 
     def get_normalized_parameters(self):
         """Return a string that contains the parameters that must be signed."""
-        items = [(k, v) for k, v in self.items() if k != 'oauth_signature']
-        encoded_str = urllib.urlencode(sorted(items), True)
+        # 1.0a/9.1.1 states that kvp must be sorted by key, then by value
+        items = [(k, v if type(v) != ListType else sorted(v)) for k,v in sorted(self.items()) if k != 'oauth_signature']
+        encoded_str = urllib.urlencode(items, True)
         # Encode signature parameters per Oauth Core 1.0 protocol
         # spec draft 7, section 3.6
         # (http://tools.ietf.org/html/draft-hammer-oauth-07#section-3.6)

tests/test_oauth.py

@@ -30,6 +30,7 @@
 import time
 import urllib
 import urlparse
+from types import ListType
 
 
 # Fix for python2.5 compatibility
@@ -372,13 +373,16 @@ def test_get_normalized_parameters(self):
             'oauth_consumer_key': "0685bd9184jfhq22",
             'oauth_signature_method': "HMAC-SHA1",
             'oauth_token': "ad180jjd733klru7",
+            'multi': ['FOO','BAR'],
         }
 
         req = oauth.Request("GET", url, params)
 
         res = req.get_normalized_parameters()
+        
+        srtd = [(k, v if type(v) != ListType else sorted(v)) for k,v in sorted(params.items())]
 
-        self.assertEquals(urllib.urlencode(sorted(params.items())), res)
+        self.assertEquals(urllib.urlencode(srtd, True), res)
 
     def test_get_normalized_parameters_ignores_auth_signature(self):
         url = "http://sp.example.com/"