This doc is a draft of the 2-legged OAuth 1.0 process...
http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
Here is a signature generator that you can use to verify your generated strings and sigs...
http://oauth.googlecode.com/svn/code/javascript/example/signature.html
Yahoo doesn't need the oauth_token parm at all so you can leave it out.
Otherwise, it's pretty much exact as RFC-5849 says it should be.
This URL is ready to send, except for the OAuth parms. You'd pass the URL to the OAuth code (either complete or broken down into its parts...depending on the library)...
http://query.yahooapis.com/v1/yql?q=select%20*%20from%20geo.placefinder%20where%20text%3D%2210%20prospect%20brooklyn%20ny%22%20and%20flags%3D%22GT%22%20and%20gflags%3D%22AC%22
Here's the URL as it gets sent to Yahoo with the OAuth parms (with my consumer key replaced with "abcde...")...
http://query.yahooapis.com/v1/yql?oauth_consumer_key=abcdefghijklmnopqrstuvwxyz&oauth_nonce=IQSUNZgszU&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1359720910&oauth_version=1.0&q=select%20%2A%20from%20geo.placefinder%20where%20text%3D%2210%20prospect%20brooklyn%20ny%22%20and%20flags%3D%22GT%22%20and%20gflags%3D%22AC%22&oauth_signature=cFBy8APwVdzt3nMVpuXypnMP1Zw%3D
You should get back the requested resource.
I found the signature generator to be very useful. That will show you your mistakes in producing the base string and signature.
