why are signatures so hard to create

I've read every piece of documentation, but creating the oauth signature is still extremely hard to understand! I tried using the oauth ruby gem, but the support for refreshing the token isn't working for me (gives me invalid token), so I'm trying to do this manually.

This is what I have so far:

My parameters without the signature is below. Should be escaped properly and formatted properly:

"oauth_consumer_key=dj0yJmk9eXU4dk1DcGxwUkl6JmQ9WVdrOWRIbEpOV3RtTTJVbWNHbzlP
VFU1TkRJNU16WXkmcz1jb25zdW1lcnNlY3JldCZ4PTMx&oauth_nonce=1281648130fanvibe&oauth_session_handle=AGkRWUwMquFafMFkHCOX3Aa89ofMZAPTHkUxFuIEbdI3NrYwggC8q4M-&oauth_signature=IWlqTJzaGTataOi9trPJpmEuy5w%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1281648130.29765&oauth_token=A%3D0wL9whXPsgFkPrVxLe9tMGXDENk1Mvz92ciIBzQ84L4wUT8MZukfUpmizUE0UvL0hEwHgZCAG0xJ4E
gA0ISVnQ3HDRhlFRceKqhhLKYkrLhWueh_KwJoEir6dqCJKBziCrTOcagjyV_vvU1o7vml7O4RxgnBcOg
eJjRB9D0Iq_fmoIN1.Ey8loc7Bek6Vr_OkS._gjxK4Ouo3lUJDsL9mpqTwmAWGP36Yrz0YJt13Bx7OORl
Uvbahqp7uhLZ1wXxWmrCzKwKcyIDJuMYviW7ECZer2sTgrmoj_o9AuHDcNIJT2wUTQzNpEQDn3NQtB9bD
UJYeW2AfBqEJYDAL.7iozgligXldAUi4EVMv_867hxsiV973VAIgIem5ntTSTztfMFRUuFu1buLmE_Aa6
HxVb6HrC9L_bYPqc2wGEo0YfKGoG8jhJZJWT0TsdRR7VOW4Xjh6yckKv3KgEsGfFRVw.lSJ_N.b7H6Z3j
e3pT.IbUdGNUMYWJo4B7Rcl2wbOzbptt4ahyKrItMsill9LYVvhMPTSkyK3qVrTSIVuNs_yCYRTmgMaza
EN02hsKYNG5SH1rIK0XD7W8bQJIrJ92bHM5e.llJA9nAvOuDyU7zwAEjQM0dLbSyoZcJ8YBfF63ZdilLT
WUZl8SvPM5p9tHvUP_VpGNZp7iXuTfkBZkqt2P0es79TR.bwCmB9A33iRx13vm32w3L8XiHGULGbVcUge
z5uSPQra8Vv8haSjM4gCdjQflJsjlBHxgBoq7DIZN_L2AT.CtvtUokRxJzDccFP58x_ao-&oauth_version=1.0"

I created my base stream with the following by basically appending "GET" and the url for the api call

"GET&https%3A%2F%2Fapi.login.yahoo.com%2Foauth%2Fv2%2Fget_token&oauth_consumer_key%3Ddj0yJmk9eXU4dk1DcGxwUkl6JmQ9WVdrOWRIbEpOV3RtTTJVbWNHbzlPVFU1TkRJNU16WXkmcz1jb2
5zdW1lcnNlY3JldCZ4PTMx%26oauth_nonce%3D1281648130fanvibe%26oauth_session_handle%3DAGkRWUwMquFafMFkHCOX3Aa89ofMZAPTHkUxFuIEbdI3NrYwggC8q4M-%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1281648130.29765%26oauth_token%3DA%3D0wL9whXPsgFkPrVxLe9tMGXDENk1Mvz92ciIBzQ84L4wUT8MZukfUpmizUE0UvL0hEwHgZCAG0xJ4E
gA0ISVnQ3HDRhlFRceKqhhLKYkrLhWueh_KwJoEir6dqCJKBziCrTOcagjyV_vvU1o7vml7O4RxgnBcOg
eJjRB9D0Iq_fmoIN1.Ey8loc7Bek6Vr_OkS._gjxK4Ouo3lUJDsL9mpqTwmAWGP36Yrz0YJt13Bx7OORl
Uvbahqp7uhLZ1wXxWmrCzKwKcyIDJuMYviW7ECZer2sTgrmoj_o9AuHDcNIJT2wUTQzNpEQDn3NQtB9bD
UJYeW2AfBqEJYDAL.7iozgligXldAUi4EVMv_867hxsiV973VAIgIem5ntTSTztfMFRUuFu1buLmE_Aa6
HxVb6HrC9L_bYPqc2wGEo0YfKGoG8jhJZJWT0TsdRR7VOW4Xjh6yckKv3KgEsGfFRVw.lSJ_N.b7H6Z3j
e3pT.IbUdGNUMYWJo4B7Rcl2wbOzbptt4ahyKrItMsill9LYVvhMPTSkyK3qVrTSIVuNs_yCYRTmgMaza
EN02hsKYNG5SH1rIK0XD7W8bQJIrJ92bHM5e.llJA9nAvOuDyU7zwAEjQM0dLbSyoZcJ8YBfF63ZdilLT
WUZl8SvPM5p9tHvUP_VpGNZp7iXuTfkBZkqt2P0es79TR.bwCmB9A33iRx13vm32w3L8XiHGULGbVcUge
z5uSPQra8Vv8haSjM4gCdjQflJsjlBHxgBoq7DIZN_L2AT.CtvtUokRxJzDccFP58x_ao-%26oauth_version%3D1.0"

Below is how I create the secret for the signing. Basically I take my api secret that I got when I registered the app, and escape it, and then take the token secret for the user and put them together with the "&" symbol

secret = "#{CGI.escape(YAHOO_API_SECRET)}&#{CGI.escape(USER_YAHOO_SECRET)}"

Using HMAC::SHA1 I do the base64 encode with this new secret I got above, and the base string I created above that, I get the signature.

oauth_signature = Base64.encode64(HMAC::SHA1.digest(secret,base_string)).chomp.gsub(/\n/,'')

I then sort each parameter and escape each parameter, joining them together (including the new signature) to end up with this:

"https://api.login.yahoo.com/oauth/v2/get_token?oauth_consumer_key=dj0yJmk9eXU4dk1DcGxwUkl6JmQ9WVdrOWRIbEpOV3RtTTJVbWNHbzlPVFU1T
kRJNU16WXkmcz1jb25zdW1lcnNlY3JldCZ4PTMx&oauth_nonce=1281648130fanvibe&oauth_session_handle=AGkRWUwMquFafMFkHCOX3Aa89ofMZAPTHkUxFuIEbdI3NrYwggC8q4M-&oauth_signature=IWlqTJzaGTataOi9trPJpmEuy5w%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1281648130.29765&oauth_token=A%3D0wL9whXPsgFkPrVxLe9tMGXDENk1Mvz92ciIBzQ84L4wUT8MZukfUpmizUE0UvL0hEwHgZCAG0xJ4E
gA0ISVnQ3HDRhlFRceKqhhLKYkrLhWueh_KwJoEir6dqCJKBziCrTOcagjyV_vvU1o7vml7O4RxgnBcOg
eJjRB9D0Iq_fmoIN1.Ey8loc7Bek6Vr_OkS._gjxK4Ouo3lUJDsL9mpqTwmAWGP36Yrz0YJt13Bx7OORl
Uvbahqp7uhLZ1wXxWmrCzKwKcyIDJuMYviW7ECZer2sTgrmoj_o9AuHDcNIJT2wUTQzNpEQDn3NQtB9bD
UJYeW2AfBqEJYDAL.7iozgligXldAUi4EVMv_867hxsiV973VAIgIem5ntTSTztfMFRUuFu1buLmE_Aa6
HxVb6HrC9L_bYPqc2wGEo0YfKGoG8jhJZJWT0TsdRR7VOW4Xjh6yckKv3KgEsGfFRVw.lSJ_N.b7H6Z3j
e3pT.IbUdGNUMYWJo4B7Rcl2wbOzbptt4ahyKrItMsill9LYVvhMPTSkyK3qVrTSIVuNs_yCYRTmgMaza
EN02hsKYNG5SH1rIK0XD7W8bQJIrJ92bHM5e.llJA9nAvOuDyU7zwAEjQM0dLbSyoZcJ8YBfF63ZdilLT
WUZl8SvPM5p9tHvUP_VpGNZp7iXuTfkBZkqt2P0es79TR.bwCmB9A33iRx13vm32w3L8XiHGULGbVcUge
z5uSPQra8Vv8haSjM4gCdjQflJsjlBHxgBoq7DIZN_L2AT.CtvtUokRxJzDccFP58x_ao-&oauth_version=1.0"

The response is as such:

--- !ruby/object:RestClient::Response
args:
:url: https://api.login.yahoo.com/oauth/v2/get_to...uth_version=1.0
:headers: {}

:method: :get
body: oauth_problem=signature_invalid
net_http_res: !ruby/object:Net::HTTPUnauthorized
body: oauth_problem=signature_invalid
body_exist: true
code: "401"
header:
p3p:
- policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
content-type:
- application/x-www-form-urlencoded
connection:
- close
www-authenticate:
- OAuth oauth_problem=signature_invalid
date:
- Thu, 12 Aug 2010 21:27:00 GMT
transfer-encoding:
- chunked
http_version: "1.1"
message: Forbidden
read: true
socket:

Do you guys see any obvious mistakes? Thanks a ton!