I’m writing a Web service that is going to use HMAC for authentication. Quick overview: an HMAC is a message digest calculated using the body of a message along with a secret key. The sender calculates the HMAC and attaches it to the request, then the receiver calculates the message digest on receipt using the secret key, which it has on file. If the digests are the same, then the receiver can be sure that the message was sent by the person who they claim to be.

My question is about the parameter order. Let’s say the Web service request has three parameters, foo, bar and baz. The body of the HTTP POST will look something like:

foo=1&bar=2&baz=3&hmac=de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9

(The HMAC in this case is a fake example.)

Normally HTTP parameter order is not significant, but when it comes to calculating the hash, it is. Should the server take the raw incoming request, drop the “hmac” parameter which is, of course, not part of the hash calculation, and hash that? Or should there be an agreed upon order of parameters which must be followed in order for the hash to be calculated correctly?

The former approach puts a bit more of a burden on the implementor on the server side, but it’s more robust. What I’m really asking about is the expectation of developers who are building things on the client side. Do they expect that things will just work regardless of what order the parameters?