Auth/v2/auth giving a 40103 but auth/v2/preauth working fine

Hello,

I’m attempting to hit the auth/v2/auth route using parameters supplied from the preauth route.
Once I get device details I start a new call to /auth/v2/auth.

In all my calls to DUO I use my own Auth header generation logic, and this logic generates the correct Basic Auth header to make successful calls to /auth/v2/preauth, but for some reason when I’m attempting to hit the auth route it gives me this error:
{
“code”: 40103,
“message”: “Invalid signature in request credentials”,
“stat”: “FAIL”
}
The canonical string I’m generating for use in the HMAC looks like this for the auth route:

Tue, 15 Dec 2020 13:27:23 -0500
POST
■■■■■■■■■■■■■■■■■■■■■■■■■■■■
/auth/v2/auth
username=fake&factor=push&device=XXXXXXXXXXXXXXXXXXXX

And the endpoint I’m hitting ends up looking like this:
https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■/auth/v2/auth?username=fake&factor=push&device=XXXXXXXXXXXXXXXXXXXX

I’m still getting this error, and I’m failing to see why, despite getting a valid signature for preauth and following the documentation as necessary.

Any help would be great.

I’m a fool.
I found the answer to my own problem.
The preauth call only has 1 parameter.
Because the auth call requires multiple parameters, they must be alphabetically sorted when generating the canonical string. This solved the issue completely.