@rob_callicotte ,
If you haven't already done so, please be sure to pass the link to Canvas Data API Authentication to Chris Ellis.
Answers to most of the questions you ask and the request you make are already provided there. It is much more complete than the few snippets you provide here and you won't be able to pull out statements like "all you need are three things" without reading the rest that explains what to do with those three things.
To answer your questions:
1. What are the order of the values that go into the SIGNATURE?
The order of the values is provided in the section Existing Documentation > Signed Message. It's kind of lengthy with 8 parts, although many of them are empty, so I'll just refer you back to that part rather than listing them all again here.
2. Is the Authorization using the KEY plus the SIGNATURE (the combined elements) or only the SECRET or only the KEY and then the SECRET? a. If it is combined, are the two elements divided by a colon?
This is documented in the section Existing Documentation > Authentication Headers.
There is a single Authorization header. You are correct that there needs to be a colon between the key and the signature. Without knowing C#, what you have supplied sounds reasonable:
httpWebHeaderCollection.Add("Authorization", "HMACAuth " + strAUTH + ":" + strSIGNATURE);
There are only two required headers that you need to add, Authorization and Date. I don't know what is necessary for C#, but I didn't need to set Host or PreAuthenticate, but you do need to make sure that date is part of the same group as Authorization and I can't tell that it is from your source.
3. Chris Ellis asked, "Could you ask James to paste a header minus his API_Secret?"
I've already done you one better. In Existing Documentation > Authentication Headers > Example for Testing, there is an API_KEY, API_SECRET, URL, and TIMESTAMP provided that you can use for testing. Hard code those into your code until you get the correct signature (the part after the : that starts with sOIJs). In that section you'll also see the proper way to format the two headers, which is kind of also an answer to the second question.
Authorization: HMACAuth 27f65b589c0c21f4bd29fd2f0e1cdf552a578f98:sOIJs/UZ7AySaRFfhRSFqDKlN93Ei+VvpZsVcKDfiJw=
Date: Tue, 01 Dec 2015 09:24:50 GMT
Verify that you can use those values and get the correct signature
sOIJs/UZ7AySaRFfhRSFqDKlN93Ei+VvpZsVcKDfiJw=
Don't even mess with trying to make the HTTP Request until you have this part working as it's going to fail (that request will also fail because it was just example data). So, for testing purposes, hard code the information, use the example values I gave, make sure that part is working. Then, once you have the signature working, you can remove the hard-coded values and use your own and move on to the HTTP request part.
The only two headers you need for authentication to work are Authorization and Date. You may have to add some others for you client, but the server doesn't need them. What the server does is take the information in the request, computes it's own HMAC signature, compares it to the one you provided to make sure they match, and if so, authorizes the transfer.
The part after the signature is the easy part, getting that right signature is why the document I wrote was so long.
All of that said, depending on what you mean by "data", the API won't help you access the data. It provides the Schema, but the Canvas-Data-CLI tool takes care of the downloading of the data (and maybe more). That's all the API provides you -- the ability to know what to download and the CLI automates it for you. The API is stuff you do before you download the data and create the database, but it doesn't help you analyze it. In other words, you may be spending a lot of time to obtain something you already have.