Difference between revisions of "Updox HMAC Authentication"

From Updox API
Jump to: navigation, search
(Verification)
(Sample Request and Response)
Line 50: Line 50:
  
 
== Sample Request and Response ==
 
== Sample Request and Response ==
 +
 +
==== Headers ====
 +
updox-timestamp: 2013-11-20 17:36:00 (EST)
 +
 +
Authorization: fH2JyYwiERQbwXL4XF6ZvtLjRvQ=
  
 
==== Request ====
 
==== Request ====
Line 68: Line 73:
 
     "responseCode": 2000
 
     "responseCode": 2000
 
  }
 
  }
 
+
 
 
+
 
+
 
== Relevant Response Codes ==  
 
== Relevant Response Codes ==  
 
{{Relevant Response Codes Table Header}}
 
{{Relevant Response Codes Table Header}}
 
{{Response Code Table Row|4010}}
 
{{Response Code Table Row|4010}}

Revision as of 17:20, 27 November 2013

Contents

Description

For enhanced security, Updox provides an additional layer of authentication using a keyed-hash message authentication code (HMAC) with SHA1 as the cryptographic hash function. This document outlines how to use the Updox HMAC-SHA1 authentication.

Note: Updox HMAC-SHA1 enhances the Individual and Application Authorization schemes, it does not replace it. The auth header in the body of the post is still required for authorizing as a vendor, account, and user.



Outline

The Updox HMAC-SHA1 authentication layer requires two http header fields for every request:

1. updox-timestamp - the current time in the format "yyyy-MM-dd HH:mm:ss (z)".

2. Authorization - "HMAC:" + the Base64 encoded HMAC SHA1 hash of the message with the secret key.

The message is defined as: [vendorId]:[vendorPassword]:[updox-timestamp]

Verification

Updox will verify two things:

1. The timestamp header (updox-timestamp) is within the minutes defined for the vendor (e.g. 10 minutes).

2. The hash passed in matches the hash we compute (therefore, the message was signed with the secret key).

Code Samples

Language Source Code Examples
C#
Java


   public static void generateHmacHeaders(HttpURLConnection connection, String applicationId, String applicationPassword, String accountId, String userId) throws Exception{
       final SimpleDateFormat d = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss (z)");
       d.setTimeZone(TimeZone.getTimeZone("GMT"));
       final String timestampString = d.format(new Date());
       final String message = 
          (applicationId == null ? "" : applicationId) + ":" + 
          (applicationPassword == null ? "" : applicationPassword) + ":" + 
          (accountId == null ? "" : accountId) + ":" + 
          (userId == null ? "" : userId) + ":" + 
          timestampString;
       final String auth = "HMAC " + hmacSha1ToBase64(message, apiSecret); //note space after HMAC
       connection.setRequestProperty("updox-timestamp", timestampString);  
       connection.setRequestProperty("Authorization", auth);
   }
   
   public static String hmacSha1ToBase64(String value, String key) throws Exception{
       byte[] keyBytes = key.getBytes();
       SecretKeySpec signingKey = new SecretKeySpec(keyBytes, "HmacSHA1");
       Mac mac = Mac.getInstance("HmacSHA1");
       mac.init(signingKey);
       byte[] rawHmac = mac.doFinal(value.getBytes());
       byte[] base64Bytes = Base64.encodeBase64(rawHmac);
       return new String(base64Bytes, "UTF-8");
   }



Messages

Destination Address

 https://updoxqa.com/io/pingWithAuth



Sample Request and Response

Headers

updox-timestamp: 2013-11-20 17:36:00 (EST)

Authorization: fH2JyYwiERQbwXL4XF6ZvtLjRvQ=

Request

{
    "auth": {
        "applicationId": "updox",
        "applicationPassword": "password",
        "accountId": "100",
        "userId": "100"
    }
}

Response

{
    "successful": true,
    "responseMessage": "OK",
    "responseCode": 2000
}

Relevant Response Codes

In addition to the General Error Set, this method may return the following values in the responseCode and responseMessage fields:

responseCode responseMessage
4010 Unauthorized