App Authentication Principles
Process
- Construct a standard request.
Assemble the request content according to the rules of APIC, ensuring that the client signature is consistent with that in the backend request.
- Create a to-be-signed string using the standard request and other related information.
- Calculate a signature using the AK/SK and to-be-signed string.
- Add the generated signature to an HTTP request as a header or query parameter.
- After receiving the request, APIC performs 1 to 3 to calculate a signature.
- The new signature is compared with the signature generated in 3. If they are consistent, the request is processed; otherwise, the request is rejected.
The body of a signing request in app authentication mode cannot exceed 12 MB.
Step 1: Construct a Standard Request
To access an API through app authentication, standardize the request content, and then sign the request. The client must follow the same request specifications as APIC so that each HTTP request can obtain the same signing result from the frontend and backend to complete identity authentication.
The pseudocode of standard HTTP requests is as follows:
CanonicalRequest = HTTPRequestMethod + '\n' + CanonicalURI + '\n' + CanonicalQueryString + '\n' + CanonicalHeaders + '\n' + SignedHeaders + '\n' + HexEncode(Hash(RequestPayload))
The following example shows how to construct a standard request.
Original request:
GET https://30030113-3657-4fb6-a7ef-90764239b038.apigw.exampleRegion.com/app1?b=2&a=1 HTTP/1.1 Host: 30030113-3657-4fb6-a7ef-90764239b038.apigw.exampleRegion.com X-Sdk-Date: 20180330T123600Z
- Specify an HTTP request method (HTTPRequestMethod) and end with a carriage return line feed (CRLF).
Specify GET, PUT, POST, or another request method. Example of a request method:
GET
- Add a standard URI (CanonicalURI) and end with a CRLF.
Description
Path of the requested resource, which is the URI code of the absolute path.
Format
According to RFC 3986, each part of a standard URI except the redundant and relative paths must be URI-encoded. If a URI does not end with a slash (/), add a slash at its end.
Example
For the URI /app1, the standard URI code is as follows:
GET /app1/
During signature calculation, the URI must end with a slash (/). When a request is sent, the URI does not need to end with a slash (/).
- Add a standard query string (CanonicalQueryString) and end with a CRLF.
Description
Query parameters. If no query parameters are configured, the query string is an empty string.
Format
Standard query strings must meet the following requirements:
- Perform URI encoding on each parameter and value according to the following rules:
- Do not perform URI encoding on any non-reserved characters defined in RFC 3986, including A–Z, a–z, 0–9, hyphen (-), underscore (_), period (.), and tilde (~).
- Use %XY to perform percent encoding on all non-reserved characters. X and Y indicate hexadecimal characters (0–9 and A–F). For example, the space character must be encoded as %20, and an extended UTF-8 character must be encoded in the "%XY%ZA%BC" format.
- Add "URI-encoded parameter name=URI-encoded parameter value" to each parameter. If no value is specified, use a null string instead. The equal sign (=) is required.
For example, in the following string that contains two parameters, the value of parameter parm2 is null.
parm1=value1&parm2=
- Sort the parameters in alphabetically ascending order. For example, a parameter starting with uppercase letter F precedes another parameter starting with lowercase letter b.
- Construct standard query strings from the first parameter after sorting.
Example
The following example contains two optional parameters a and b.
GET /app1/ a=1&b=2
- Perform URI encoding on each parameter and value according to the following rules:
- Add standard headers (CanonicalHeaders) and end with a CRLF.
Description
List of standard request headers, including all HTTP message headers in the to-be-signed request. The X-Sdk-Date header must be included to verify the signing time, which is in the UTC time format YYYYMMDDTHHMMSSZ as specified in ISO 8601. When publishing an API in a non-RELEASE environment, you need to specify an environment name.
The client must synchronize the local time with the clock server to avoid a large offset in the value of X-Sdk-Date in the request header.
In addition to verifying the time format of X-Sdk-Date, ROMA Connect also verifies the time difference between the time specified by X-Sdk-Date and the actual time when the request is received. If the time difference exceeds 15 minutes, ROMA Connect rejects the request.
Format
CanonicalHeaders consists of multiple message headers, for example, CanonicalHeadersEntry0 + CanonicalHeadersEntry1 + .... Each message header (CanonicalHeadersEntry) is in the format of Lowercase(HeaderName) + ':' + Trimall(HeaderValue) + '\n'.
- Lowercase: a function for converting all letters into lowercase letters.
- Trimall: a function for deleting the spaces before and after a value.
- The last message header carries a newline character. Therefore, an empty line appears because the CanonicalHeaders field also contains a newline character according to the specifications.
Example
GET /app1/ a=1&b=2 host:30030113-3657-4fb6-a7ef-90764239b038.apigw.exampleRegion.com x-sdk-date:20180330T123600Z
Standard message headers must meet the following requirements:- All letters in a header are converted to lowercase letters, and all spaces before and after the header are deleted.
- All headers are sorted in alphabetically ascending order.
For example, the original headers are as follows:
Host:30030113-3657-4fb6-a7ef-90764239b038.apigw.exampleRegion.com\n Content-Type: application/json;charset=utf8\n My-header1: a b c \n X-Sdk-Date:20180330T123600Z\n My-Header2: "a b c" \n
A standard header is as follows:
content-type:application/json;charset=utf8\n host:30030113-3657-4fb6-a7ef-90764239b038.apigw.exampleRegion.com\n my-header1:a b c\n my-header2:"a b c"\n x-sdk-date:20180330T123600Z\n
- Add message headers (SignedHeaders) for request signing, and the headers end with a newline character.
Description
List of message headers used for request signing. This step is to determine which headers are used for signing the request and which headers can be ignored during request verification. The X-Sdk-date header must be included.
Format
SignedHeaders = Lowercase(HeaderName0) + ';' + Lowercase(HeaderName1) + ";" + ...
Letters in the message headers are converted to lowercase letters. All headers are sorted alphabetically and separated with commas.
Lowercase is a function for converting all letters into lowercase letters.
Example
In the following example, two message headers host and x-sdk-date are used for signing the request.
GET /app1/ a=1&b=2 host:30030113-3657-4fb6-a7ef-90764239b038.apigw.exampleRegion.com x-sdk-date:20180330T123600Z host;x-sdk-date
- Use a hash function, such as SHA-256, to create a hash value based on the body (RequestPayload) of the HTTP or HTTPS request.
Description
Request message body. The message body needs two layers of conversion: HexEncode(Hash(RequestPayload)). Hash is a function for generating message digest. Currently, SHA-256 is supported. HexEncode: the Base16 encoding function for returning a digest consisting of lowercase letters. For example, HexEncode("m") returns 6d instead of 6D. Each byte you enter is expressed as two hexadecimal characters.
If RequestPayload is null, the null value is used for calculating a hash value.
Example
For a request with the GET method and an empty body, the body (empty string) after hash processing is as follows:
GET /app1/ a=1&b=2 host:30030113-3657-4fb6-a7ef-90764239b038.apigw.exampleRegion.com x-sdk-date:20180330T123600Z host;x-sdk-date e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- Perform hash processing on the standard request in the same way as that on the RequestPayload. After hash processing, the standard request is expressed with lowercase hexadecimal strings.
Algorithm pseudocode: Lowercase(HexEncode(Hash.SHA256(CanonicalRequest)))
Example of the standard request after hash processing:
aa521bbe74d13cd8cf536c1a03a5dd85d1934179d33d47110b528eae8b7251e1
Step 2: Create a To-Be-Signed String
After a standard HTTP request is constructed and the request hash value is obtained, create a to-be-signed string by combining them with the signature algorithm and signing time.
StringToSign = Algorithm + \n + RequestDateTime + \n + HashedCanonicalRequest
Parameters in the pseudocode are described as follows:
- Algorithm
Signature algorithm. For SHA256, the value is SDK-HMAC-SHA256.
- RequestDateTime
Request timestamp, which is the same as X-Sdk-Date in the request header. The format is YYYYMMDDTHHMMSSZ.
- HashedCanonicalRequest
Standard request generated after hash processing.
In this example, the following to-be-signed string is obtained:
SDK-HMAC-SHA256 20180330T123600Z aa521bbe74d13cd8cf536c1a03a5dd85d1934179d33d47110b528eae8b7251e1
Step 3: Calculate the Signature
Use the AppSecret and created character string as the input of the encryption hash function, and convert the calculated binary signature into a hexadecimal expression.
The pseudocode is as follows:
signature = HexEncode(HMAC(APP secret, string to sign))
HMAC indicates hash calculation, and HexEncode indicates hexadecimal conversion. Table 1 describes the parameters in the pseudocode.
Name |
Description |
---|---|
APP secret |
Signature key. |
string to sign |
Character string to be signed. |
Assuming that the AppSecret is 12345678-1234-1234-1234-123456781234, a signature similar to the following will be calculated:
121c2501e8951ff7d5574423939b9acaa283e55a27c0107d767bb0d68b5ffcab
Step 4: Add the Signature to the Request Header
Add the signature to the HTTP Authorization header. The Authorization header is used for identity authentication and not included in the signed headers.
The pseudocode is as follows:
Pseudocode for Authorization header creation: Authorization: algorithm Access=APP key, SignedHeaders=SignedHeaders, Signature=signature
There is no comma before the algorithm and Access. SignedHeaders and Signature must be separated with commas.
The signed headers are as follows:
Authorization: SDK-HMAC-SHA256 Access=071fe245-9cf6-4d75-822d-c29945a1e06a, SignedHeaders=host;x-sdk-date, Signature=121c2501e8951ff7d5574423939b9acaa283e55a27c0107d767bb0d68b5ffcab
The signed headers are added to the HTTP request for identity authentication. If the identity authentication is successful, the request is sent to the corresponding backend service for processing.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot