Hello
We have successfully implemented and tested WorldCheckOne integration in our development stage. HMAC-Authorization worked perfectly fine. We are now testing on the acceptance stage at our customer, where all requests are routed through an Enterprise Service Gateway. This means that our request goes to "gateway.internal" instead of to "api.risk.lseg.com". The ESG later forwards the request to "api.risk.lseg.com".
Since the (request-target) and "host" are part of the HMAC, we implemented a workaround, where we create the HMAC based on the future values that the ESG will set when forwarding and rewriting the request. At least according to our unit tests, this works. Unfortunately, the customer's ESG does (in our eyes) not behave properly and does not update the Host header, i.e. the Host header in the outbound request still contains "gateway.internal" instead of "api.risk.lseg.com". (We are in discussion with our customer whether they can fix/configure the ESG to properly update the Host header.)
My question now is: Does the WorldCheckOne-API require that the Host header be "api.risk.lseg.com", or does it blindly use the Host header value from the request to compute the HMAC for verification? If so, we could simply keep using "gateway.internal" and also use that for the HMAC on our side.
This would mean that the text-to-sign would look like this:
(request-target): post /screening/V3/cases
host: gateway.internal
date: Tue, 07 Jun 2016 20:51:35 GMT
content-type: application/json
content-length: 88
{
"caseId": "my customer ID",
"name": "John Doe",
"providerTypes": ["WATCHLIST"]
}
instead of the "correct":
(request-target): post /screening/V3/cases
host: api.risk.lseg.com
date: Tue, 07 Jun 2016 20:51:35 GMT
content-type: application/json
content-length: 88
{
"caseId": "my customer ID",
"name": "John Doe",
"providerTypes": ["WATCHLIST"]
}
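
The two text-to-sign variants above can be checked against each gateway behaviour offline. This is an added example, not part of the original post and not LSEG's code; HMAC-SHA256 with base64 output, the secret, and the gateway and verifier models are assumptions made for illustration, and the sketch does not show which of the two verifier behaviours the real API has.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"   # constructed, not a real API secret
GATEWAY, UPSTREAM = "gateway.internal", "api.risk.lseg.com"

def text_to_sign(method, path, headers, body):
    """Lay out the text-to-sign as in the post: five header lines, then the body."""
    lines = [f"(request-target): {method.lower()} {path}"]
    lines += [f"{name}: {headers[name]}" for name in
              ("host", "date", "content-type", "content-length")]
    return ("\n".join(lines) + "\n").encode() + body

def sign(secret, method, path, headers, body):
    mac = hmac.new(secret, text_to_sign(method, path, headers, body), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def build_request(signed_host, body):
    """Client side: the request is sent to the gateway but signed for signed_host."""
    headers = {"host": signed_host, "date": "Tue, 07 Jun 2016 20:51:35 GMT",
               "content-type": "application/json", "content-length": str(len(body))}
    sig = sign(SECRET, "POST", "/screening/V3/cases", headers, body)
    return {"method": "POST", "path": "/screening/V3/cases",
            "headers": dict(headers, host=GATEWAY), "body": body, "signature": sig}

def gateway_forward(req, rewrite_host):
    """Hypothetical model of the ESG hop: optionally rewrite Host to the upstream name."""
    out = dict(req, headers=dict(req["headers"]))
    if rewrite_host:
        out["headers"]["host"] = UPSTREAM
    return out

def verify(req, pinned_host=None):
    """Hypothetical verifier: recompute over the received Host, or over a pinned host."""
    headers = dict(req["headers"])
    if pinned_host:
        headers["host"] = pinned_host
    expected = sign(SECRET, req["method"], req["path"], headers, req["body"])
    return hmac.compare_digest(expected, req["signature"])

BODY = json.dumps({"caseId": "my customer ID", "name": "John Doe",
                   "providerTypes": ["WATCHLIST"]}).encode()  # constructed sample body

def outcomes():
    """Return {(signed_host, gateway_rewrites, verifier_pins_host): accepted}."""
    return {(h, rw, pin): verify(gateway_forward(build_request(h, BODY), rw),
                                 UPSTREAM if pin else None)
            for h in (GATEWAY, UPSTREAM) for rw in (True, False) for pin in (True, False)}

if __name__ == "__main__":
    for case, ok in outcomes().items():
        print(case, "accepted" if ok else "rejected")
```

In this model, signing with "gateway.internal" only verifies when the gateway leaves Host untouched and the verifier uses the received value, so that variant would stop working once the ESG is configured to rewrite the header.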