Getting a 401 when "Post"ing a case to the API

john.crocker

First things I want to say our mechanism works for "GET" calls, where we are not submitting data, however on making a POST call using the same hashing routine we have developed, and using the following signature data

(request-target): post /v1/cases 

host: rms-world-check-one-api-pilot.thomsonreuters.com 

date: Wed, 28 Sep 2016 14:26:28 GMT 

content-type: application/json 

content-length: 191

We are not able to authenticate successfully. All we have done is adapted the routine to add the current content type and content length of the request to the hash computation, so the existing working computation should work fine. We have verified that the content type header matches what is submitted (it does) and the content-length header matches what is in the signature and also matches the size of the request body (191 bytes) the API call is posting the correct JSON.

Here are the HTTP headers in question

Request: 

POST /cases 

cache-control: no-cache 

content-type: application/json 

content-length: 191 

authorization: Signature keyId="{key}",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="{signature}" 

date: Wed, 28 Sep 2016 14:26:28 GMT 

Accept: application/json

Any ideas?

john.crocker

Whoops my bad

Forgot to ensure the actual posted content was included as part of the signature. All works now!

john.crocker

n addition, we have also verified the hash mechanism generates exactly the same value as Thomson Reuters expect to see on a "GET" call with them supplying a test hash for our unit tests.

brian.bourgault

Hi @john.crocker,

Thanks for posting this, even though you solved your own issue, it will help others to understand the WC-1 API programming.

Thanks again,

Brian