API secret in hex format & Help needed to investigate API logs at your end

It’s a 401 unauthorized response, which most of your customers would have complained about. We have done some extensive testing at our end and compared the headers sent by our code and Postman (which returns a 200). There is nothing different other than the signature, which is expected to be different each time the data is signed. The dataTosign values match as well. So this narrows down to the use of API keys in our code.
Header generated by our code: (that returns a 401 unauthorized response)
[{"Date":"Thu, 16 Mar 2017 14:46:12 GMT","Authorization":"Signature keyId=\"a4364e62-e58b-4b64-9c71-faead5417557\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date content-type content-length\",signature=\"4+wzapqhR2CCERy1VJXzHDDl6jdQ939FnqI2NIwQZnM=\""}]
Header in postman: (that returns 200 success):
Date: Thu, 16 Mar 2017 15:10:18 GMT
Authorization: Signature keyId="a4364e62-e58b-4b64-9c71-faead5417557",algorithm="hmac-sha256",headers="(request-target) host date",signature="M2rmA5vek4TmVKEahYQNFWimNDKJdl/qU/elL/28qj8="
The credentials used are:
Key: a4364e62-e58b-4b64-9c71-faead5417557 (this is identical to postman environment variables, and hence will not doubt this value)
API secret: /NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA== (assuming this is clear text and is used as is in postman as a string)
At our end, the technical requirement is to use the secret in hex format preceded by 0x. API secret in Hex format (preceded by 0x): 0x2f4e6f56715748425276323374356165394f75516c4f44555835796f41634a634650385a326e4a6c64426b72735443647168527a477a7272547644394556714c67775472584334784b5a2f4b6866763673684d7741413d3d
Questions:
1. Can you confirm that the API secret we have (/NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA==) is in clear text format?
2. If no, can you provide the secret in clear text string?
3. If yes, can you please investigate at your end what is causing the 401 response?
Best Answer
-
hi @haresh.advani,
Just a quick look at your code and you've used the wrong line for the request-target. For GET the line does not include content, so please review the Postman collection Pre-request script and note *exactly* what is required for each GET/PUT/PUSH/DEL/HEAD request.
(request-target) host date content-type content-length"
CORRECT: (request-target) host date"
0
Answers
-
Hi @haresh.advani,
Without knowing your environment (we do not support 3rd party SDKs or IDEs) and seeing the full code for the request you're assembling, it's difficult to diagnose your issue. Please send me an email with more information, especially the request you are making, as the GET/PUT/POST/HEAD/DEL all have different formats and are exacting depending on the request.
Brian
0 -
We use an industry-standard security appliance, IBM DataPower, and this will be your client accessing your API services. The code that signs and base64-encodes the string is a custom GatewayScript which supports ECMAScript, based on JavaScript and JScript.
The GET request our code made returned a 401 unauthorised response from you, and the headers for the GET request are here:
Header in our code: (that returns a 401 unauthorized response)
[{"Date":"Thu, 16 Mar 2017 14:46:12 GMT","Authorization":"Signature keyId=\"a4364e62-e58b-4b64-9c71-faead5417557\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date content-type content-length\",signature=\"4+wzapqhR2CCERy1VJXzHDDl6jdQ939FnqI2NIwQZnM=\""}]
The technical requirement at our end is to use the API secret in hex format preceded by 0x.
Can you confirm that the API secret we have (/NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA==) is in clear text format?
If no, can you provide the secret in clear text or in hex format?
If yes, can you please investigate at your end what is causing the 401 response?
Our GW script code is attached for reference:
apim.setvariable('gateway-host','rms-world-check-one-api-pilot.thomsonreuters.com','add');
apim.setvariable('gateway-url','/v1/','add');
apim.setvariable('api-key','a4364e62-e58b-4b64-9c71-faead5417557','add');
var date = new Date().toGMTString();
// Signing string: one "name: value" line per signed header, joined by real newline characters ('\n').
apim.setvariable('datasign', '(request-target): get ' + apim.getvariable('gateway-url') + 'groups' + '\n' + 'host: ' + apim.getvariable('gateway-host') + '\n' + 'date: ' + date, 'add');
var crypto = require('crypto');
// Name of the key object configured on the appliance (assumed); the secret was loaded there as 0x-prefixed hex.
var myKey = 'Key_ThompsonReuters';
var hmac = crypto.createHmac('hmac-sha256', myKey);
var data2sign = apim.getvariable('datasign');
var result = hmac.update(data2sign).digest('base64');
// The headers list below advertises content-type and content-length, which are not part of the signing string above.
apim.setvariable('authorisation','Signature keyId="' + apim.getvariable('api-key') + '",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="' + result + '"', 'add');
apim.setvariable('message.headers.Date', date, 'add');
apim.setvariable('message.headers.Authorization', apim.getvariable('authorisation'), 'add');
0 -
Hi @brian.bourgault,
We have updated the information can you please look into the same and let us know if the information is sufficient for your investigation.
Thanks,
Haresh
0 -
Hi @haresh.advani,
Response from development:
We provide the API secrets in plaintext, but using a limited set of ASCII characters that can each be converted to single byte values, so a byte array representation of the ASCII codepoints in the secret text string is equivalent to the ASCII representation of the text. If the client needs to, they can convert the secret to an array of bytes and represent this byte sequence as a hex string, if their cryptography library requires this.
Also, I assume this key is the api secret key (you posted before)
/NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA==
var myKey = 'Key_ThompsonReuters';
0 -
Many Thanks Brian!!!
Perfect, that answers all my questions. I'm able to retrieve the groups successfully now. The changes that I had to make were:
1. Use the API secret as plain text
2. content-type and content-length removed.
0 -
Hi @haresh.advani,
Great, I assumed you were passing the plain text from earlier emails, the root cause of your issue was the target string without the content. Now be sure to check every request pre-request script for every request.
Brian
0 -
Cheers and Thanks Brian for the help!
0 -
Hi @haresh.advani,
I posted an example of "How-To" code the Authorization with API secret and Datasign.
Hope this helps,
Brian
0 -