question

Upvotes
Accepted
83 2 8 7

How to generate signature by cURL alone without Postman

I'm trying to access WC1 API via cURL command.
When I use Postman, it responds 200 properly, and using that signature cURL properly responds.
However I'm stuck on generating signature by cURL alone.
Can I get a cURL command sample to generate signature (and timestamp) using my secret access key?

Here's what I tired (using signature generated by Postman) - it works only for 1 minute.

$ curl -X GET \
  https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/groups \
 -H 'Authorization: Signature keyId="f63fc14f-981f-4bba-95e0-eb65800e8126",algorithm="hmac-sha256",headers="(request-target) host date",signature="xtijpe/hMeEP<removed>=="' \
  -H 'Date: Sun, 04 Aug 2019 07:53:21 GMT' \
world-checkworld-check-one
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
Accepted
83 2 8 7

Thanks @Irfan.Khan
Now I made it in PHP which works fine.

$secret_file = '/var/www/api_secret.txt';


$api_key = "YOUR_API_KEY";
$secret = file_get_contents($secret_file);
$gateway_url = "/v1/";
$gateway_host = "rms-world-check-one-api-pilot.thomsonreuters.com";
$time_gmt = gmdate("D, d M Y h:i:s") . " GMT";


$dataToSign = "(request-target): get " . $gateway_url . "groups\n" . "host: " . $gateway_host . "\n" . "date: " . $time_gmt;


$hmac = base64_encode(hash_hmac('sha256', $dataToSign, $secret, true));


$authorisation = "Signature keyId=\"" . $api_key . "\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date\",signature=\"" . $hmac . "\"";



echo $authorisation;
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

@naoto.tatemichi Request you to post the curl command that you used to send the request so that it can help our other developer community members.

Upvotes
4.5k 4 8 8

@naoto.tatemichi,

Thank you for your query.

Can you please share the request headers along with the response headers of the failed API call to investigate on the cause of the Error 401.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Thanks @Prabhjyot.Mandla
All those headers are following "-H" in the command.
But now I found either PHP or bash would be easier.

Upvotes
4.2k 8 5 6

@naoto.tatemichi

It would be easier if you write a script file like PHP to generate date and HMAC signature and then use curl library in the script to send your HTTP request.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Hi @Irfan.Khan
Now I generated the signature by bash:

$ echo -n f63fc14f-981f-4bba-95e0-eb65800e8126 | openssl dgst -sha256 -hmac <secret_key>
(stdin)= 7d4338cfd54768<removed>

Also tried using the signature above to get 401 error. I think I may have failed to calculate signature by date and time.
May I know what's wrong?

$ curl -X GET https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/groups -H 'Accept: */*' -H 'Authorization: Signature keyId="f63fc14f-981f-4bba-95e0-eb65800e8126",algorithm="hmac-sha256",headers="(request-target) host date",signature="7d4338cfd54768<removed>"' -I

HTTP/1.1 401 Unauthorized X-Application-Context: application Authorization: WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length Transfer-Encoding: chunked Date: Mon, 05 Aug 2019 13:29:56 GMT Server: ""

@naoto.tatemichi

Can you compare the HMAC that you are generating from bash and the HMAC that you generate using the Postman. Obviously the date in Postman should be the same as you have used in Bash. You can edit the pre request script in Postman, specically the "date" variable to the date you have used in bash command.

Also, when you are generating HMAC using bash, you have to make sure you are blending the API secret with the dataTOSign variable. Are you doing this step?

Upvotes
4.2k 8 5 6

@naoto.tatemichi

I see you are using the below command-

<code>echo -n "value"| openssl dgst -sha1 -hmac "key"

Here "value" should be data to sign variable. This is available in the pre request script too.

In pre request of Postman, the dateToSign variable is written in JS.

var dataToSign = "(request-target): get " + environment["gateway-url"] + "groups\n" +
"host: " + environment["gateway-host"] + "\n" +
"date: " + date;

You have to write something that can produces exactly the same format.

Key should be your API secret.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

@naoto.tatemichi Following up to see if you were able to resolve the problem.

If yes, kindly share with us so that it helps the community.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.