For a deeper look into our World Check One API, look into:

Overview |  Quickstart |  Documentation |  Downloads

question

Upvotes
Accepted
1 1 1 1

Is HMAC signature value in API documentation correct

1631030059931.pngAuthentication documentation Dear Sir or Madam,

I'm preparing integration to pilot environment for World Check One API and am thus studying precisely your documentation.

My question treats the HMAC signature using SHA256 as hash function. When I presumably implement the identical sample plain text signature message from printscreen (using 0x0A aka LF as line ending also in formatted JSON output) and use secret "1234" as key a different HMAC result is being generated.

Therefore my question is:
Is the HMAC result value in Base64 encoding Iktz/AdXHmDouNm6uBB8ZW0xcfNGuWGDxmX9TFMwuF0= mentioned in the documentation definitely correct?

When I use e.g. the online HMAC generator https://www.devglan.com/online-tools/hmac-sha256-online I get the same result as when I implement the message with specified secret key in a small C#.NET sample code.
In my case the HMAC result (Base64 encoded) is: BNxFcG6hrSEtsbuIuVhJQ6OCRvLCd+8rEslRI6Jj6M0=

My idea was to write an automated test verifying a correct HMAC signature prior to directly start sending requests to the pilot API. But in this case, I must know the expected correct result of HMAC signature.

A similar question was posted in https://community.developers.refinitiv.com/questions/74536/invalid-example-hmac-string.html

I'm kindly expecting your assistance and thank you in advance for your efforts.

Kind regards

world-checkworld-check-one
1631030059931.png (41.8 KiB)
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

@Markus Vetsch

Hi,

Thank you for your participation in the forum.

Is the reply below satisfactory in answering your question?

If yes please click the 'Accept' text next to the reply. This will guide all community members who have a similar question.

Otherwise please post again offering further insight into your question.

Thanks,

AHS

Please be informed that a reply has been verified as correct in answering the question, and has been marked as such.

Thanks,
AHS

I disagree with the answer marked as accepted.

The HMAC value in your API documentation based on the sample presented is wrong, which has been confirmed by @Mehran Khan by e-mail.

Please see answer below:

Hello Markus,

Quick update, so our content team hasn’t changed the HMAC value in the documentation and it is incorrect so is the content length which should be 89.

Below is an excerpt from the test that I had conducted

1631786578638.png

1631786578638.png (266.6 KiB)
Upvotes
Accepted
1.3k 4 1 2

@Markus Vetsch

With the help of the reference code example we were able to resolve this issue by addressing the below points:

  • Set content type and content length in HTTP POST-Request (not only in signature data)
  • Set JSON payload flat without line breaks etc., i.e. not indented

Marking this question as accepted, as mentioned feel free to reach out if you need any further assistance.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
1.3k 4 1 2

@Markus Vetsch

The host mentioned in the security document is an old host the latest host utilized it "api-worldcheck.refinitiv.com", but the underlying mechanism of hmac generation is correct and hmac value also depends on the date parameter, so a request sent now and a request sent next second will have a different hmac value.

As you can see below script from Postman that is used in a simple "Get my top-level groups API", here we have declared the values of attributes like host,url, API key etc in the Postman environment, but if you see the dataToSign value date is one of the attributes contributing to it which inturn goes into hmac.


However, I will follow up with the concerned team to have the host updated to reflect to the latest host in the documentation.

function generateAuthHeader(dataToSign) {
var hash = CryptoJS.HmacSHA256(dataToSign, environment["api-secret"]); return hash.toString(CryptoJS.enc.Base64);}
var date = new Date().toGMTString();
var dataToSign = "(request-target): get " + environment["gateway-url"] + "groups\n" + "host: " + environment["gateway-host"] + "\n" + "date: " + date;
var hmac = generateAuthHeader(dataToSign);
var authorisation = "Signature keyId=\"" + environment["api-key"] + "\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date\",signature=\"" + hmac + "\"";
postman.setEnvironmentVariable("authorisation", authorisation);postman.setEnvironmentVariable("currentDate", date);
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Hi @Mehran Khan,

thank you very much for your immediate response.

I'm fully aware of the fact, the the timestamp in signature data (in fact each and every byte) is relevant for the hash generation. In order to receive an idential HMAC, I have to use the identical timestamp - generally said all identical contents - from your example.

This is in fact exactly what I did. The timestamp in my sample is Tue, 07 Jun 2016 20:51:35 GMT.

I don't want to exclude a mistake in my implementation (C#.NET on framework .NET 5). However, I receive with two different HMAC SHA256 generators twice the same HMAC using the identical signature data (host "api-worldcheck.refinitiv.com"), timestamp as mentioned, API key ("4321") and API secret ("1234") as mentioned in your sample.

Could you please check and let me know? If it facilitates your analysis, I could provide you with my HMAC implementation and the corresponding unit test.
If this turns out to be a mistake on my side, I have to fix it prior to send any request to the pilot environment.

Your support is very much appreciated.

Kind regards,

Markus

Upvotes
1.3k 4 1 2

@Markus Vetsch

May I propose a quick meeting on Monday to go through this? Tomorrow is a public holiday here so let us know your availability for Monday we will happy to jump on a quick call and discuss this in length with you.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

@Mehran Khan

Sure, I'm available on Monday Sept 13 from 10-12 (8-10 GMT) as well as from 15-18 (13-16 GMT).

@Markus Vetsch

Sure, I have sent out an invite for Monday 8:30 AM GMT.

Speak to you on the meeting.

Upvote
1.3k 4 1 2

@Markus Vetsch

I have unaccepted the answer, we will continue our debugging over the email and update the solution and accept it here once we reach there.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.