API Endpoint Security¶
asvin components expose their services using RESTful API endpoints. They are secured using Jason Web Token(JWT). It is required to obtain a JWT from OAuth server. Only thereafter the endpoints can accessed successfully. The Login API endpoint is used to get JWT from OAuth.
Device Signature¶
The device_signature
used in the The Login API is a hashed-based message authentication code (MAC). It consists of cryptographic hash
function (HMAC-SHA256) and secret key. In psuedocode, it can be illustrated as HMAC-SHA256(key, message)
. Here, message is timestamp+device_key
and key is customer_key
. So, the
device_signature
is calculated as
device_signature = HMAC-SHA256(customer_key, timestamp+device_key)
The customer_key and device_key are acquired from Customer Platform. One needs to make a account there. The code block below
shows the device_signature
generation.
#!/bin/bash
customer_key="my-customer-key"
device_key="my-device-key"
timestamp=$(date +%s)
device_signature=$(echo -n $timestamp$device_key | openssl dgst -sha256 -hmac $customer_key)
echo $device_signature
import hmac
import hashlib
from time import time
customer_key = "my-customer-key"
device_key = "my-device-key"
timestamp = str(math.floor(time()))
device_signature = hmac.new(customer_key, msg=timestamp+device_key, digestmod=hashlib.sha256).hexdigest().upper()
print device_signature
const CryptoJS = require("crypto-js");
const dateNow = new Date();
const customerKey = "my-customer-key";
const deviceKey = "my-device-key";
const timestamp = Math.floor(dateNow.getTime() / 1000);
const deviceSignature = CryptoJS.HmacSHA256(timestamp + deviceKey, customerKey).toString(CryptoJS.digest);
console.log(deviceSignature)