API Endpoint Security
asvin components expose their services through RESTful API endpoints, which are secured using JSON Web Tokens (JWT). A JWT must first be obtained from the OAuth server; only then can the endpoints be accessed successfully. The Login API endpoint is used to get the JWT from OAuth.
Access Signature
The access_signature used in the Login API is a hash-based message authentication code (HMAC). It is built from a cryptographic hash function (HMAC-SHA256) and a secret key. In pseudocode, it can be illustrated as HMAC-SHA256(key, message). Here, message is timestamp+access_key and key is customer_key. So, the access_signature is calculated as
access_signature = HMAC-SHA256(customer_key, timestamp+access_key)
The customer_key and access_key are acquired from the RBC Platform. One needs to make an account there. The code blocks below show the access_signature generation.
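
Bash:
#!/bin/bash
customer_key="my-customer-key"
access_key="my-access-key"
timestamp=$(date +%s)
# HMAC-SHA256 over timestamp+access_key, keyed with customer_key.
# awk keeps only the hex digest and drops the "(stdin)= " prefix that openssl prints.
access_signature=$(printf '%s' "$timestamp$access_key" | openssl dgst -sha256 -hmac "$customer_key" | awk '{print $NF}')
echo "$access_signature"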

Python:
import hashlib
import hmac
import math
from time import time

customer_key = "my-customer-key"
access_key = "my-access-key"
timestamp = str(math.floor(time()))
# hmac.new() requires bytes for both the key and the message in Python 3
access_signature = hmac.new(customer_key.encode(), msg=(timestamp + access_key).encode(), digestmod=hashlib.sha256).hexdigest().upper()
print(access_signature)

JavaScript:
const CryptoJS = require("crypto-js");

const dateNow = new Date();
const customerKey = "my-customer-key";
const accessKey = "my-access-key";
// Unix time in seconds, matching the other samples
const timestamp = Math.floor(dateNow.getTime() / 1000);
// HmacSHA256(message, key); the result is encoded as a hex string
const accessSignature = CryptoJS.HmacSHA256(timestamp + accessKey, customerKey).toString(CryptoJS.enc.Hex);
console.log(accessSignature);
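
The following is an added example, not asvin's own code: the signature calculation above as a reusable Python function, together with a hypothetical receiver-side check of the kind a service accepting such signatures could apply. The function names, the 300-second freshness window and the case normalization are assumptions; the page does not describe how the OAuth server validates access_signature.

```python
import hashlib
import hmac
import time

# Assumption: how far a timestamp may deviate from the verifier's clock.
MAX_SKEW_SECONDS = 300


def sign(customer_key: str, access_key: str, timestamp: int) -> str:
    """access_signature = HMAC-SHA256(customer_key, timestamp+access_key), lowercase hex."""
    message = f"{timestamp}{access_key}".encode()
    return hmac.new(customer_key.encode(), message, hashlib.sha256).hexdigest()


def verify(customer_key, access_key, timestamp, signature, now=None) -> bool:
    """Hypothetical receiver-side check: fresh timestamp and matching MAC."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False  # malformed timestamp
    # A bounded window limits how long a captured signature stays usable.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(customer_key, access_key, ts).encode()
    # The Python sample above emits uppercase hex, the bash and JavaScript
    # samples lowercase, so normalize case before comparing.
    presented = signature.strip().lower().encode()
    # compare_digest runs in constant time, so the comparison does not
    # reveal how many leading characters of a guess were correct.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample values, reusing the placeholders from the page.
    key, access = "my-customer-key", "my-access-key"
    ts = int(time.time())
    sig = sign(key, access, ts)
    print(ts, sig)
    print("fresh, lowercase:", verify(key, access, ts, sig))
    print("fresh, uppercase:", verify(key, access, ts, sig.upper()))
    print("stale:", verify(key, access, ts, sig, now=ts + 3600))
```

Because the timestamp is part of the signed message, it has to be sent alongside the signature unchanged; signing one value and submitting another fails the check.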