For a deeper look into our World Check One API, look into:

Overview |  Quickstart |  Documentation |  Downloads

question

Upvotes
Accepted
1 1 1 2

API secret in hex format & Help needed to investigate API logs at your end

It’s a 401 unauthorized response, which most of your customers would have complained. We have done some extensive testing at our end and compared the headers sent by our code and postman (which returns a 200). There is nothing different other than the signature, which is expected to be different for each time the data is signed. The dataTosign values match as well. So this narrows down to the use of API keys in our code.

Header generated by our code: (that returns a 401 unauthorized response)

[{"Date":"Thu, 16 Mar 2017 14:46:12 GMT" Authorization":"Signature keyId=\"a4364e62-e58b-4b64-9c71-faead5417557\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date content-type content-length\",signature=\"4+wzapqhR2CCERy1VJXzHDDl6jdQ939FnqI2NIwQZnM=\""}]

Header in postman: (that returns 200 success):

Date: Thu, 16 Mar 2017 15:10:18 GMT

Authorization: Signature keyId="a4364e62-e58b-4b64-9c71-faead5417557",algorithm="hmac-sha256",headers="(request-target) host date",signature="M2rmA5vek4TmVKEahYQNFWimNDKJdl/qU/elL/28qj8="

The credentials used are:

Key: a4364e62-e58b-4b64-9c71-faead5417557 (this is identical to postman environment variables, and hence will not doubt this value)

API secret: /NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA== (assuming this is clear text and is used as is in postman as a string)

At our end, the technical requirement is to use the secret in hex format preceded by 0x. API secret in Hex format (preceded by 0x): 0x2f4e6f56715748425276323374356165394f75516c4f44555835796f41634a634650385a326e4a6c64426b72735443647168527a477a7272547644394556714c67775472584334784b5a2f4b6866763673684d7741413d3d

Questions: 1.Can you confirm that the API secret we have (/NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA==) is in clear text format?

2.If no, can you provide the secret in clear text string?

3.If yes, can you please investigate at your end what is causing the 401 response?

world-checkworld-check-oneapierror-401
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

10 Answers

Upvotes
Accepted
3.1k 16 7 7

hi @haresh.advani,

Just a quick look at your code and you've use the wrong line...for the request-target...for GET the line does not include content, so please review the Postman collection Pre-request script and note *exactly* what is required for each GET/PUT/PUSH/DEL/HEAD request

(request-target) host date content-type content-length"

CORRECT: (request-target) host date\",
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
3.1k 16 7 7

Hi @haresh.advani,

Without knowing your environment (we do not support 3rd party SDKs or IDEs) and seeing the full code for the request your assembling, it's difficult to diagnose your issue. Please send me an email with more information, especially the request your are making as the GET/PUT/POST/HEAD/DEL all have different formats and are exacting depending on the request.

Brian

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
1 1 1 2

We use an industry standard, security appliance IBM DataPower and this will be your client accessing your API services. The code that signs and base 64 encodes the string is a custom Gateway script which supports ECMAScript, based on Javascript and Jscript.

The Get request our code made returned a 401 unauthorised response from you and the headers for the GET request is here:

Header in our code: (that returns a 401 unauthorized response)

[{"Date":"Thu,
16 Mar 2017 14:46:12 GMT"Authorization":"Signature
keyId=\"a4364e62-e58b-4b64-9c71-faead5417557\",algorithm=\"hmac-sha256\",headers=\"(request-target)
host date content-type content-length\",signature=\"4+wzapqhR2CCERy1VJXzHDDl6jdQ939FnqI2NIwQZnM=\""}] 

The technical requirement at our end is to use the API secret in hex format preceded by 0x.

Can you confirm that the API secret we have (/NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA==) is in clear text format?

If no, can you provide the secret in clear text or in hex format?

If yes, can you please investigate at your end what is causing the 401 response?

Our GW script code is attached for reference:

apim.setvariable('gateway-host','rms-world-check-one-api-pilot.thomsonreuters.com','add');
apim.setvariable('gateway-url','/v1/','add');
apim.setvariable('api-key','a4364e62-e58b-4b64-9c71-faead5417557','add');
var date = new Date().toGMTString();
apim.setvariable('datasign', '(request-target): get ' + apim.getvariable('gateway-url') + 'groups' + '\\n' + 'host: '+apim.getvariable('gateway-host')  + '\\n' +'date: ' +date, 'add');
var crypto = require('crypto');
var myKey = 'Key_ThompsonReuters';
var hmac = crypto.createHmac('hmac-sha256', myKey);
var data2sign = apim.getvariable('datasign');
var result = hmac.update(data2sign).digest('base64');
apim.setvariable('authorisation','Signature keyId="' + apim.getvariable('api-key') + '",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="' + result + '"', 'add');
apim.setvariable('message.headers.Date', date, 'add');
apim.setvariable('message.headers.Authorization', apim.getvariable('authorisation'), 'add');
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
1 1 1 2

Hi @brian.bourgault,

We have updated the information can you please look into the same and let us know if the information is sufficient for your investigation.

Thanks,

Haresh

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
3.1k 16 7 7

Hi @haresh.advani,

Response from development:

We provide the API secrets in plaintext, but using a limited set of ASCII characters that can each be converted to single byte values, so a byte array representation of the ASCII codepoints in the secret text string is equivalent to the ASCII representation of the text.

If the client needs to, they can convert the secret to an array of bytes and represent this byte sequence as a hex string, if their cryptography library requires this.

Also, I assume this key is the api secret key (you posted before)

/NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA==

var myKey = 'Key_ThompsonReuters';

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
1 1 1 2

Many Thanks Brian!!!

Perfect, that answers all my questions. I'm able to retrieve the groups successfully now. The changes that I had to make were:

1. Use the API secret as plain text

2. content-type and content-length removed.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
3.1k 16 7 7

Hi @haresh.advani,

Great, I assumed you were passing the plain text from earlier emails, the root cause of your issue was the target string without the content. Now be sure to check every request pre-request script for every request.

Brian

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
1 1 1 2

Cheers and Thanks Brian for the help!

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
3.1k 16 7 7

Hi @haresh.advani,

I posted an example of "How-To" code the Authorization with API secret and Datasign.

Hope this helps,

Brian

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
3.1k 16 7 7

For other 401 unauthorized errors, consider watching:

World-Check One API – Overview and Quick Start

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Click below to post an Idea Post Idea