OAuth, SAML, Query APIs, oh my - Finding the right Cloud integration standard


I've written an article for SD Times about the proliferation of standards for Cloud security. In the article I mention the Amazon Query API method of authentication, which, although not an actual standard, has become something of an "industry standard" for authentication to Cloud-based APIs. It is widely used, not least for Amazon's own APIs of course.

The article didn't allow space for message examples, but here in this blog I can show an example of the Amazon Query API. This request is generated by a Vordel Gateway, acting as a client in this case. You can see that the request contains an "Authorization" header which is an HMAC signature computed over data including the URL, the timestamp, and the nonce ("number once" - a value which changes with each request, to combat capture-replay attacks). The signature is created using a shared secret key. An advantage of the Query API is that it is *much* smaller than using XML Signature, for example. It is also RESTful, because the request is a regular HTTP POST with the parameters passed as HTTP parameters. In effect it mimics an HTML form POST. Here is the example:

GET /ProcessAPIRequest HTTP/1.1
Connection: keep-alive
Transfer-Encoding: chunked
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
timestamp: 110708054739159GMT
Nonce: Id-0000013108497d0e-0000000001bed3d1-57
encryption_type: HmacSHA1
client_ref_id: client
Authorization: MGJ4aVdxeTIwWXltNTNSSUIvQW9vT2xOOE1BPQ==
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Via: 1.1 Dell-PC (Gateway)
Host: 127.0.0.1:7071
Content-Type: application/x-www-form-urlencoded

firstname=fname&lastname=lname&id=xyz
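
How a receiver would check such a request, as an added example that is not code from the original post, Vordel or Amazon. The canonical string (method, path, timestamp, nonce, body), the timestamp layout, the five-minute window and the secret are assumptions; the header names and sample values come from the request above.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%y%m%d%H%M%S%fGMT"   # assumed layout of the "timestamp" header
MAX_SKEW = timedelta(minutes=5)   # assumed freshness window

def sign(secret, method, path, timestamp, nonce, body):
    # Assumed canonical string: the post only says the URL, timestamp and
    # nonce are covered; method and body are added so they cannot be altered.
    msg = "\n".join([method, path, timestamp, nonce, body]).encode()
    mac = hmac.new(secret, msg, hashlib.sha1)  # HmacSHA1, as in encryption_type
    return base64.b64encode(mac.digest()).decode()

class Verifier:
    def __init__(self, secret):
        self.secret = secret
        self.seen = set()  # accepted nonces; expire them after MAX_SKEW in real use

    def verify(self, method, path, headers, body, now):
        ts, nonce = headers["timestamp"], headers["Nonce"]
        try:
            sent = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "bad-timestamp"
        if abs(now - sent) > MAX_SKEW:
            return "stale"
        expected = sign(self.secret, method, path, ts, nonce, body)
        # Constant-time comparison; check the MAC before recording the nonce
        # so unauthenticated requests cannot fill the nonce cache.
        if not hmac.compare_digest(expected, headers["Authorization"]):
            return "bad-signature"
        if nonce in self.seen:
            return "replay"
        self.seen.add(nonce)
        return "ok"

def demo():
    secret = b"constructed-demo-secret"  # constructed key, not from the page
    path, body = "/ProcessAPIRequest", "firstname=fname&lastname=lname&id=xyz"
    headers = {"timestamp": "110708054739159GMT",
               "Nonce": "Id-0000013108497d0e-0000000001bed3d1-57"}
    headers["Authorization"] = sign(secret, "GET", path, headers["timestamp"],
                                    headers["Nonce"], body)
    sent = datetime(2011, 7, 8, 5, 47, 39, tzinfo=timezone.utc)
    v, soon = Verifier(secret), sent + timedelta(seconds=2)
    return [v.verify("GET", path, headers, body, soon),              # first delivery
            v.verify("GET", path, headers, body, soon),              # same request replayed
            v.verify("GET", path, headers, body + "&id=abc", soon),  # body tampered
            v.verify("GET", path, headers, body, sent + timedelta(hours=1))]  # sent late
```

The nonce check only covers the freshness window, so the timestamp check is what bounds how long nonces have to be remembered.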

Published at DZone with permission of Mark O'Neill, DZone MVB. See the original article here.
