OAuth, SAML, Query APIs, oh my - Finding the right Cloud integration standard
The article didn't allow space for message examples, but here in this blog I can show an example of the Amazon Query API. This request is generated by a Vordel Gateway, acting as a client in this case. You can see that the request contains an "Authorization" header, which is an HMAC signature computed over data including the URL, the timestamp, and the nonce ("number once" - a value which changes with each request, to combat capture-replay attacks). The signature is created using a shared secret key. An advantage of the Query API is that it is *much* smaller than using XML Signature, for example. It is also RESTful, because the request is a regular HTTP POST with the parameters passed as HTTP parameters. In effect it mimics an HTML form POST. Here is the example:
GET /ProcessAPIRequest HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Via: 1.1 Dell-PC (Gateway)
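The signing scheme described above, as an added example that is not code from the original article, from Amazon or from Vordel: a signer and a verifier that compute an HMAC over the method, URL, timestamp and nonce, then reject altered, stale or replayed requests. The string-to-sign layout, the 300-second window, the key and the URL are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

MAX_SKEW = 300  # assumed policy: seconds a timestamp may differ from the verifier's clock

def string_to_sign(method, url, timestamp, nonce):
    # Assumed layout (newline-separated fields); a real API defines its own canonical form.
    return "\n".join([method.upper(), url, str(timestamp), nonce]).encode()

def sign(secret, method, url, timestamp, nonce):
    mac = hmac.new(secret, string_to_sign(method, url, timestamp, nonce), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

class Verifier:
    def __init__(self, secret):
        self.secret = secret
        self.seen = {}  # nonce -> timestamp, kept while the timestamp is inside the window

    def verify(self, method, url, timestamp, nonce, signature, now):
        expected = sign(self.secret, method, url, timestamp, nonce)
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if not hmac.compare_digest(expected, signature):
            return "bad-signature"
        if abs(now - timestamp) > MAX_SKEW:
            return "stale-timestamp"
        # Drop nonces whose timestamps left the window; the skew check already rejects those.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen:
            return "replayed-nonce"
        self.seen[nonce] = timestamp
        return "ok"

# Constructed sample values, not taken from the request shown on the page.
SECRET = b"constructed-shared-secret"
URL = "https://api.example.test/ProcessAPIRequest?Action=ListItems"

def demo():
    v = Verifier(SECRET)
    sig = sign(SECRET, "POST", URL, 1000, "n-1")
    return [
        v.verify("POST", URL, 1000, "n-1", sig, now=1010),           # first delivery
        v.verify("POST", URL, 1000, "n-1", sig, now=1020),           # captured and replayed
        v.verify("POST", URL + "&x=1", 1000, "n-2", sig, now=1020),  # URL altered in transit
        v.verify("POST", URL, 1000, "n-1", sig, now=2000),           # replayed after the window
    ]

if __name__ == "__main__":
    print(demo())
```

Because the timestamp is part of the signed data, the verifier only has to remember nonces for the length of the skew window; anything older is rejected by the timestamp check alone.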
Published at DZone with permission of Mark O'Neill, DZone MVB. See the original article here.