For a deeper look into our World Check One API, look into:

Overview |  Quickstart |  Documentation |  Downloads

question

Upvotes
Accepted
1 1 2 3

HMAC test strings and results problem

Hi, I am new to world-check api and trying to follow instructions first to generate the hmac signature. reading /documentation/schema-reference/security.html I found this example:

(request-target): post /v1/cases
host: rms-world-check-one-api.thomsonreuters.com
date: Tue, 07 Jun 2016 20:51:35 GMT
content-type: application/json
content-length: 88
{
"caseId": "my customer ID",
"name": "John Doe",
"providerTypes": ["WATCHLIST"]
}

with secret "1234" must return DA26D7F5BFF89A100D1A597AA015099FC55DD3130F023E952BFBE3A6949F322A but I am NOT receiving the same result.

I am sending this full string as follows:

ls_message="(request-target): post /v1/cases"+char(10)+"host: rms-world-check-one-api.thomsonreuters.com"+char(10)
ls_message+="date: Tue, 07 Jun 2016 20:51:35 GMT"+char(10)
ls_message+="content-type: application/json"+char(10)+"content-length: 88"+char(10)+"{"+char(10)+" ~"caseId~": ~"mycustomerID~","+char(10)
ls_message+=" ~"name~": ~"John Doe~","+char(10)+" ~"providerTypes~": [~"WATCHLIST~"]"+char(10)+"}"

Can you check what is wrong with the string?

I have tested the HMAC function at https://www.freeformatter.com/hmac-generator.html#ad-output with other strings and results from the function are correct, but with smaller strings. I don't know how to test with \n end of lines there.

Regards

world-checkworld-check-one
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
Accepted
1 1 2 3

Found the solution

Include this header

loo_xmlHTTP.setRequestHeader("Content-Type","application/json")

And use current date time.

Thanks for your help

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
3.1k 16 7 7

Hi @asantibanez,

Please take a look at my answer to this previous question, as I point out, the documentation is incorrect...

Hope this helps,
Brian

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
1 1 2 3

Thanks, I used Postman to follow the process and some part is working, at least reaching de HMAC result, but cannot make encode64 work as the examples on SEQ-1a.

I am obtaining from Postman and my software test the same result:

var hash = CryptoJS.HmacSHA256(dataToSign,environment["api-secret"]);
postman.setEnvironmentVariable("hash",hash)

in my example is

487c2b186b9dd6e29455dd1840a1bd57c3725159cad96948b528ba0beb9bbb92

But not the rest of the function

return hash.toString(CryptoJS.enc.Base64);

I am receiving from my software and from

https://www.freeformatter.com/base64-encoder.html#ad-output the same output

NDg3YzJiMTg2YjlkZDZlMjk0NTVkZDE4NDBhMWJkNTdjMzcyNTE1OWNhZDk2OTQ4YjUyOGJhMGJlYjliYmI5Mg==

But postman returns

SHwrGGud1uKUVd0YQKG9V8NyUVnK2WlItSi6C+ubu5I=

Any hint on what to look for

Regards

Alfredo

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
3.1k 16 7 7

Hi @asantibanez,

If the Postman code works without your edits (i.e. out-of-the-box), then it could be a number of items. I suggest you look at my example and follow those steps, you could be just one character off or note that the example uses the Production URL and not the Pilot URL, which means you will not get the same result using Postman with the Pilot URL.

What environment are you developing in?

Brian

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
1 1 2 3

I am using

rms-world-check-one-api-pilot.thomsonreuters.com on Postman, please remember that the hmac result is equal, where the URL is used, them trying to convert to base64 is the difference.

let me copy the code I am using

string hmac
HMAC = in_capi.of_Hmac(ls_Algorithm, datatosign, apisecret )
If IsNull( hmac) Then
MessageBox(in_capi.LastFunction + " Failed", &
in_capi.LastErrText, StopSign!)
Return
End If
lblb_hmac64=blob(hmac,encodingansi!)
hmac64=in_capi.of_blob_encode64(lblb_hmac64)

//HERE IS THE PROBLEM, the string returned is different

//If I use the same string and try to encoded to base 64 with the public service

//https://www.freeformatter.com/base64-encoder.html#ad-output

//I receive the same result as this función used above. But is different from postman.

//I have not sent the GET


string authorisation = "Signature keyId=~"" + apikey + "~",algorithm=~"hmac-sha256~",headers=~"(request-target) host date~","
authorisation+="signature=~"" + hmac64 + "~""

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
3.1k 16 7 7

Hi @asantibanez,

Here is the corrected documentation to be updated in the next release...

HTTP request example

To illustrate all these requirements, given the following sample HTTP request:

POST /v1/cases HTTP/1.1
Host: rms-world-check-one-api.thomsonreuters.com
Date: Tue, 07 Jun 2016 20:51:35 GMT
Content-Type: application/json
Content-Length: 88

{
  "caseId": "my customer ID",
  "name": "John Doe",
  "providerTypes": ["WATCHLIST"]
}

the signing text used as input to the HMAC function would be:

(request-target): post /v1/cases
host: rms-world-check-one-api.thomsonreuters.com
date: Tue, 07 Jun 2016 20:51:35 GMT
content-type: application/json
content-length: 88
{
  "caseId": "my customer ID",
  "name": "John Doe",
  "providerTypes": ["WATCHLIST"]
}

This example assumes LF line endings (‘\n’/0x0A), and no trailing line ending after the closing bracket in the payload body.

Given the above signing text, if a secret key of “1234” is used, the computed HMAC-SHA256 value would be224B73FC07571E60E8B8D9BAB8107C656D3171F346B96183C665FD4C5330B85D when printed using hex encoding, orIktz/AdXHmDouNm6uBB8ZW0xcfNGuWGDxmX9TFMwuF0= when printed using base64 encoding.

The base64 representation is the value that will be included in the Authorization header. In this example, assuming an API key of 4321, the full HTTP request (with populated Authorization header) that will be sent to the API would then be:

POST /v1/cases HTTP/1.1
Host: rms-world-check-one-api.thomsonreuters.com
Date: Tue, 07 Jun 2016 20:51:35 GMT
Content-Type: application/json
Content-Length: 88
Authorization: Signature keyId="4321",algorithm="hmac-sha256",
   headers="(request-target) host date content-type content-length",
   signature="Iktz/AdXHmDouNm6uBB8ZW0xcfNGuWGDxmX9TFMwuF0="

{
  "caseId": "my customer ID",
  "name": "John Doe",
  "providerTypes": ["WATCHLIST"]
}
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
1 1 2 3

Hi, the base64 problem is solved. I found a link mentioning returns from hmac can be in HEx format, so calculation of base64 must take note of it. Now I have the same base64 result and I can continue with the test.

new problem, unathorized, same endpoint, same headers for date and autorization

My software and postman have the same values for:

datatosign is

(request-target): get /v1/groups
host: rms-world-check-one-api-pilot.thomsonreuters.com
date: Tue, 11 Apr 2017 13:51:28 GMT

autorisation is

Signature keyId="6f23c447-b6d8-4291-acda-a5f7e8fb48c3",algorithm="hmac-sha256",headers="(request-target) host date",signature="pBFw2eDXR2Npi18jImj+o9Mn/leo/OsDn8MXlh0VlSA="

dates is

Tue, 11 Apr 2017 13:51:28 GMT

endpoint is

https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/groups

Call is this way

OleObject loo_xmlhttp
long ll_status_code
loo_xmlhttp = CREATE oleobject
loo_xmlhttp.ConnectToNewObject("Msxml2.XMLHTTP.6.0")
loo_xmlhttp.open ("GET", requestendpoint, false)
loo_xmlHTTP.setRequestHeader("Authorization",authorisation)
loo_xmlHTTP.setRequestHeader("Date",dates)
loo_xmlhttp.send() ls_status_text = loo_xmlhttp.StatusText
ll_status_code = loo_xmlhttp.Status

I have debugged and checked every variable.

Any hint? some other header missing?

Is there a way that Thomson Reuters can debug my session or verify if something is been sent incorrectly.

Regards

Alfredo

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Click below to post an Idea Post Idea