I'm working on an implementation of EWP (Erasmus Without Papers), a set of APIs for communication between universities worldwide. Every call must be signed with RSA-SHA256. Every partner has a private and a public key; the public keys are available in a registry with a keyId.

A request has some headers: a digest of the body (SHA-256 hash), the host, date, and x-request-id (a random GUID). These headers and their values are concatenated into a signing string, which is signed with the private key. The result is the signature, which is also sent in the headers, along with the keyId and the other headers used for the signature.

The server needs to check whether the signature is valid by creating the same signing string, looking up the public key in the registry and then checking that the signature in the request is indeed correct.
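The signing and verification flow described above, as an added example that is not code from the original post or from the EWP project. It assumes the `Signature` header layout of the HTTP Signatures draft and the `SHA-256=<base64>` digest format; the key pair, the `example-key-id` registry entry, and the function names are constructed for illustration.

```javascript
const { createHash, createSign, createVerify, generateKeyPairSync } = require("node:crypto");

// Headers the server insists are covered by the signature (names in lowercase).
const SIGNED_HEADERS = ["host", "date", "digest", "x-request-id"];

// Constructed key pair and in-memory registry (keyId -> public key); the real registry is external.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const registry = new Map([["example-key-id", publicKey]]);

const bodyDigest = (body) => "SHA-256=" + createHash("sha256").update(body).digest("base64");

// One "name: value" line per header, in the order listed in the signature parameters.
const signingString = (headers, names) => names.map((n) => `${n}: ${headers[n]}`).join("\n");

// Client side: add the digest, sign the signing string, attach the signature header.
function signRequest(keyId, key, headers, body) {
  const h = { ...headers, digest: bodyDigest(body) };
  const sig = createSign("RSA-SHA256").update(signingString(h, SIGNED_HEADERS)).sign(key, "base64");
  h.signature = `keyId="${keyId}",algorithm="rsa-sha256",` +
    `headers="${SIGNED_HEADERS.join(" ")}",signature="${sig}"`;
  return h;
}

// Server side: returns "ok" or the reason the request is rejected.
function verifyRequest(headers, body) {
  const p = Object.fromEntries(
    [...headers.signature.matchAll(/(\w+)="([^"]*)"/g)].map((m) => [m[1], m[2]]));
  if (p.algorithm !== "rsa-sha256") return "unsupported algorithm";
  const names = (p.headers || "").split(" ");
  // A signature that leaves a required header uncovered would let that header be altered.
  if (!SIGNED_HEADERS.every((n) => names.includes(n))) return "required header not signed";
  // The signature only covers the digest header, so the body must be re-hashed and compared.
  if (headers.digest !== bodyDigest(body)) return "digest mismatch";
  const key = registry.get(p.keyId);
  if (!key) return "unknown keyId";
  const ok = createVerify("RSA-SHA256")
    .update(signingString(headers, names))
    .verify(key, p.signature, "base64");
  return ok ? "ok" : "bad signature";
}

// Constructed sample request.
const sampleBody = '{"demo":true}';
const sample = signRequest("example-key-id", privateKey, {
  host: "partner.example",
  date: "Mon, 01 Jan 2024 00:00:00 GMT",
  "x-request-id": "00000000-0000-4000-8000-000000000000",
}, sampleBody);
console.log(verifyRequest(sample, sampleBody));
```
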