Appendix
Signature Verification Description
To allow third-party applications to confirm that event pushes come from IDaaS, when IDaaS pushes events to the enterprise application callback service, the request body contains a request signature identified by the parameter sign. The third-party application needs to verify the correctness of this parameter. The verification steps are as follows:
- Calculate the signature: The signature calculation consists of 5 parts: signature secret key, nonce value, timestamp, event type, and message body, connected with
&. It is encrypted using the HMAC-SHA256 + Base64 algorithm. - Compare the calculated signature
newSignwith the request parametersign. If they are equal, the verification passes. - The third-party application returns the response message format as required.
Example:
java
String message = nonce + "&" + timestamp + "&" + eventType + "&" + data;
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec secretKey = new SecretKeySpec(signatureSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
mac.init(secretKey);
String newSign = Base64.getEncoder().encodeToString(mac.doFinal(message.getBytes(StandardCharsets.UTF_8)));
if (!newSign.equals(sign)) {
response.setStatus(400);
}Data Decryption Description
To ensure that data is not leaked or stolen during transmission, IDaaS encrypts data during transmission. After receiving the data, the third-party application needs to decrypt it. The decryption steps are as follows:
BASE64 decode the ciphertext.
Decrypt using AESKey.
Example:
java
byte[] encryptStr = Base64.getDecoder().decode(data);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
SecretKeySpec secretKey = new SecretKeySpec(encryptionKey.getBytes(StandardCharsets.UTF_8), "AES");
cipher.init(2, secretKey);
byte[] bytes = cipher.doFinal(encryptStr);
String dataStr = new String(bytes, StandardCharsets.UTF_8);