Request Signature Authentication

Basic Concepts

  • Account Key, Account Secret: Used to identify the developer's account; how to get them is described in Quick Start Generating a New Cloud Key
  • App Key, App Secret: Used to identify the developer's App; how to get them is described in Quick Start Generating a New Cloud Key
  • Signature: Verifies the user's identity based on a digital signature computed from the access key, the secret key and the user's request.

Note: When describing the signature algorithm, we do not differentiate between Account Key and App Key, which are collectively referred to as Access Keys, and we do not differentiate between Account Secret and App Secret, which are collectively referred to as Secret Keys.

Authentication Process Based on Signatures

  1. Generate the HTTP request to be sent to FDS;
  2. Use Access Key and Secret Key to properly generate request content and compute the signature;
  3. Combine the computed signature and Access Key in the "Authorization" header of the HTTP request and send the request to FDS;
  4. FDS receives the request and parses the Access Key and corresponding signature from the "Authorization" header;
  5. FDS gets the corresponding Secret Key with the parsed Access Key;
  6. FDS uses the same signature algorithm to compute the signature on the service side;
  7. FDS compares the service-side signature with the signature parsed from the user's request: if the two are identical, authentication passes; otherwise authentication fails.

Signature Algorithm

The signature algorithm is the core of signature authentication; the following is a detailed description of the signature algorithm:

HTTP Header Signature Format:

"Authorization: Galaxy-V2" + " " + Access Key + ":" + Signature;

Signature Computing:

Signature = Base64(Hmac-Sha1(Secret Key, StringToSign));

The Structure of a Signature String (StringToSign):

StringToSign =
HttpMethod + "\n" +
Content-MD5 + "\n" +
Content-Type + "\n" +
Date + "\n" +
CanonicalizedHeaders +
CanonicalizedResource;

Canonicalized Headers Structure:

Users can pass custom headers to FDS by prefixing them with "x-xiaomi-"; Canonicalized Headers refers to the normalized form of these user-defined headers. The normalization process is as follows:

  1. Convert all headers to lowercase;
  2. Sort headers by key in alphabetical order;
  3. Merge headers that share the same key into one header, separating the multiple values with ";";
  4. Concatenate the resulting strings to produce the Canonicalized Headers.

Canonicalized Resource Structure

Canonicalized Resource =
The relative URI path +
The sub-resources of the URI (ACL etc.), sorted in alphabetical order and concatenated with "&"
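The following is an added example, not code from the FDS SDK, that builds StringToSign, computes the Galaxy-V2 signature and verifies it on the service side as described above. It assumes a "key:value\n" line format for each canonicalized header, a "?" between the path and its sub-resources, and uses constructed placeholder credentials, none of which the page specifies.

```python
import base64
import hashlib
import hmac

# Constructed placeholder credentials; real keys come from the Quick Start.
ACCESS_KEY = "EXAMPLE_ACCESS_KEY"
SECRET_KEY = b"EXAMPLE_SECRET_KEY"


def canonicalized_headers(headers):
    # Keep only x-xiaomi-* headers, lowercase them, sort by key and join
    # repeated values with ';'. The "key:value\n" line format is an assumption.
    merged = {}
    for key, value in headers:
        key = key.strip().lower()
        if key.startswith("x-xiaomi-"):
            merged.setdefault(key, []).append(value.strip())
    return "".join(f"{k}:{';'.join(v)}\n" for k, v in sorted(merged.items()))


def canonicalized_resource(path, sub_resources=()):
    # Relative URI path plus alphabetically sorted sub-resources joined by '&';
    # separating them from the path with '?' is an assumption.
    if not sub_resources:
        return path
    return path + "?" + "&".join(sorted(sub_resources))


def string_to_sign(method, content_md5, content_type, date, headers, path, sub_resources=()):
    return (method + "\n" + content_md5 + "\n" + content_type + "\n" + date + "\n"
            + canonicalized_headers(headers) + canonicalized_resource(path, sub_resources))


def sign(secret_key, sts):
    # Signature = Base64(Hmac-Sha1(Secret Key, StringToSign))
    mac = hmac.new(secret_key, sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def authorization_header(access_key, secret_key, sts):
    return "Galaxy-V2 " + access_key + ":" + sign(secret_key, sts)


def verify(authorization, sts, key_store):
    # Service side: parse the header, look up the secret by access key, recompute
    # the signature and compare in constant time so the check leaks no timing.
    scheme, _, credential = authorization.partition(" ")
    access_key, _, presented = credential.partition(":")
    secret = key_store.get(access_key)
    if scheme != "Galaxy-V2" or secret is None:
        return False
    return hmac.compare_digest(sign(secret, sts).encode(), presented.encode())
```

Note that the client and the service must canonicalize identically: any header the client signs but the service omits (or vice versa) makes the signatures diverge and the request fails.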

Language Implementation References

  • Android/Java: com.xiaomi.infra.galaxy:galaxy-fds-core:3.0.8 com.xiaomi.infra.galaxy.fds.auth.signature.Signer
  • c++
  • golang
  • iOS
  • php
  • python
