GUEST/IDM/CONNECT

Authentication

Authentication to the PublicAPI is done via a method called Shared Access Signature (SaS). Developed by Microsoft, this method enables you to grant clients access to resources in your storage account, without sharing your access keys. When you give a sender or client a SaS token, they don’t have the key directly, and they cannot reverse the hash to obtain it.

For further information on using SaS, refer to the IDM > Configuration > Shared Access Signatures section of this guide.

Warning

If you change the primary key in the policy, any Shared Access Signatures created from it are invalidated.

Warning

It is advised that Customers do not use the Default token, as the default token is shared with the Web API token for CONNECT and GUEST Integrations to Symmetry.

Example
POST https://<domain>.symmetry.net
Content-Type: application/json
Authorization: SharedAccessSignature sr=https%3A%2F%2F<your-subdomain>.symmetry.net&sig=<yoursignature from code above>&se=1438205742&skn=KeyName
ContentType: application/atom+xml;type=entry;charset=utf-8

SharedAccessSignature sig=<signature-string>&se=<expiry>&skn=<keyName>&sr=<URL-encoded-resourceURI>
  • se - Token expiry instant. Integer reflecting seconds since the epoch 00:00:00 UTC on 1 January 1970 (UNIX epoch) when the token expires

  • skn - Name of the authorization rule

  • sr - URI of the resource being accessed

  • sig - Signature

  • cid - Client Id if subdomains are not being used

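using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// GetUri(topic) and the UrlEncode() extension method are helpers that are not shown on this page.
private string CreateSasToken(string topic, string keyName, string key, TimeSpan? ttl = null)
{
  // Default token lifetime is 500 days when the caller does not supply a ttl;
  // pass a shorter ttl to limit how long a leaked token stays usable.
  if (!ttl.HasValue) ttl = TimeSpan.FromDays(500);
  var uri = GetUri(topic);
  // Expiry ("se") as whole seconds since the UNIX epoch
  long tokenExpirationTime = DateTimeOffset.UtcNow.ToUnixTimeSeconds() + (long)ttl.Value.TotalSeconds;

  // The signature covers the URL-encoded resource URI and the expiry
  string stringToSign = uri.UrlEncode() + "\n" + tokenExpirationTime;
  using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key)))
  {
    string signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
    string token = String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}",
        uri.UrlEncode(), signature.UrlEncode(), tokenExpirationTime, keyName);

    return token;
  }
}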
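
As an added example (not Symmetry's code and not part of the original guide), the Python below builds a token with the same string-to-sign as the routine above and then validates it the way a receiving service could, showing why an edited expiry or a changed policy key causes rejection. The validation logic, the `keys` store, the host name and the key values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

def _sign(key, sr, se):
    # Same string-to-sign as the page's routine: URL-encoded URI + "\n" + expiry.
    return hmac.new(key.encode(), f"{sr}\n{se}".encode(), hashlib.sha256).digest()

def create_sas_token(resource_uri, key_name, key, expiry):
    # Assumption: percent-encoding with uppercase hex, as in the page's header example.
    sr = quote(resource_uri, safe="")
    sig = quote(base64.b64encode(_sign(key, sr, str(expiry))).decode(), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn={key_name}"

def verify_sas_token(header, keys, now=None):
    """Return "ok" or a rejection reason. keys: policy name -> current key (hypothetical store)."""
    now = int(time.time()) if now is None else now
    scheme, _, params = header.partition(" ")
    if scheme != "SharedAccessSignature":
        return "bad scheme"
    fields = dict(p.split("=", 1) for p in params.split("&") if "=" in p)
    if not {"sr", "sig", "se", "skn"} <= set(fields):
        return "missing field"
    key = keys.get(fields["skn"])
    if key is None:
        return "unknown policy"
    try:
        presented = base64.b64decode(unquote(fields["sig"]), validate=True)
        expiry = int(fields["se"])
    except ValueError:
        return "malformed"
    # Recompute over the fields exactly as presented and compare in constant time.
    if not hmac.compare_digest(_sign(key, fields["sr"], fields["se"]), presented):
        return "bad signature"
    # The expiry is trusted only after the signature covering it has verified.
    if expiry <= now:
        return "expired"
    return "ok"

if __name__ == "__main__":
    keys = {"KeyName": "constructed-demo-key"}  # constructed sample values
    tok = create_sas_token("https://tenant.example.invalid", "KeyName", keys["KeyName"], 2_000_000_000)
    print(verify_sas_token(tok, keys, now=1_900_000_000))
    print(verify_sas_token(tok.replace("se=2000000000", "se=2100000000"), keys, now=1_900_000_000))
    print(verify_sas_token(tok, {"KeyName": "rotated-key"}, now=1_900_000_000))
```

The last call models the first warning above: once the policy key changes, every token signed with the old key fails verification.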