|
| 1 | +--- |
| 2 | +title: Authentication |
| 3 | +description: Authentication |
| 4 | +--- |
| 5 | + |
| 6 | +# Authentication |
| 7 | + |
| 8 | +In the Settle API different authentication levels (auth levels) can be achieved depending on the authentication method being used. In the [API Reference](/api/merchant/) the required level for each endpoint in the API is given. A list is given here of the auth levels in the Settle API, ordered from lowest to highest level: |
| 9 | + |
| 10 | +1. OPEN _(no authentication required)_ |
| 11 | +2. [SECRET](#authentication-using-secret) |
| 12 | +3. [KEY](#authentication-using-rsa-signature) |
| 13 | + |
| 14 | +When authenticated with a particular auth level, the client is also authorized for endpoints requiring a lower auth level. E.g. if authenticated with auth level [KEY](/guides/authentication/#authentication-using-rsa-signature), endpoints requiring [SECRET](/guides/authentication/#authentication-using-secret) or OPEN are also accessible. |
| 15 | + |
| 16 | +## Required Request Headers |
| 17 | + |
| 18 | +Any request to the Settle API requires the following request headers: |
| 19 | + |
| 20 | +| X-Auka-Merchant: | This header should contain the Settle ID of the merchant as returned in the `id` field of the [`merchant`](https://developer.settle.eu/handlers.html#get--merchant--merchant_id-- 'GET /merchant/<merchant_id>/') endpoint. | |
| 21 | +| X-Auka-User: | The ID (username) of the user/client doing the request on behalf of the merchant. Users are created by the merchant through the Self Service Portal or by the integrator using the `user` endpoint. Each user has is an ID locally unique for the merchant and is assigned a shared secret and/or a RSA public key that is used for authentication. | |
| 22 | +| Authorization: | The value of this field depends on what kind of authentication scheme is being used. Currently the supported schemes are _SECRET_ and _RSA-SHA256_. The general form of this header is: `Authorization: <auth_scheme> <auth_data>` | |
| 23 | +| X-Auka-Integrator: | Only to be used by integrators acting as a proxy on behalf of merchant client, in which case it replaces the **X-Auka-User** header. The value of this field is the ID issued to the integrator by Settle. When this header is used only authentication using RSA signatures is allowed (not secret) and Settle will check the signature against the public key of the integrator. | |
| 24 | + |
| 25 | +::: tip NOTE |
| 26 | +When using the Settle testbed environment, an **X-Testbed-Token** header is also required. The value of this header is the testbed token you received via email when activating your testbed account. It looks like: |
| 27 | + |
| 28 | +`s_Qu1gkYsZUvK-RvO43Ij02CYV-3wyMp5uUn1AodymQ` |
| 29 | +::: |
| 30 | + |
| 31 | +::: tip NOTE |
| 32 | +The **X-Auka-Integrator** header MUST NOT be used unless the merchant clients are communicating _through_ a server, controlled by the integrator, acting as a proxy. If a client is using a direct connection to Settle, even though the integrator owns the client and may control it through some other channel, it MUST use merchant user credentials and the **X-Auka-User** header. |
| 33 | +::: |
| 34 | + |
| 35 | +## Authentication using SECRET |
| 36 | + |
| 37 | +- Auth Level: SECRET |
| 38 | + |
| 39 | +Authentication using a shared secret (JSON Web Token) is the simplest authentication method supported by Settle. This method requires an authorization header on the following form: |
| 40 | + |
| 41 | +`Authorization: SECRET <secret>` |
| 42 | + |
| 43 | +Below is an example of a request where user **POS1** is doing an **HTTP POST** to **https://sever.test/some/resource/** on behalf of a merchant whose ID is **T9oWAQ3FSl6oeITuR2ZGWA**. The secret is **MySecretPassword** and the request body is `{"text": "Hello world"}`. |
| 44 | + |
| 45 | +```http |
| 46 | +POST /some/resource/ HTTP/1.1 |
| 47 | +HOST: server.test |
| 48 | +Accept: application/vnd.mcash.api.merchant.v1+json |
| 49 | +Content-Type: application/json |
| 50 | +X-Auka-Merchant: T9oWAQ3FSl6oeITuR2ZGWA |
| 51 | +X-Auka-User: POS1 |
| 52 | +Authorization: SECRET MySecretPassword |
| 53 | +
|
| 54 | +{"text": "Hello world"} |
| 55 | +``` |
| 56 | + |
| 57 | +## Authentication using RSA signature |
| 58 | + |
| 59 | +- Auth Level: KEY |
| 60 | + |
| 61 | +Settle generates and validates according to the _PKCS#1 v1.5_ (RSASSA-PKCS1-v1_5) standard described in **[RFC 3447](http://tools.ietf.org/html/rfc3447.html)**. The hash function used in the signing procedure is [SHA256](https://en.wikipedia.org/wiki/SHA-2). |
| 62 | + |
| 63 | +### Headers |
| 64 | + |
| 65 | +The RSA authentication method requires two extra headers: |
| 66 | + |
| 67 | +#### X-Auka-Timestamp |
| 68 | + |
| 69 | +> The current UTC time. The time format is `YYYY-MM-DD hh:mm:ss`. |
| 70 | +
|
| 71 | +#### X-Auka-Content-Digest |
| 72 | + |
| 73 | +> The _base64_ encoded hash digest of the request body. If the body is empty, the hash should be computed on an empty string. The value of the header should be on the form `<algorithm (uppercase)>=<digest value>`. So, if the SHA256 hashing algorithm is used on a request with empty body, the header will be: `X-Auka-Content-Digest: SHA256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=` Currently only the SHA256 hashing algorithm is supported. |
| 74 | +
|
| 75 | +For RSA authentication the authorization header looks like this: |
| 76 | + |
| 77 | +```http |
| 78 | +Authorization: RSA-SHA256 <rsa_signature> |
| 79 | +``` |
| 80 | + |
| 81 | +The string that is to be signed (the signature message) is constructed from the request in the following manner: |
| 82 | + |
| 83 | +``` |
| 84 | +<method>|<url>|<headers> |
| 85 | +``` |
| 86 | + |
| 87 | +Here, `method` is the HTTP method used in the request, `url` is the full url including protocol and query component (the part after `?`) but without fragment component (The part after `#`). The `scheme name` (typically https) and `hostname` components are always lowercase, while the rest of the `url` is case sensitive. The `headers` part is a querystring using header names and values as key-value pairs. So, the constructed string will be of the form: |
| 88 | + |
| 89 | +``` |
| 90 | +name1=value1&name2=value2... |
| 91 | +``` |
| 92 | + |
| 93 | +::: tip In addition the following requirements apply: |
| 94 | + |
| 95 | +1. Headers are sorted alphabetically. |
| 96 | +2. All header names must be made uppercase before constructing the string. |
| 97 | +3. Headers whose names don't start with **X-Auka-** are excluded. |
| 98 | + ::: |
| 99 | + |
| 100 | +Reusing the example in the previous section, a typical HTTP request will look like this: |
| 101 | + |
| 102 | +```http |
| 103 | +POST /some/resource/ HTTP/1.1 |
| 104 | +HOST: server.test |
| 105 | +Accept: application/vnd.mcash.api.merchant.v1+json |
| 106 | +Content-Type: application/json |
| 107 | +X-Auka-Merchant: T9oWAQ3FSl6oeITuR2ZGWA |
| 108 | +X-Auka-User: POS1 |
| 109 | +X-Auka-Timestamp: 2013-10-05 21:33:46 |
| 110 | +X-Auka-Content-Digest: SHA256=oWVxV3hhr8+LfVEYkv57XxW2R1wdhLsrfu3REAzmS7k= |
| 111 | +Authorization: RSA-SHA256 p8+PdS5dDa6Ig46jNQhE8qQR+J8rRgX77cyXN3EIvUqpQ2lB8Cz1bcUF6lwvdVbz4NSUIQD/OCT8X2WtqRNbPW+5DDzGC1TytiV6p0EXiMOAl7s6kioHnVGaiCSHyfO6ZYB7ubtcMtUE0+7OEUcPeaqSHeL4wwUkO8W0+euwGsfwl9gOoQHBFIOh0bh8z3JNGhUeIZM8fvrk+8kj/s2A70IBvUOLwcFeP8uf6gTi1fz7BtgJ5rHmfvn9HvrsyO53/nx2mXZdAap4MfOZa6dp0ievZ5kU1vEfB2R6f4uPHzKLnaePlDOQMTk+uHlxU0ChkSqenbgJvpGuaOGiQekwsA== |
| 112 | +
|
| 113 | +{"text": "Hello world"} |
| 114 | +``` |
| 115 | + |
| 116 | +In this case the header part of the signature message is: |
| 117 | + |
| 118 | +```http |
| 119 | +X-AUKA-CONTENT-DIGEST=SHA256=oWVxV3hhr8+LfVEYkv57XxW2R1wdhLsrfu3REAzmS7k=&X-AUKA-MERCHANT=T9oWAQ3FSl6oeITuR2ZGWA&X-AUKA-TIMESTAMP=2013-10-05 21:33:46&X-AUKA-USER=POS1 |
| 120 | +``` |
| 121 | + |
| 122 | +and complete signature message is: |
| 123 | + |
| 124 | +```http |
| 125 | +POST|http://server.test/some/resource/|X-AUKA-CONTENT-DIGEST=SHA256=oWVxV3hhr8+LfVEYkv57XxW2R1wdhLsrfu3REAzmS7k=&X-AUKA-MERCHANT=T9oWAQ3FSl6oeITuR2ZGWA&X-AUKA-TIMESTAMP=2013-10-05 21:33:46&X-AUKA-USER=POS1 |
| 126 | +``` |
| 127 | + |
| 128 | +The key-pair that was used for generating the signature in this example can be downloaded here: [`public`](https://developer.settle.eu/_downloads/sample-pubkey.pem), [`private`](https://developer.settle.eu/_downloads/sample-privkey.pem) |
| 129 | + |
| 130 | +The Python script that was used for generating the signature and `X-Auka-Content-Digest` header can be downloaded [`here`](https://developer.settle.eu/_downloads/rsa_example.py) |
| 131 | + |
| 132 | +## Verifying signatures from Settle |
| 133 | + |
| 134 | +Whenever Settle is sending callbacks to the client over HTTPS the request from Settle is signed using the same RSA method as described in the above _[section](/guides/authentication/#authentication-using-rsa-signature)_. The client should authenticate callbacks from Settle by verifying the signature given by Settle in the Authorization header of the request. The public key used by Settle in test environments can be downloaded [`here`](https://developer.settle.eu/_downloads/testserver-pub.pem). The public key for the production environment can be obtained by contacting Settle. |
0 commit comments