IRB Exchange

Signing IRB Exchange Requests

This section explains how to create a signature and add it to a request.

Topics

  • What signing looks like in a request
  • Summary of signing steps
  • Step 1: Create a canonical request
  • Step 2: Create the signature with a private key
  • Step 3: Add the signing information to the request

What signing looks like in a request

The following example shows what an HTTPS request might look like as it is sent from a client system to the IRB Exchange API without any signing information:

GET https://irbexchange.huronsoftware.com/containers HTTP/1.1
Host: irbexchange.huronsoftware.com
User-Agent: Huron.IrbExchange/1.0.0
Huron-IrbX-Date: 20170227T054205Z
Huron-IrbX-Request-Id: 0faf4efc977447d797a0d7c01546f53c

After completing the signing task, the authentication information is added as an HTTP header.

Authorization header

The authentication information is added to the request with an Authorization header. Although the HTTP header is named Authorization, the signing information is used for authentication to establish who the request came from.

The Authorization header includes the following information:

  • Organization credential (IRB Exchange ID)
  • List of signed headers
  • Calculated signature. The signature is based on the request information and the private key of the organization. The signature confirms the identity of the organization.
  • Hash algorithm used to compute the signature.

The following example shows what the preceding request might look like after creating a signature and adding it to the request in the Authorization header:

GET https://irbexchange.huronsoftware.com/containers HTTP/1.1
Host: irbexchange.huronsoftware.com
User-Agent: Huron.IrbExchange/1.0.0
Huron-IrbX-Date: 20170227T054205Z
Huron-IrbX-Request-Id: 0faf4efc977447d797a0d7c01546f53c
Authorization: IRBX Credential=2c4741ebb68f47cd847cebbc1d7942fb, HashAlgorithm=SHA256, SignedHeaders=Host;Huron-IrbX-Date;Huron-IrbX-Request-Id, Signature=RuVDsj5MAfyAguZUxY+BO/0J6eXmIGAnF+/y1u3+63plU/i8Elwb1SsjIO48o/8/hj9ZDmWcvLMCqJY5L3F5Gd7NHu7dvtm4WjyIP/WrfnYgg906nmobCleqqsM9PHeOG7l0ZIETfo1+kT5n/oqmv/BOud5gIu/ILYvx8c4tET5N92lj0eU/kia06pjhl4yD7uGLbGQZ6ulbP79VAte3REfiqBm0x7V2vv/iePvdAT9chS8CDvHAD8RbDogw9dctfdDnYd5PU14pqIKIkE8dil/6aFtAinBYgb/6bX7XdcwRDYRy7lhnQKacOVey+GaYSyFfcxT4njCdiu7AEZD1EQ==
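
The following is an added example, not code from Huron or the IRB Exchange API: a receiver-side structural check that parses the Authorization header format shown above and reports which request headers are listed in SignedHeaders and which are not. The function names, the SHA256-only allowlist and the placeholder signature bytes are assumptions made for illustration; verifying the signature itself needs the canonical request from Step 1 and is not attempted here.

```python
import base64

ALLOWED_HASHES = {"SHA256"}  # assumption: accept only the algorithm shown on this page
REQUIRED = ("Credential", "HashAlgorithm", "SignedHeaders", "Signature")

def parse_irbx_authorization(value):
    """Split an 'IRBX k=v, k=v, ...' header value into validated fields."""
    scheme, _, rest = value.partition(" ")
    if scheme != "IRBX":
        raise ValueError("unexpected scheme: %r" % scheme)
    fields = {}
    for part in rest.split(","):
        # Split on the first '=' only: base64 signatures end in '=' padding.
        key, sep, val = part.strip().partition("=")
        if not sep or key in fields:
            raise ValueError("malformed or duplicate field: %r" % key)
        fields[key] = val
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError("missing fields: %s" % missing)
    if fields["HashAlgorithm"] not in ALLOWED_HASHES:
        raise ValueError("unsupported hash algorithm")
    signature = base64.b64decode(fields["Signature"], validate=True)
    signed = [h for h in fields["SignedHeaders"].split(";") if h]
    return {"credential": fields["Credential"], "hash": fields["HashAlgorithm"],
            "signed_headers": signed, "signature": signature}

def header_coverage(request_headers, auth):
    """Return (signed-but-absent, present-but-unsigned) header names, lowercased."""
    present = {name.lower() for name in request_headers}
    signed = {name.lower() for name in auth["signed_headers"]}
    return sorted(signed - present), sorted(present - signed - {"authorization"})

# Constructed sample: header names and Credential follow the page's example;
# the Signature is 256 placeholder bytes, not a real signature.
SAMPLE_HEADERS = {
    "Host": "irbexchange.huronsoftware.com",
    "User-Agent": "Huron.IrbExchange/1.0.0",
    "Huron-IrbX-Date": "20170227T054205Z",
    "Huron-IrbX-Request-Id": "0faf4efc977447d797a0d7c01546f53c",
}
SAMPLE_AUTH = (
    "IRBX Credential=2c4741ebb68f47cd847cebbc1d7942fb, HashAlgorithm=SHA256, "
    "SignedHeaders=Host;Huron-IrbX-Date;Huron-IrbX-Request-Id, "
    "Signature=" + base64.b64encode(bytes(256)).decode()
)

if __name__ == "__main__":
    auth = parse_irbx_authorization(SAMPLE_AUTH)
    print(header_coverage(SAMPLE_HEADERS, auth))
```

In the sample request, User-Agent is present but not listed in SignedHeaders, so a receiver should not base decisions on its value.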

Summary of Signing Steps

To create a signed request, complete the following:

  1. Create a canonical request - Arrange the contents of your request (host, headers, query string, etc.) into a standard (canonical) format. The canonical request is used as an input for a hash function.
  2. Create the signature with a private key - Encrypt the hash value using a private key.
  3. Add the signing information to the request - After calculating the signature, add it to the HTTP Authorization header.

© 2017 Huron Consulting Group Inc. and affiliates.
Use and distribution prohibited except through written agreement with Huron. Trademarks used in this website are registered or unregistered trademarks of Huron or its licensors.