Friday, July 8, 2011

OAuth, SAML, Query APIs, oh my - Finding the right Cloud integration standard

I've written an article for SD Times about the proliferation of standards for Cloud security. In the article I mention the Amazon Query API method of authentication, which although not an actual standard, has become something of an "industry standard" for authentication to Cloud-based APIs. It is widely used, not least for Amazon's own APIs of course.

The article didn't allow space for message examples, but here in this blog I can show an example of the Amazon Query API. This request is generated by a Vordel Gateway, acting as a client in this case. You can see that the request contains an "Authorization" header which is an HMAC signature computed over data including the URL, the timestamp, and the nonce ("number once" - a value which changes with each request, to combat capture-replay attacks). The signature is created using a shared secret key. An advantage of the Query API is that it is *much* smaller than using XML Signature, for example. It is also RESTful, because the request is a regular HTTP POST with the parameters passed as HTTP parameters. In effect it mimics a HTML Form POST. Here is the example below:

GET /ProcessAPIRequest HTTP/1.1
Connection: keep-alive
Transfer-Encoding: chunked
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
timestamp: 110708054739159GMT
Nonce: Id-0000013108497d0e-0000000001bed3d1-57
encryption_type: HmacSHA1
client_ref_id: client
Authorization: MGJ4aVdxeTIwWXltNTNSSUIvQW9vT2xOOE1BPQ==
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Via: 1.1 Dell-PC (Gateway)
Host: 127.0.0.1:7071
Content-Type: application/x-www-form-urlencoded

firstname=fname&lastname=lname&id=xyz