# Signature Verification Instructions
So that third-party applications can confirm that event notifications originate from IDaaS, the request body that IDaaS pushes to the enterprise application's callback service includes a request signature in the parameter `sign`. Third-party applications need to verify that this parameter is correct. The verification steps are as follows:
- Calculate the signature: The signature is composed of five parts: the signature key, Nonce value, timestamp, event type, and message body, connected by `&`. The HMAC-SHA256+Base64 algorithm is used to compute it.
- Compare the calculated signature `newSign` with the request parameter `sign`. If they are equal, the verification passes.
- The third-party application returns the response message format as required.
Example as follows:
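```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// 签名秘钥 is the signature key; nonce, timestamp, eventType, data and sign come from the request
String message = nonce + "&" + timestamp + "&" + eventType + "&" + data;
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec secretKey = new SecretKeySpec(签名秘钥.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
mac.init(secretKey);
String newSign = Base64.getEncoder().encodeToString(mac.doFinal(message.getBytes(StandardCharsets.UTF_8)));
// Constant-time comparison, so the response time does not reveal how much of the signature matched
if (sign == null || !MessageDigest.isEqual(newSign.getBytes(StandardCharsets.UTF_8), sign.getBytes(StandardCharsets.UTF_8))) {
    response.setStatus(400);
}
```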
# Data Decryption Instructions
To ensure data is not leaked or stolen during transmission, IDaaS encrypts the data when transmitting it. Third-party applications need to decrypt the data after obtaining it. The decryption steps are as follows:
- Perform BASE64 decoding on the ciphertext.
- Use the AESKey for decryption.
Example as follows:
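```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// 加密密钥 is the AESKey; data is the Base64 ciphertext from the request
byte[] encryptStr = Base64.getDecoder().decode(data);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
SecretKeySpec secretKey = new SecretKeySpec(加密密钥.getBytes(StandardCharsets.UTF_8), "AES");
cipher.init(Cipher.DECRYPT_MODE, secretKey);
byte[] bytes = cipher.doFinal(encryptStr);
String dataStr = new String(bytes, StandardCharsets.UTF_8);
```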
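Both procedures on this page combined into one receiver routine, as an added example that is not IDaaS's own code: the signature is checked with a constant-time comparison before anything is decrypted, and malformed input is rejected rather than processed. The keys, field values and the `CallbackReceiver`, `hmac` and `verifyAndDecrypt` names are constructed for illustration, and it assumes the signed `data` is the Base64 ciphertext, as the shared variable name in the two snippets suggests.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class CallbackReceiver {
    // Constructed sample keys for this demo only; real values come from the IDaaS configuration.
    static final byte[] SIGN_KEY = "demo-sign-key".getBytes(StandardCharsets.UTF_8);
    static final byte[] AES_KEY = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // 16 bytes

    static byte[] hmac(String nonce, String timestamp, String eventType, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SIGN_KEY, "HmacSHA256"));
        String message = nonce + "&" + timestamp + "&" + eventType + "&" + data;
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns the decrypted body, or null if the request must be rejected (respond with 400). */
    static String verifyAndDecrypt(String nonce, String timestamp, String eventType,
                                   String data, String sign) {
        try {
            byte[] expected = hmac(nonce, timestamp, eventType, data);
            byte[] received = Base64.getDecoder().decode(sign); // throws on malformed Base64
            if (!MessageDigest.isEqual(expected, received)) return null; // constant-time compare
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(AES_KEY, "AES"));
            return new String(cipher.doFinal(Base64.getDecoder().decode(data)), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null; // malformed Base64 or bad padding: reject, never process
        }
    }

    public static void main(String[] args) throws Exception {
        // Sender side, constructed here only to obtain test input.
        Cipher enc = Cipher.getInstance("AES/ECB/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(AES_KEY, "AES"));
        String data = Base64.getEncoder().encodeToString(
                enc.doFinal("{\"userId\":\"u-1\"}".getBytes(StandardCharsets.UTF_8)));
        String sign = Base64.getEncoder().encodeToString(hmac("n1", "1700000000", "USER_CREATE", data));

        System.out.println(verifyAndDecrypt("n1", "1700000000", "USER_CREATE", data, sign));
        System.out.println(verifyAndDecrypt("n1", "1700000000", "USER_DELETE", data, sign)); // altered field
        System.out.println(verifyAndDecrypt("n1", "1700000000", "USER_CREATE", data, "not base64!"));
    }
}
```

Running `main` prints the decrypted body for the intact request and `null` for the request with an altered event type and for the one with a malformed `sign`.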
