Authentication

Our system employs a multi-layered security approach to safeguard sensitive data and protect against unauthorized access. The security framework consists of three types of authentication mechanisms and implements a gateway white-listing API to enhance security and efficiency. By using a different approach in each situation, we ensure a highly secure environment for our users and applications.

Token JWT (Acceptance Token, Refresh Token): {version}: null

The first layer of our security system is token-based authentication using JSON Web Tokens (JWT). This mechanism provides secure access to our system's resources. Upon successful login, users receive an Acceptance Token (Access Token), which they must present with each request to a protected endpoint. These tokens have a limited lifespan to limit the damage a leaked or stolen token can do. When the Access Token expires, users can request a Refresh Token, which allows them to obtain a new Access Token without re-entering their credentials. This approach minimizes the risk of unauthorized access while providing a seamless user experience.

Example of Token API

# BASE_URL is a placeholder for the API host; the body is form-encoded to match the Content-Type
curl --request POST \
  --url "$BASE_URL/token" \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'Username=<username>' \
  --data-urlencode 'Password=<password>' \
  --data-urlencode 'Grant_Type=Password'

Example of Refresh Token API

# BASE_URL is a placeholder for the API host; the body is JSON to match the Content-Type
curl --request POST \
  --url "$BASE_URL/api/Auth/RefreshToken" \
  --header 'Content-Type: application/json' \
  --data '{"AccessToken": "<expired access token>", "RefreshToken": "<refresh token>"}'

HMAC (Hash-based Message Authentication Code): {version}: v3.0

HMAC (Hash-based Message Authentication Code) authentication is a mechanism used to verify the integrity and authenticity of messages exchanged between a client and a server. It involves generating a hash-based signature using a secret key and including this signature in the message headers.

Here's a brief overview of how HMAC authentication works:

  1. Shared Secret Key: Both the client and the server share a secret key beforehand. This key is known only to the client and the server and is used for generating and verifying the HMAC signature.

  2. Message Generation: When the client sends a request to the server, it includes additional headers for HMAC authentication. These headers typically include the timestamp, nonce (a unique identifier), and possibly other request parameters.

  3. HMAC Signature Generation: The client calculates an HMAC signature using a cryptographic hash function (e.g., HMAC-SHA256) keyed with the shared secret. The signature is computed over the request data (including the headers from step 2), so the secret itself is never transmitted.

  4. Sending the Request: The client sends the request to the server, including the HMAC signature in the request headers.

  5. Server Verification: Upon receiving the request, the server extracts the HMAC signature from the request headers. It then recalculates the HMAC signature using the same algorithm, request data, and the shared secret key.

  6. Signature Comparison: The server compares the recalculated HMAC signature with the one received from the client, using a constant-time comparison. If the signatures match, the request has not been tampered with and originated from a client holding the correct shared secret key. The server should also reject requests whose timestamp is outside an acceptable window or whose nonce has already been seen, since a valid signature alone does not prevent replay.

curl -X GET \
  -H "Authorization: hmacauth $hmac_signature" \
  https://api.example.com/endpoint
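The six steps above, worked through end to end as an added example (not the project's own code): the client signs the method, path, timestamp, nonce and body hash with HMAC-SHA256, and the server recomputes the signature, compares it in constant time, and rejects stale or replayed requests. The header names X-Timestamp and X-Nonce, the canonical string layout, and the demo key are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo key: the real shared secret (step 1) is provisioned out of band.
SHARED_SECRET = b"demo-shared-secret-not-for-production"
MAX_CLOCK_SKEW = 300  # seconds a request timestamp may differ from server time
_seen_nonces = set()  # replay cache (in-memory here; use a shared store in production)

def canonical_string(method, path, timestamp, nonce, body):
    """The exact bytes both sides sign: request data plus the auth headers (step 2)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()

def sign_request(secret, method, path, timestamp, nonce, body=b""):
    """HMAC-SHA256 over the canonical string, base64 encoded for the header (step 3)."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def client_headers(secret, method, path, body=b""):
    """Client side (step 4): X-Timestamp and X-Nonce are assumed header names."""
    timestamp = int(time.time())
    nonce = secrets.token_hex(16)
    signature = sign_request(secret, method, path, timestamp, nonce, body)
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce,
            "Authorization": "hmacauth " + signature}

def verify_request(secret, headers, method, path, body=b"", now=None):
    """Server side (steps 5-6): recompute, then compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        scheme, _, presented = headers["Authorization"].partition(" ")
    except (KeyError, ValueError):
        return False
    if scheme != "hmacauth" or not presented:
        return False
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False  # stale or future-dated request
    if nonce in _seen_nonces:
        return False  # replayed request
    expected = sign_request(secret, method, path, timestamp, nonce, body)
    if not hmac.compare_digest(expected, presented):
        return False  # constant-time comparison avoids leaking the signature via timing
    _seen_nonces.add(nonce)  # only record nonces of accepted requests
    return True
```

Because the body hash is part of the signed string, any change to the payload after signing invalidates the signature, and the nonce cache makes a captured request unusable a second time.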
