1

To generate an authentication header for an api connection, my code should follow these steps:

  1. Create a string of the form [unique]:[apikey].
  2. Convert string from step 1 to a byte array using UTF-8 encoding.
  3. Compute the SHA-256 hash for the byte array from step 2.
  4. Base64 encode the byte array computed in step 3; this string will be authentication key.

As far as I understand, strings in php are byte arrays, so my initial method looks like the following.

public function generateAuthKey()
{
    $unique = uniqid(); # unique string
    $string = $unique.':'.$this->apiKey; # step 1
    $string = utf8_encode($string); # step 2 ?
    $hash = hash('sha256', $string); # step 3
    $base64 = base64_encode($hash); # step 4

    return $base64;
}

My application which tries to connect using this auth key will receive a 403 error.

Does my code above complete the required steps (and perhaps there is an error in my api key) or is there some other way in php of following the steps to create the auth key?

Improve this question
1

1 Answer 1

Reset to default
6

Yes, strings in PHP are already byte arrays. And unless your $string contains any non-ASCII characters, it's also already valid UTF-8 (UTF-8 is a superset of ASCII); so you can skip the "encode as UTF-8" step.

Likely the algorithm is expecting the output of the hash to be binary, which you're then supposed to convert to base 64. By default hash returns hex values, not binary. For that you need to set its 3rd parameter. In summary:

$unique = uniqid();
$string = $unique . ':' . $this->apiKey;
$hash   = hash('sha256', $string, true);
$base64 = base64_encode($hash);

Of course, what you're supposed to do with $unique I don't know. Likely you're supposed to send that value together with the request as well, otherwise there's no way the server can validate the hash.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

yes, unique and apikey are other headers (which didn't really add anything to question). adding the third parameter to the hash function made this work; many thanks @deceze.
also, of course, your name came up in the comments in the official docs when reading about this and related encodings for what i'm working on...
Just for reference, this is the way Expedia is validating it's API Authentication.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.