The authorization HTTP request header field expected from clients is:
MPA [API Key ID]:[signature]
MPA (Media Portal Authentication) is the authentication scheme and signature is a value that is properly constructed as described below.
If an accept header is set in the request, the only valid value is text/XML. Any other value will receive a 406 response.
This signature is constructed in the form of a RFC2104 HMAC-SHA1 digest. Create a string as follows:
[Date ] + “\n” + [RelativePath] + “\n” + [Content-Type] + "\n" + [HTTP-Verb] + “\n” + [Content-MD5]
- [Date]—value of the Date request header field formatted as, for example, Wed, 29 Apr 2015 +0000 using Java SimpleDateFormat, use: "EEE, dd MMM yyyy HH:mm:ss +0000" Java SimpleDateFormat using Locale.US), using Locale.US for the current UTC time. (See sample code for examples.)
- “\n”—a line feed
- [URI or RelativePath]—path of the request including request scope if applicable (access group, service, network IDs). The RelativePath should include the first forward slash (/) but should not include query string parameters. Examples:
- [Content-Type]—value of the Content-Type request header field. For example:
- [HTTP-Verb]—HTTP method used for the request (e.g. “GET”, “PUT”, “POST”, “DELETE”).
- [Content-MD5] (optional)—value of the Content-MD5 request header field, an MD5 digest of the request body. See RFC 2616 Section 14.15. If this request header is set, then it must be included in the signature string.
Encode this string as UTF8, construct an HMAC-SHA1 digest (using the secret), then encode the result in Base64. The output of these steps is the signature. (For implementation examples, see sample code.)