Authorization Header
To access any feature of the MyPreferences WebAPI services, every HTTP request must include an Authorization field in its header, regardless of the nature of the request. The field must carry the proper PossibleNow authorization scheme and the authorization parameters that the selected scheme type requires. Per RFC 7235, the Authorization header must conform to the following format, with the scheme and parameters separated by a space.
AUTHORIZATION: <scheme> <parameters>
PossibleNow Authorization Schemes
Currently there are only two scheme types and one available scheme identifier for authorization. Future schemes may be added to address any weaknesses in the Authorization header by adding or removing parameters. The two scheme types are a keyed hash and an un-keyed hash. It is highly recommended that the keyed hash scheme be used whenever possible, as it is more secure. Please note that the authorization scheme is case-insensitive.
- Un-keyed Hash Scheme: SchemeIdentifier-CryptoHashIdentifier
- Keyed Hash Scheme: SchemeIdentifier-HMAC-CryptoHashIdentifier
An example of each of the two scheme types:
- Un-keyed Hash Scheme: PNAUTHINFO3-SHA256
- Keyed Hash Scheme: PNAUTHINFO3-HMAC-SHA256
The SchemeIdentifier drives and defines the authorization process and parameters. Each available scheme identifier will be addressed in the following sections.
The CryptoHashIdentifier is the name of the hash algorithm that is used to generate the signature parameter in all of the scheme authorization parameters. The following hash algorithms are currently available:
- SHA256
- SHA384
- SHA512
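The following added example (not PossibleNow code) shows one way a receiving service or client library could parse and allowlist the scheme token described above. All function and field names are hypothetical, and the parameters are kept as an opaque string because their layout depends on the scheme identifier.

```python
import hashlib
from typing import NamedTuple

# Values from this page; all function and field names are illustrative.
SCHEME_IDENTIFIERS = {"PNAUTHINFO3"}
HASHES = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}


class ParsedAuthorization(NamedTuple):
    scheme_identifier: str
    keyed: bool          # True for the SchemeIdentifier-HMAC-... form
    hash_name: str       # key into HASHES for the matching hashlib constructor
    parameters: str      # left opaque: layout is defined per scheme identifier


def parse_authorization(value: str, require_keyed: bool = False) -> ParsedAuthorization:
    """Parse an Authorization header value of the form '<scheme> <parameters>'."""
    scheme, _, parameters = value.strip().partition(" ")
    parameters = parameters.strip()
    if not scheme or not parameters:
        raise ValueError("expected '<scheme> <parameters>'")
    parts = scheme.upper().split("-")  # the scheme is case-insensitive
    if len(parts) == 2:
        identifier, hash_name, keyed = parts[0], parts[1], False
    elif len(parts) == 3 and parts[1] == "HMAC":
        identifier, hash_name, keyed = parts[0], parts[2], True
    else:
        raise ValueError(f"malformed scheme: {scheme!r}")
    if identifier not in SCHEME_IDENTIFIERS:
        raise ValueError(f"unknown scheme identifier: {identifier!r}")
    if hash_name not in HASHES:  # allowlist; also rejects 'PNAUTHINFO3-HMAC'
        raise ValueError(f"unsupported hash algorithm: {hash_name!r}")
    if require_keyed and not keyed:
        raise ValueError("un-keyed scheme rejected by policy")
    return ParsedAuthorization(identifier, keyed, hash_name, parameters)


def is_acceptable(value: str, require_keyed: bool = False) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_authorization(value, require_keyed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed header values; the parameter string is a placeholder.
    for sample in ("pnauthinfo3-hmac-sha256 PLACEHOLDER", "PNAUTHINFO3-MD5 PLACEHOLDER"):
        print(sample, "->", is_acceptable(sample))
```

Passing require_keyed=True enforces the recommendation above to prefer the keyed hash scheme.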