mirror of https://github.com/VinylDNS/vinyldns synced 2025-09-05 08:45:11 +00:00
vinyldns/api/auth-mechanism.html
2019-06-11 17:44:45 -04:00


<html><head><title>VinylDNS: Authentication</title><meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="author" content="VinylDNS" /><meta name="description" content="DNS Management Platform" /><meta name="og:image" content="/img/poster.png" /><meta name="og:title" content="VinylDNS: Authentication" /><meta name="og:site_name" content="VinylDNS" /><meta name="og:url" content="http://vinyldns.io" /><meta name="og:type" content="website" /><meta name="og:description" content="DNS Management Platform" /><link rel="icon" type="image/png" href="/img/favicon.png" /><meta name="twitter:title" content="VinylDNS: Authentication" /><meta name="twitter:image" content="http://vinyldns.ioimg/poster.png" /><meta name="twitter:description" content="DNS Management Platform" /><meta name="twitter:card" content="summary_large_image" /><link rel="icon" type="image/png" sizes="16x16" href="/img/favicon16x16.png" /><link rel="icon" type="image/png" sizes="24x24" href="/img/favicon24x24.png" /><link rel="icon" type="image/png" sizes="32x32" href="/img/favicon32x32.png" /><link rel="icon" type="image/png" sizes="48x48" href="/img/favicon48x48.png" /><link rel="icon" type="image/png" sizes="57x57" href="/img/favicon57x57.png" /><link rel="icon" type="image/png" sizes="60x60" href="/img/favicon60x60.png" /><link rel="icon" type="image/png" sizes="64x64" href="/img/favicon64x64.png" /><link rel="icon" type="image/png" sizes="70x70" href="/img/favicon70x70.png" /><link rel="icon" type="image/png" sizes="72x72" href="/img/favicon72x72.png" /><link rel="icon" type="image/png" sizes="76x76" href="/img/favicon76x76.png" /><link rel="icon" type="image/png" sizes="96x96" href="/img/favicon96x96.png" /><link rel="icon" type="image/png" sizes="114x114" href="/img/favicon114x114.png" /><link rel="icon" type="image/png" sizes="120x120" href="/img/favicon120x120.png" /><link rel="icon" 
type="image/png" sizes="128x128" href="/img/favicon128x128.png" /><link rel="icon" type="image/png" sizes="144x144" href="/img/favicon144x144.png" /><link rel="icon" type="image/png" sizes="150x150" href="/img/favicon150x150.png" /><link rel="icon" type="image/png" sizes="152x152" href="/img/favicon152x152.png" /><link rel="icon" type="image/png" sizes="196x196" href="/img/favicon196x196.png" /><link rel="icon" type="image/png" sizes="310x310" href="/img/favicon310x310.png" /><link rel="icon" type="image/png" sizes="310x150" href="/img/favicon310x150.png" /><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" /><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" /><link rel="stylesheet" href="/highlight/styles/default.css" /><link rel="stylesheet" href="/css/style.css" /><link rel="stylesheet" href="/css/palette.css" /><link rel="stylesheet" href="/css/codemirror.css" /><link rel="stylesheet" href="/css/custom.css" /></head><body class="docs"><div id="wrapper"><div id="sidebar-wrapper"><ul id="sidebar" class="sidebar-nav"><li class="sidebar-brand"><a href="/" class="brand"><div class="brand-wrapper"><span>VinylDNS</span></div></a></li> <li><a href="/api/index" class="">API documentation</a></li> <li><a href="/api/auth-mechanism.html" class=" active ">Authentication</a></li> <li><a href="/api/zone-model.html" class="">Zone</a> <ul class="sub_section"> <li><a href="/api/zone-model.html" class="">Zone Model</a></li> <li><a href="/api/create-zone.html" class="">Create Zone</a></li> <li><a href="/api/update-zone.html" class="">Update Zone</a></li> <li><a href="/api/delete-zone.html" class="">Delete Zone</a></li> <li><a href="/api/get-zone-by-id.html" class="">Get Zone by ID</a></li> <li><a href="/api/get-zone-by-name.html" class="">Get Zone by Name</a></li> <li><a href="/api/list-zones.html" class="">List / Search Zone</a></li> <li><a href="/api/sync-zone.html" 
class="">Sync Zone</a></li> <li><a href="/api/list-zone-changes.html" class="">List Zone Changes</a></li></ul></li> <li><a href="/api/recordset-model.html" class="">RecordSet</a> <ul class="sub_section"> <li><a href="/api/recordset-model.html" class="">RecordSet Model</a></li> <li><a href="/api/create-recordset.html" class="">Create RecordSet</a></li> <li><a href="/api/update-recordset.html" class="">Update RecordSet</a></li> <li><a href="/api/delete-recordset.html" class="">Delete RecordSet</a></li> <li><a href="/api/get-recordset.html" class="">Get RecordSet</a></li> <li><a href="/api/list-recordsets.html" class="">List / Search RecordSets</a></li> <li><a href="/api/get-recordset-change.html" class="">Get RecordSet Change</a></li> <li><a href="/api/list-recordset-changes.html" class="">List RecordSet Changes</a></li></ul></li> <li><a href="/api/batchchange-model.html" class="">Batch Change</a> <ul class="sub_section"> <li><a href="/api/batchchange-model.html" class="">Batch Change Model</a></li> <li><a href="/api/create-batchchange.html" class="">Create Batch Change</a></li> <li><a href="/api/get-batchchange.html" class="">Get Batch Change</a></li> <li><a href="/api/list-batchchanges.html" class="">List Batch Changes</a></li> <li><a href="/api/batchchange-errors.html" class="">Batch Change Errors</a></li></ul></li> <li><a href="/api/membership-model.html" class="">Membership</a> <ul class="sub_section"> <li><a href="/api/membership-model.html" class="">Membership Model</a></li> <li><a href="/api/create-group.html" class="">Create Group</a></li> <li><a href="/api/update-group.html" class="">Update Group</a></li> <li><a href="/api/delete-group.html" class="">Delete Group</a></li> <li><a href="/api/get-group.html" class="">Get Group</a></li> <li><a href="/api/list-groups.html" class="">List Groups</a></li> <li><a href="/api/list-group-admins.html" class="">List Group Admins</a></li> <li><a href="/api/list-group-members.html" class="">List Group Members</a></li> 
<li><a href="/api/list-group-activity.html" class="">List Group Activity</a></li></ul></li></ul></div><div id="page-content-wrapper"><div class="nav"><div class="container-fluid"><div class="row"><div class="col-lg-12"><div class="action-menu pull-left clearfix"><a href="#menu-toggle" id="menu-toggle"><i class="fa fa-bars" aria-hidden="true"></i></a></div><ul class="pull-right"><li id="gh-eyes-item" class="hidden-xs"><a href="https://github.com/VinylDNS/vinyldns"><i class="fa fa-eye"></i><span>WATCH<span id="eyes" class="label label-default">--</span></span></a></li><li id="gh-stars-item" class="hidden-xs"><a href="https://github.com/VinylDNS/vinyldns"><i class="fa fa-star-o"></i><span>STARS<span id="stars" class="label label-default">--</span></span></a></li></ul></div></div></div></div><div id="content" data-github-owner="VinylDNS" data-github-repo="vinyldns"><div class="content-wrapper"><section><h1 id="api-authentication">API Authentication</h1>
<p>The API Authentication for VinylDNS is modeled after the AWS Signature Version 4 Signing process. The AWS documentation for it can be found
<a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">here</a>. Similar to how the AWS Signature Version 4 signing
process adds authentication information to AWS requests, VinylDNS's API Authenticator also adds authentication information to every API request.</p>
<h4 id="vinyldns-api-authentication-process">VinylDNS API Authentication Process</h4>
<ol>
<li>Retrieve the Authorization HTTP Header (Auth Header) from the HTTP Request Context.</li>
<li>Parse the retrieved Auth Header into an AWS <em><a href="https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html">String to Sign</a></em> structure which should be in the form:</li>
</ol>
<div class="highlighter-rouge"><pre class="highlight"><code>StringToSign =
Algorithm + \n +
RequestDateTime + \n +
CredentialScope + \n +
HashedCanonicalRequest
</code></pre>
</div>
<p><em>String to Sign</em> Example:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/iam/aws4_request
f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59
</code></pre>
</div>
<ol start="3">
<li>Extract the access key from the Auth Header and search for the account associated with the access key.</li>
<li>Validate the signature of the request.</li>
<li>Build the authentication information, which essentially contains all the authorized accounts for the signed in user.</li>
</ol>
<h4 id="authentication-failure-response">Authentication Failure Response</h4>
<p>If any of these validations fail, a 401 (Unauthorized) or a 403 (Forbidden) error will be thrown; any other, unanticipated exceptions will simply bubble out and result in 500s or 503s.</p>
<ol>
<li>If the Auth Header is not found, then a 401 (Unauthorized) error is returned.</li>
<li>If the Auth Header cannot be parsed, then a 403 (Forbidden) error is returned.</li>
<li>If the access key cannot be found, then a 401 (Unauthorized) error is returned.</li>
<li>If the request signature cannot be validated, then a 403 (Forbidden) error is returned.</li>
</ol>
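<p>The authentication process and the failure responses above, as an added Python example of a server-side check (not VinylDNS's own code). Assumptions: the constructed <code>ACCOUNTS</code> store, the <code>X-Amz-Date</code> header as the source of <code>RequestDateTime</code> (a missing one is treated as a parse failure), and a <code>HashedCanonicalRequest</code> already computed by the caller.</p>

```python
import hashlib
import hmac
import re

# Constructed credential store: access key -> secret key (not real credentials).
ACCOUNTS = {"AKIDEXAMPLE": "constructed-secret-for-illustration"}

# Shape of a Signature Version 4 Authorization header.
AUTH_RE = re.compile(
    r"^(?P<alg>AWS4-HMAC-SHA256) "
    r"Credential=(?P<key>[^/]+)/(?P<scope>\d{8}/[^/]+/[^/]+/aws4_request), ?"
    r"SignedHeaders=(?P<signed>[^,]+), ?"
    r"Signature=(?P<sig>[0-9a-f]{64})$"
)

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(secret: str, scope: str, string_to_sign: str) -> str:
    """Derive the SigV4 signing key from the credential scope, then sign."""
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):       # date, region, service, aws4_request
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex()

def authenticate(headers: dict, hashed_canonical_request: str) -> int:
    """Return the HTTP status that the failure list assigns to each outcome."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401                      # Auth Header not found
    m = AUTH_RE.match(auth)
    # Assumption: a missing X-Amz-Date counts as an unparseable request.
    if m is None or "X-Amz-Date" not in headers:
        return 403                      # Auth Header cannot be parsed
    secret = ACCOUNTS.get(m["key"])
    if secret is None:
        return 401                      # access key not found
    string_to_sign = "\n".join(
        [m["alg"], headers["X-Amz-Date"], m["scope"], hashed_canonical_request]
    )
    expected = sign(secret, m["scope"], string_to_sign)
    # Constant-time comparison avoids leaking how many leading digits matched.
    if not hmac.compare_digest(expected, m["sig"]):
        return 403                      # signature cannot be validated
    return 200
```

<p>The sample values from the <em>String to Sign</em> example can be fed through <code>sign</code> to produce a header that <code>authenticate</code> accepts; changing any one of its four lines changes the signature and yields a 403.</p>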
</section><div class="edit-button"><a href="https://github.com/VinylDNS/vinyldns/edit/master/modules/docs/src/main/tut/api/auth-mechanism.md" class="btn-sm btn-info">Improve this page</a></div></div></div></div></div><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script><script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js"></script><script src="/highlight/highlight.pack.js"></script><script>hljs.configure({languages:['scala','java','bash']});
hljs.initHighlighting();
</script><script>((window.gitter = {}).chat = {}).options = {
room: 'vinyldns/Lobby'};</script><script src="https://sidecar.gitter.im/dist/sidecar.v1.js"></script><script src="/js/main.js"></script></body></html>