Add a signature to URL

Last Updated: Mar 20, 2017

In addition to using an authorization header, you can also add signature information to a URL so that you can forward the URL to a third party for authorized access.

Implementation

URL signature example:

  1. http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf?AccessKeyId=AccessKeyId&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D

The URL signature must include at least the following three parameters: Signature, Expires, and AccessKeyId.

  • The Expires parameter indicates the timeout time of the URL. The value of this parameter is UNIX time (which is the number of seconds that have elapsed since 00:00:00 UTC, January 1, 1970. For details, see Wikipedia). If the time when the OSS receives the URL request is later than the value of the Expires parameter included in the signature, an error code indicating that the request has timed out will be returned. For example, if the current time is 1141889060, to create a URL that will expire in 60 seconds, you can set the value of Expires to 1141889120.
  • AccessKeyId refers to the AccessKeyId in the key.
  • Signature indicates the signature information. For all requests and header parameters that OSS supports, the algorithm for adding a signature to a URL is basically the same as that for adding a signature to a header.
    1. Signature = urlencode(base64(hmac-sha1(AccessKeySecret,
    2. VERB + "\n"
    3. + CONTENT-MD5 + "\n"
    4. + CONTENT-TYPE + "\n"
    5. + EXPIRES + "\n"
    6. + CanonicalizedOSSHeaders
    7. + CanonicalizedResource)))

Specifically, the differences mainly lie in the following:

  1. When a signature is added to a URL, the Expires parameter replaces the Date parameter.
  2. Signatures cannot be included in the URL and the Header at the same time.
  3. If there are more than one incoming Signature, Expires, or AccessKeyId value, the first of each incoming value is used.
  4. Whether the request time is later than the Expires time is verified first before the signature is verified.
  5. When you put the signature string into the URL, remember to perform the UrlEncode for the URL.
  • When you add a signature to a temporary user URL, the ‘security-token’ should be carried. The format is as follows:
    1. http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf?AccessKeyId=AccessKeyId&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D&security-token=SecurityToken

Sample code

Python sample code used to add a signature to a URL:

  1. import base64
  2. import hmac
  3. import sha
  4. import urllib
  5. h = hmac.new("OtxrzxIsfpFjA7SwPzILwy8Bw21TLhquhboDYROV",
  6. "GET\n\n\n1141889120\n/oss-example/oss-api.pdf",
  7. sha)
  8. urllib.quote (base64.encodestring(h.digest()).strip())

Note:

  • The above is the Python sample code
  • OSS SDK provides the method for adding a signature into the URL. For usage, see the ‘Authorize Access’ section in the SDK file.
  • For the implementation of adding a signature to the OSS SDK URL, see the table below.
SDK URL signature method Implementation file
Java SDK OSSClient.generatePresignedUrl OSSClient.java
Python SDK Bucket.sign_url api.py
.Net SDK OssClient.GeneratePresignedUri OssClient.cs
PHP SDK OssClient.signUrl OssClient.php
JavaScript SDK signatureUrl object.js
C SDK oss_gen_signed_url oss_object.c

Detail analysis

  1. If you adopt the approach of adding a signature to a URL, the authorized data will be exposed on the internet before the authorization period expires. Please assess the usage risks in advance.
  2. The PUT and GET requests both support adding a signature in a URL.
  3. When a signature is added to a URL, the sequence of Signature, Expires, and AccessKeyId can be swapped. If one or more Signature, Expires, or AccessKeyId parameter are missing, the error 403 Forbidden will be returned. Error code: AccessDenied.
  4. If the current access time is later than the Expires time set in the request, the error 403 Forbidden will be returned. Error code: AccessDenied.
  5. If the format of the Expires time is incorrect, the error 403 Forbidden will be returned. Error code: AccessDenied.
  6. If the URL includes one or more Signature, Expires, or AccessKeyId parameter and the header also includes signature information, the error 400 Bad Request will be returned. Error code: InvalidArgument.
  7. When the signature string is generated, the Date parameter is replaced by the Expires parameter, but the headers such as content-type and content-md5 defined in the foregoing section are still included. (Though the Date request header still exists in the request, it does not need to be added to the signature string.)
Thank you! We've received your feedback.