
Signature mechanism

Last Updated: Mar 23, 2017

The Access Key ID and Access Key Secret are officially issued to users by Alibaba Cloud. Users can apply for and manage them on the official Alibaba Cloud website.

The Access Key ID indicates the identity of the user.

The Access Key Secret is the secret key used to compute the signature string on the client and to verify it on the server. It must be kept strictly confidential and should be known only to Alibaba Cloud and the user.

MNS authenticates every request, so every request sent to MNS must carry signature information. MNS uses a symmetric scheme: it recomputes the signature from the Access Key ID and Access Key Secret and compares it with the one the sender provided. If the computed result matches, the request is considered valid; otherwise MNS rejects the request and returns HTTP error code 403.

The user adds an Authorization header carrying the signature to the HTTP request to show that the request is authorized. MNS requires the signature to be carried in the HTTP header in the following form (a single space after "MNS", a colon between the Access Key ID and the signature):

  Authorization: MNS AccessKeyId:Signature

The signature computation method is as follows:

  Signature = base64(hmac-sha1(VERB + "\n"
              + CONTENT-MD5 + "\n"
              + CONTENT-TYPE + "\n"
              + DATE + "\n"
              + CanonicalizedMNSHeaders
              + CanonicalizedResource))

  • VERB indicates the HTTP method (for example: PUT).
  • CONTENT-MD5 indicates the MD5 value of the request body (refer to item 3 in “Other Issues”).
  • CONTENT-TYPE indicates the content type of the request (refer to item 3 in “Other Issues”).
  • DATE indicates the operation time and cannot be left blank; only the GMT format is supported (for example: ‘Thu, 17 Mar 2012 18:49:58 GMT’). If the gap between the request time and the MNS server time exceeds 15 minutes, MNS regards the request as invalid and returns HTTP error code 400. See part 5 of this document for the related error information and error codes.
  • CanonicalizedMNSHeaders is the combination of the headers starting with “x-mns-” in the HTTP request (see “Note” below for the exact rules).
  • CanonicalizedResource indicates the URI (uniform resource identifier) of the resource requested over HTTP (for example: ‘/queues/$queueName?metaOverride=true’).

Note:

CanonicalizedMNSHeaders (the headers starting with ‘x-mns-’) must comply with the following rules before authentication:

  • The header name must be in lower-case letters.
  • The headers must be sorted in ascending order.
  • There must be no space before or after the colon that separates the header name from its value.
  • Each header must be followed by one ‘\n’. If there is no header starting with ‘x-mns-’, CanonicalizedMNSHeaders is the empty string in the signature.

Other Issues:

  • The string used for the signature is encoded in UTF-8.
  • The signing method is HMAC-SHA1 as defined in [RFC 2104](http://www.ietf.org/rfc/rfc2104.txt). The key is the AccessKeySecret.
  • Content-Type and Content-MD5 are optional in the request. When a signed request omits one of them, its place in the string to sign is an empty value, so only the terminating ‘\n’ remains.
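The signing steps above and their server-side counterpart, as an added example in Python (not code from this page or from an MNS SDK). The access key id and secret, the x-mns-* header values and the queue resource are constructed placeholders; the date-window check is the server's side of the 15-minute rule described for DATE.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def canonicalized_mns_headers(headers):
    """Keep only x-mns-* headers, lower-case the names, sort ascending and
    emit one 'name:value' line per header (no space around the colon),
    each ending in a newline; empty string when there is none."""
    picked = [f"{n.strip().lower()}:{str(v).strip()}" for n, v in headers.items()
              if n.strip().lower().startswith("x-mns-")]
    return "".join(h + "\n" for h in sorted(picked))

def string_to_sign(verb, content_md5, content_type, date, headers, resource):
    """The string laid out by the signature formula; an omitted Content-MD5 or
    Content-Type is an empty value whose newline terminator is still present."""
    return (verb + "\n" + content_md5 + "\n" + content_type + "\n" + date + "\n"
            + canonicalized_mns_headers(headers) + resource)

def sign(access_key_secret, sts):
    """Signature = base64(HMAC-SHA1(AccessKeySecret, UTF-8 string to sign))."""
    mac = hmac.new(access_key_secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def authorization_header(access_key_id, access_key_secret, sts):
    """Value of the Authorization header: 'MNS <AccessKeyId>:<Signature>'."""
    return f"MNS {access_key_id}:{sign(access_key_secret, sts)}"

def verify(access_key_secret, sts, presented):
    """Server side: recompute from the secret and compare in constant time."""
    return hmac.compare_digest(sign(access_key_secret, sts), presented)

def _parse_http_date(value):
    """Aware datetime from an RFC 1123 (GMT) date, or None if absent/malformed."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # None, '18Mar 2012' and similar end here
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def date_within_skew(date_header, now=None, max_skew=timedelta(minutes=15)):
    """Server side: Date must parse and lie within 15 minutes of the server
    clock ('now' may be a datetime or an HTTP date string; default: UTC now)."""
    sent = _parse_http_date(date_header)
    if sent is None:
        return False
    now = datetime.now(timezone.utc) if now is None else now
    now = _parse_http_date(now) if isinstance(now, str) else now
    return abs(now - sent) <= max_skew
```

`verify` recomputes the signature rather than decoding anything: a wrong secret, a tampered verb, header or resource, or a re-sorted x-mns-* header all yield a different string to sign and therefore a mismatch.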

A request example follows:

  PUT /queues/$queueName?metaOverride=true HTTP/1.1
  Host: $AccountId.mns.cn-hangzhou.aliyuncs.com
  Date: Wed, 08 Mar 2012 12:00:00 GMT
  Authorization: MNS 15B4D3461F177624206A:xQE0diMbLRepdf3YB+FIEXAMPLE=
  <?xml version="1.0" encoding="UTF-8"?>
  <Queue xmlns="http://mns.aliyuncs.com/doc/v1/">
  <VisibilityTimeout>60</VisibilityTimeout>
  <MaximumMessageSize>1024</MaximumMessageSize>
  <MessageRetentionPeriod>120</MessageRetentionPeriod>
  <DelaySeconds>30</DelaySeconds>
  </Queue>

If the supplied Access Key ID does not exist or the access key is inactive, HTTP error code 403 (Forbidden) is returned.

Response example:

  Content-Type: text/xml
  Content-Length: 314
  Date: Wed, 18 Mar 2012 08:04:06 GMT
  x-mns-request-id: 512B2A634403E52B1956133E
  <?xml version="1.0" encoding="utf-8"?>
  <Error xmlns="http://mns.aliyuncs.com/doc/v1/">
  <Code>AccessIDAuthError</Code>
  <Message>
  AccessID authentication fail, please check your AccessID and retry.
  </Message>
  <RequestId>512B2A634403E52B1956133E</RequestId>
  <HostId>mns.cn-hangzhou.aliyuncs.com</HostId>
  </Error>

If the Date header is missing or its format is incorrect, HTTP error code 403 (Forbidden) is returned.

Response example:

  Content-Type: text/xml
  Content-Length: 274
  Date: Wed, 18 Mar 2012 08:04:06 GMT
  x-mns-request-id: 512B2A634403E52B1956133E
  <?xml version="1.0" encoding="UTF-8"?>
  <Error xmlns="http://mns.aliyuncs.com/doc/v1/">
  <Code>InvalidArgument</Code>
  <Message>Date header is invalid or missing.</Message>
  <RequestId>7E1A5CF258F535884403E533</RequestId>
  <HostId>mns.cn-hangzhou.aliyuncs.com</HostId>
  </Error>

The request time must be within 15 minutes of the current time of the MNS server. Otherwise, HTTP error code 408 (Timeout) is returned.

Response example:

  Content-Type: text/xml
  Content-Length: 283
  Date: Wed, 11 May 2011 09:01:51 GMT
  x-mns-request-id: 512B2A634403E52B1956133E
  <?xml version="1.0" encoding="UTF-8"?>
  <Error xmlns="http://mns.aliyuncs.com/doc/v1/">
  <Code>TimeExpired</Code>
  <Message>
  The http request you sent is expired.
  </Message>
  <RequestId>512B2A634403E52B1956133E</RequestId>
  <HostId>mns.cn-hangzhou.aliyuncs.com</HostId>
  </Error>