
Authorization

Last Updated: Mar 29, 2018

For every request, Function Compute (FC) checks the Authorization field in the request headers to authorize the request. Only requests from clients that use the same signature algorithm as the FC server can pass verification. For a request that neither contains a signature header nor has a valid signature, Function Compute returns an HTTP 403 error.

Signature algorithm

  signature = base64(hmac-sha256(HTTP_METHOD + "\n"
                  + CONTENT-MD5 + "\n"
                  + CONTENT-TYPE + "\n"
                  + DATE + "\n"
                  + CanonicalizedFCHeaders
                  + CanonicalizedResource))
  Authorization = "FC " + accessKeyID + ":" + signature

  • HTTP_METHOD indicates the HTTP Method in uppercase (such as PUT, GET, POST, and DELETE).
  • CONTENT-MD5 indicates the MD5 value of the request content. If the request header does not contain Content-MD5, leave this field blank.
  • CONTENT-TYPE indicates the request content type.
  • DATE indicates the time at which the request occurred. It cannot be blank, and currently only the GMT format is supported.
    • Note: The difference between the DATE that is provided by clients and the system time of the FC server processing the request must be less than 15 minutes. Otherwise, FC rejects the request.
  • CanonicalizedFCHeaders indicates a string that consists of all the HTTP headers prefixed with x-fc-. The following section describes how the string is generated.
  • CanonicalizedResource indicates the request URL path, for example, /2016-08-15/services/my-service/functions?limit=100.
  • hmac-sha256 uses your AccessKeySecret as its key.

CanonicalizedFCHeaders

Follow these steps to generate CanonicalizedFCHeaders:

  1. Locate all the fields starting with x-fc- in request headers (case insensitive).
    • For fields that match the specified prefix, convert the field names into lowercase letters, and then sort these field names in ascending order.
  2. Generate a string ${key}:${value}\n for each field:
    • ${key} is the key of the HTTP header (in lowercase).
    • ${value} is the value of the HTTP header.
    • For example: X-Fc-Invocation-Type: Sync is converted to x-fc-invocation-type:Sync\n.
  3. Combine all previously generated strings into a new string.

The following pseudocode details CanonicalizedFCHeaders generation:

  // javascript
  // prefix = 'x-fc-'
  function buildCanonicalHeaders(headers, prefix) {
    // Header names are matched case-insensitively, so lowercase them first.
    var lowered = {};
    var list = [];
    var keys = Object.keys(headers);
    for (let i = 0; i < keys.length; i++) {
      var key = keys[i].toLowerCase();
      if (key.startsWith(prefix)) {
        lowered[key] = headers[keys[i]];
        list.push(key);
      }
    }
    // Sort the lowercase field names in ascending order.
    list.sort();
    var canonical = '';
    for (let i = 0; i < list.length; i++) {
      const key = list[i];
      // One "key:value\n" entry per matching header.
      canonical += `${key}:${lowered[key]}\n`;
    }
    return canonical;
  }
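
The signing steps above carried through end to end, as an added Node.js example that is not part of the original page or of the FC SDKs: it builds the string to sign, produces the Authorization value, and checks a request the way a verifier would, including the 15-minute DATE window. The function names, the placeholder key ID and secret, and the constant-time comparison in verify() are assumptions made for this example.

```javascript
const crypto = require('crypto');

const MAX_SKEW_MS = 15 * 60 * 1000; // DATE must be less than 15 minutes from server time

// Case-insensitive header lookup; an absent header signs as an empty string.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? '' : String(headers[key]);
}

// CanonicalizedFCHeaders: lowercase x-fc-* names, sort ascending, "key:value\n" each.
function canonicalFCHeaders(headers) {
  return Object.keys(headers)
    .map((k) => [k.toLowerCase(), headers[k]])
    .filter(([k]) => k.startsWith('x-fc-'))
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${k}:${v}\n`)
    .join('');
}

// Client side: build the string to sign and return the Authorization value.
function sign(method, resource, headers, accessKeyID, accessKeySecret) {
  const stringToSign = [
    method.toUpperCase(),
    header(headers, 'content-md5'),
    header(headers, 'content-type'),
    header(headers, 'date'),
  ].join('\n') + '\n' + canonicalFCHeaders(headers) + resource;
  const signature = crypto.createHmac('sha256', accessKeySecret)
    .update(stringToSign, 'utf8').digest('base64');
  return `FC ${accessKeyID}:${signature}`;
}

// Verifier side (assumed logic): reject stale dates, then compare in constant time.
function verify(method, resource, headers, accessKeyID, accessKeySecret, nowMs) {
  const sent = Date.parse(header(headers, 'date'));
  if (Number.isNaN(sent) || Math.abs(nowMs - sent) >= MAX_SKEW_MS) return false;
  const expected = Buffer.from(sign(method, resource, headers, accessKeyID, accessKeySecret));
  const received = Buffer.from(header(headers, 'authorization'));
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// Constructed sample: placeholder credentials, not real ones.
const sample = { Date: 'Mon, 08 May 2017 03:08:31 GMT', 'X-Fc-Invocation-Type': 'Sync' };
const resource = '/2016-08-15/services/my-service/functions?limit=100';
sample.Authorization = sign('GET', resource, sample, 'EXAMPLE_KEY_ID', 'EXAMPLE_SECRET');
console.log(sample.Authorization);
```

Because the x-fc- headers and the resource are part of the signed string, changing either after signing makes verify() return false.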

Sample request

Request:

  GET /2016-08-15/services?limit=100&nextToken=&prefix=&startKey= HTTP/1.1
  Host: 1237050315505682.fc.cn-shanghai.aliyuncs.com
  User-Agent: go-sdk-0.1
  Accept: application/json
  Authorization: FC LTAIUyt0Yeq1rgqo:GBmoz6OwC7bobTlD1jboBZ9PkaZ1e4cKsQ+5/dlLTns=
  Date: Mon, 08 May 2017 03:08:31 GMT
  X-User-Agent: go-resty v0.11 - https://github.com/go-resty/resty
  Accept-Encoding: gzip

Response:

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=utf-8
  X-Fc-Request-Id: ab7c7602-0922-f04f-b4ee-923cd7df7fb0
  Date: Mon, 08 May 2017 03:08:31 GMT
  Transfer-Encoding: chunked

Sample code

You can also see released SDKs for FC signature generation:
