ApsaraVideo Live allows you to add a specific signature header to each HTTP or HTTPS callback request. This way, the server that receives callback messages can authenticate the signature to prevent illegal or invalid requests. This topic describes the parameters, rules, and considerations of HTTP callback authentication.
Authentication parameters
The following table describes the authentication parameters that can be added to HTTP callback request headers.
| Parameter | Description |
|---|---|
| ALI-LIVE-TIMESTAMP | The time when the callback request is initiated. The value is a UNIX timestamp. Unit: seconds. |
| ALI-LIVE-SIGNATURE | The signature string, which is an MD5 value that is 32 characters in length. For more information, see the Signature calculation section of this topic. |
Signature calculation
The value of the ALI-LIVE-SIGNATURE parameter is generated based on the values of the parameters described in the following table.
| Parameter | Example | Description |
|---|---|---|
| Callback domain | learn.aliyundoc.com | The hostname in the callback URL. If the callback URL is https://learn.aliyundoc.com/your/callback, the callback domain is learn.aliyundoc.com. |
| ALI-LIVE-TIMESTAMP | 1519375990 | The time when the callback request is initiated. The value is a UNIX timestamp. Unit: seconds. |
| NotifyAuthKey | yourkey | The signature key that you specified. Note You can call the UpdateLiveSnapshotNotifyConfig operation to modify the key. |
Concatenate the parameters
Concatenate the preceding three parameters by separating them with vertical bars (|), and then calculate the MD5 value of the concatenated string. The following sample code provides an example:
MD5Content = Callback domain|ALI-LIVE-TIMESTAMP|NotifyAuthKey
ALI-LIVE-SIGNATURE = md5sum(MD5Content)Calculate the signature string
The following example shows how to calculate the value of the ALI-LIVE-SIGNATURE parameter:
ALI-LIVE-SIGNATURE = md5sum(learn.aliyundoc.com|1519375990|yourkey)Authentication rules
- The server that receives callback messages concatenates the callback domain, ALI-LIVE-TIMESTAMP, and NotifyAuthKey into a string and calculates the MD5 value of the string. Then, the server compares the MD5 value with the obtained value of the ALL-LIVE-SIGNATURE parameter. If the two values are different, the server rejects the request.
- The server that receives callback messages obtains the current time and calculates the difference between the current time and the time specified by the ALI-LIVE-TIMESTAMP parameter in the callback request. If the time difference exceeds the limit set by the server, such as 5 minutes, the server rejects the request.
Note The calculated time difference may be inaccurate due to incorrect time settings. Therefore, time difference verification is optional. You can determine whether to enable time difference verification for the server that receives callback messages.
Considerations
- Callback authentication is optional. We recommend that you enable callback authentication. If you specify the NotifyAuthKey parameter, callback requests carry all authentication-related content for the authentication performed by the server that receives callback messages. You can determine whether to enable callback authentication for the server.
- If you do not specify the NotifyAuthKey parameter, your business is not affected.
- If you modify the signature key, the updated key takes effect only after you restart stream ingest. The previous key is still valid for the ongoing stream ingest.