Sunday, May 16, 2010

WSSE Authentication in TypePad Atom Publishing API

Yes, Typepad.com has its very own Atom Publishing API. You can find it here. Be warned, though: if you use it, bear in mind that it is in an "alpha" state and will change with or without notice.

Briefly, the API doesn't use the regular give-me-your-username-and-password scheme for authentication. Instead, since the API is based on Atom, it uses the authentication scheme Atom adopted: the WSSE Username Token (PDF). Let's discuss below how it works and how to implement it.

As shown in the text here, WSSE authentication is sent as a request header named "X-WSSE" (alongside headers like Content-Type, Content-Encoding, etc.). Examine the sample request header below.

X-WSSE: UsernameToken  Username="youremail@yourdomain.com",
PasswordDigest="VfJavTaTy3BhKkeY/WVu9L6cdVA=",
Created="2004-01-20T01:09:39Z",
Nonce="7c19aeed85b93d35ba42e357f10ca19bf314d622"


Username is the email address you used to register with Typepad. The API doc says "Typepad username", but there is no separate username other than your email, so don't be confused.

Created is the ISO-8601 timestamp marking when the Nonce was created. At least, that is what it is supposed to be, even if it is poorly implemented: in practice you can put in anything as its value, even if it's not a valid date.

Nonce is a unique key produced by your client / application talking to Typepad's Atom API, one for each request. Usually you can produce this value from session IDs, pseudo-random numbers, sequences, etc. The API has nothing to do with its creation; it's your application that does it.

PasswordDigest is the base64-encoded value of the raw SHA-1 digest of the concatenation of your Nonce, Created and Typepad password, in that order. Make sure you use the 20-byte binary digest and not its 40-hex-digit equivalent, or you might encounter problems; some languages (e.g. PHP) offer both forms. See the example PHP snippet below for how it's calculated.

session_start();
$nonce = session_id();   // nonce: the session ID here (it stays the same for the whole session; a fresh random value per request is stricter)
$created = date("c");    // ISO-8601 timestamp, e.g. 2010-05-16T10:30:00+00:00
$pass = "your-typepad-password";   // your Typepad password (placeholder value)
// raw 20-byte binary SHA-1 (second argument TRUE), then base64-encode it
$pass_digest = base64_encode(sha1($nonce . $created . $pass, TRUE));


Now that you have all the values required, build the X-WSSE header string and add it to the request headers of your API calls. If you've understood and followed the steps above, you should be able to authenticate and use the service / API without any problems.
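Putting the pieces together as an added example (Python, not the post's PHP snippet or Typepad's own code): a client-side builder for the X-WSSE value, and a server-side verifier that, unlike the API as described above, actually checks Created, rejects replayed nonces and expects the digest over the raw 20-byte SHA-1 rather than its hex form. The username, password and password-lookup function are constructed placeholders.

```python
import base64, hashlib, hmac, os, re
from datetime import datetime, timedelta, timezone
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"
_FIELD = re.compile(r'(\w+)="([^"]*)"')

def password_digest(nonce, created, password, raw=True):
    # raw=True: base64 of the 20-byte binary digest (PHP sha1(..., TRUE)); raw=False: the 40-hex-digit pitfall
    h = hashlib.sha1((nonce + created + password).encode("utf-8"))
    data = h.digest() if raw else h.hexdigest().encode("ascii")
    return base64.b64encode(data).decode("ascii")

def build_wsse_header(username, password, nonce=None, created=None):
    # Client side: the X-WSSE value, with a fresh random nonce for every request.
    nonce = nonce or os.urandom(20).hex()
    created = created or datetime.now(timezone.utc).strftime(ISO_FMT)
    digest = password_digest(nonce, created, password)
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Created="{created}", Nonce="{nonce}"')

def parse_wsse_header(value):
    # Split the header value into its quoted fields (missing ones come back as "").
    if not value.strip().startswith("UsernameToken"):
        raise ValueError("not a UsernameToken header")
    fields = dict(_FIELD.findall(value))
    return {k: fields.get(k, "") for k in ("Username", "PasswordDigest", "Created", "Nonce")}

def verify_wsse_header(value, lookup_password, seen_nonces=None,
                       max_skew=timedelta(minutes=5), now=None):
    # Server side: accept only a fresh Created, an unseen Nonce and a digest
    # over the raw 20-byte SHA-1 (stricter than the API described above).
    f = parse_wsse_header(value)
    try:
        created = datetime.strptime(f["Created"], ISO_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False  # missing or malformed ISO-8601 UTC timestamp
    now = now or datetime.now(timezone.utc)
    if abs(now - created) > max_skew:
        return False  # stale or future-dated
    if seen_nonces is not None and f["Nonce"] in seen_nonces:
        return False  # replay of an already-used nonce
    password = lookup_password(f["Username"])
    if password is None:
        return False
    expected = password_digest(f["Nonce"], f["Created"], password)
    if not hmac.compare_digest(expected, f["PasswordDigest"]):
        return False
    if seen_nonces is not None:
        seen_nonces.add(f["Nonce"])  # record only after a successful check
    return True
```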