AMX Authorization Header
The AMX Authorization Header is used to secure access to the Application Management API. It carries a per-call token computed from the API ID and API key that were provided to your application: the request body is hashed, the hash is concatenated with the request method, the request URL, a time stamp and a nonce, and the result is signed with an HMAC keyed by the API key. The nonce and time stamp tie each header to a single request, so the API key itself is never sent. Build the header as follows:
- Hash the content of the request using the MD5 algorithm.
- Base 64 encode the hash. This is the Request Content Base 64 string. (If the request has no body, this string is left empty, as in the C# example below.)
- Generate a Request Time Stamp (seconds since the UNIX epoch, UTC).
- Generate a Nonce (a random value that is unique for each request).
- Generate the Signature Data by concatenating the following six elements, in this order and with no separators:
    - Your API ID
    - Request method (for example POST)
    - Request URL (the C# example lower-cases the URL and then URL-encodes it; the server must rebuild exactly the same string, so use the same canonical form)
    - Request time stamp
    - Nonce
    - Request Content Base 64 string
- Convert the Signature Data to a byte array. This is the Signature. (The C# example below uses the raw UTF-8 bytes of the Signature Data; base 64 encoding the Signature Data at this step would give a different HMAC.)
- Convert the API key (which is base 64 encoded) into a byte array by base 64 decoding it. This is the Secret Key Byte Array.
- Calculate the SHA 256 HMAC of the Signature, with the HMAC initialized with the Secret Key Byte Array.
- Base 64 encode the SHA 256 HMAC of the Signature. This is the Signature HMAC.
- Construct the AMX header by combining the following into a colon-separated string, preceded by the scheme name amx and a space:
    - Your API ID
    - Signature HMAC
    - Nonce
    - Request time stamp
Note that MD5 only summarizes the request body; proof of possession of the API key comes from the HMAC-SHA256, so a captured header does not reveal the key. MD5 is collision-prone, however, so two different bodies that produce the same MD5 value would validate under the same header.
The resulting header will be similar to the following:
amx 2f6e9850e69c4d98a096f90717e05fea:E9XhgYR8PBjEmt765YS/5GcD3OOnX0HzHvEHbtSRMlI=:7ed378c1967441bbafa469e1d88f7d18:1475264552
The following is an example in C#:
using System;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main(string[] args)
    {
        // Request being signed (sample values)
        string requestString = "https://open.allscripts.com/authmgmt/api/client/add";
        string requestContent = "{ 'client_name' : 'My Cool App 2', 'application_type' : 'native', 'client_type' : 'confidential', 'redirect_uris': ['http://localhost/callback','urn:ietf:wg:oauth:2.0:oob', 'https://www.getpostman.com/oauth2/callback']}";
        string requestHttpMethod = "POST";

        // API ID and base 64 encoded API key issued for the application (sample values)
        string _appID = "2f6e9850e69c4d98a096f90717e05fea";
        string _apiKey = "pADfT6idcLKglD3ZccE4ixsAwZR5ePSvI6y5J3sn61M=";

        // Canonical form of the request URL: lower-cased, then URL-encoded
        string requestUri = System.Web.HttpUtility.UrlEncode(requestString.ToLower());
        string requestContentBase64String = string.Empty;

        // Calculate UNIX time (whole seconds since 1970-01-01T00:00:00Z)
        DateTime epochStart = new DateTime(1970, 01, 01, 0, 0, 0, 0, DateTimeKind.Utc);
        TimeSpan timeSpan = DateTime.UtcNow - epochStart;
        string requestTimeStamp = Convert.ToUInt64(timeSpan.TotalSeconds).ToString();

        // Create a random nonce for each request (32 hex characters, no dashes)
        string nonce = Guid.NewGuid().ToString("N");

        // Hash the request body: any change to the body produces a different hash,
        // so the body is covered by the signature. An empty body leaves this string empty.
        if (!string.IsNullOrEmpty(requestContent))
        {
            byte[] content = Encoding.UTF8.GetBytes(requestContent);
            using (MD5 md5 = MD5.Create())
            {
                byte[] requestContentHash = md5.ComputeHash(content);
                requestContentBase64String = Convert.ToBase64String(requestContentHash);
            }
        }

        // Signature Data: the six elements concatenated in order, with no separators
        string signatureRawData = String.Format("{0}{1}{2}{3}{4}{5}", _appID, requestHttpMethod, requestUri, requestTimeStamp, nonce, requestContentBase64String);

        // Secret Key Byte Array: base 64 decode the API key
        var secretKeyByteArray = Convert.FromBase64String(_apiKey);

        // Signature: the UTF-8 bytes of the Signature Data
        byte[] signature = Encoding.UTF8.GetBytes(signatureRawData);

        using (HMACSHA256 hmac = new HMACSHA256(secretKeyByteArray))
        {
            // Signature HMAC: HMAC-SHA256 over the Signature, base 64 encoded
            byte[] signatureBytes = hmac.ComputeHash(signature);
            string requestSignatureBase64String = Convert.ToBase64String(signatureBytes);

            // Authorization header using the custom scheme (amx):
            // amx {API ID}:{Signature HMAC}:{Nonce}:{Request time stamp}
            var authorizationHeader = "amx " + string.Format("{0}:{1}:{2}:{3}", _appID, requestSignatureBase64String, nonce, requestTimeStamp);
            Console.WriteLine("AuthorizationHeader " + authorizationHeader);
            Console.WriteLine();
            Console.WriteLine("Press Enter to continue");
            Console.ReadLine();
        }
    }
}
The following is an example in JavaScript:
The following is an example in Java: