User Signature Authentication

For user authentication purposes, you are issued an access key ID (AK) and a secret access key (SK) upon registration in OBS. For a request sent to OBS, the request header must contain the authentication information generated based on the SK, request time, and request type.

In OBS, signatures are authenticated in the common or temporary manner, or in the form-based object upload manner.

Figure 1, Figure 2, Figure 3, and Figure 4 show the signature calculation process.

Figure 1 OBS signature calculation process (1)
Figure 2 OBS signature calculation process (1)

1. Before the client calls an OBS API, it constructs an HTTP message based on the API format defined by OBS. After the HTTP message is constructed, the client extracts a specific character string from the HTTP message based on the signature calculation rule to construct the StringToSign needed by the signature.

2. The client uses its own secret access key and the constructed StringToSign to calculate the signature character string.

3. The client adds a signature header field to the HTTP message header, and includes the user's access key and the calculated signature character string in the signature header field. The client sends the HTTP message that carries the signature header field to OBS, and waits for OBS to return the authentication result.

Figure 3 OBS signature calculation process (2)
Figure 4 OBS signature calculation process (2)

4. After the OBS server receives the request from the client, it retrieves the user's secret access key based on the access key included in the signature header field.

5. The OBS server extracts a specific character string from the HTTP message based on the signature calculation rule to construct the StringToSign needed by the signature. OBS uses the secret access key and the StringToSign to calculate the signature character string.

6. OBS compares the signature character string calculated by the OBS server with the signature character string carried in the request header. If the two signatures are the same, the client is using the correct secret access key, and the client identity is confirmed as authorized. OBS then performs subsequent processing as the API defines. If the two signatures differ, the client is using an incorrect secret access key, and the client identity is confirmed as unauthorized. OBS then rejects the request.
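Steps 1 to 6 can be followed end to end in the sketch below, which is an added example and not OBS code. This page does not define the StringToSign layout, the hash algorithm, or the header syntax, so the field order, HMAC-SHA1 with Base64, the `Authorization: OBS AK:signature` form, and the key values are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed credential store (placeholder values, not real keys).
SECRET_KEYS = {"AKEXAMPLE0000000001": "sk-example-constructed-secret"}


def string_to_sign(method, headers, resource):
    """Steps 1 and 5: extract the signed fields from the HTTP message.
    Assumed layout: verb, Content-MD5, Content-Type, Date, resource."""
    return "\n".join([
        method,
        headers.get("Content-MD5", ""),
        headers.get("Content-Type", ""),
        headers.get("Date", ""),
        resource,
    ])


def sign(secret_key, sts):
    """Step 2: keyed hash over StringToSign (HMAC-SHA1 + Base64 assumed)."""
    mac = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def client_request(ak, sk, method, headers, resource):
    """Step 3: add the signature header carrying the AK and the signature."""
    signed = dict(headers)
    signature = sign(sk, string_to_sign(method, headers, resource))
    signed["Authorization"] = f"OBS {ak}:{signature}"
    return signed


def server_verify(method, headers, resource):
    """Steps 4-6: look up the SK by AK, recompute the signature, compare."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    ak, _, presented = credential.partition(":")
    sk = SECRET_KEYS.get(ak)
    if scheme != "OBS" or sk is None:
        return False
    expected = sign(sk, string_to_sign(method, headers, resource))
    # Constant-time comparison: do not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), presented.encode())
```

Because the SK never travels with the request, changing any signed field (method, date, resource) after signing makes the server-side recomputation differ and the request is rejected.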

Registration