SmartThings Community

Authorization Header keyid?


(Mark Dunsford) #1

The Authorization header that is sent with WebHook posts sent by custom Automations contains a ‘keyid’ field which, I am assuming, relates to the keys used for signing and validating the field.

Does anyone know how this is derived and where I can find it? (Other than by monitoring incoming packets, that is.)

My application will have several Automations calling the same Web service so will need to match up the appropriate public key to the incoming requests.

Edit: I suspect the numeric portion of the keyid may be the key’s fingerprint/MD5 hash, but I have not been able to generate anything that matches so far, so I may be wrong on that.


(Tony Fleisher) #2

I think the docs here should answer your question:
https://smartthings.developer.samsung.com/develop/guides/smartapps/webhook-apps.html


(Mark Dunsford) #3

Thanks for the suggestion, it has helped me progress a little further.

Although I’d used those docs when creating my web hook I hadn’t looked at the linked libraries very closely.

From looking at the python and java examples the numeric portion of the keyid is just an MD5 hash of the base64 decoded body of the key.

I’ve duplicated both the Java and Python routines and can get hashes in the right format.

Unfortunately that doesn’t give a matching fingerprint for any key I’ve tried so I think I’m still missing a vital element.

(Suspiciously, the Python library describes the fingerprint routine as “currently busted” which is a little worrying)


(Tony Fleisher) #4

Yeah. It looks like MD5, but I'm not sure if it is a standard RSA fingerprint or if SmartThings uses some special data to generate the keyId. It is somewhat surprising this isn’t documented.

Perhaps @Jim can provide more details.
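Added example, not part of any post in this thread and not SmartThings code: the same RSA public key hashed with MD5 over three common encodings, showing that a fingerprint made from the "MD5 of the base64-decoded key body" depends on which encoding is hashed. It does not claim to reproduce how the keyid is derived; `N` is a constructed stand-in modulus and all function names are this example's own.

```python
import base64
import hashlib
import struct

def md5_colon(data: bytes) -> str:
    h = hashlib.md5(data).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def pem_body_md5(pem: str) -> str:
    # Routine described in the thread: base64-decode the key body, then MD5 it.
    body = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    return md5_colon(base64.b64decode(body))

def to_pem(label: str, raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])

def der(tag: int, content: bytes) -> bytes:
    n = len(content)  # minimal DER tag-length-value encoder
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    size = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + size + content

def int_bytes(v: int) -> bytes:
    # Minimal big-endian two's complement: DER INTEGER body and SSH mpint body.
    return v.to_bytes(v.bit_length() // 8 + 1, "big")

def encodings(n: int, e: int) -> dict:
    pkcs1 = der(0x30, der(0x02, int_bytes(n)) + der(0x02, int_bytes(e)))
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption
    spki = der(0x30, alg + der(0x03, b"\x00" + pkcs1))
    ssh = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-rsa", int_bytes(e), int_bytes(n)))
    return {"spki": spki, "pkcs1": pkcs1, "ssh": ssh}

def fingerprints(n: int, e: int) -> dict:
    enc = encodings(n, e)
    return {
        "PEM PUBLIC KEY (SPKI)": pem_body_md5(to_pem("PUBLIC KEY", enc["spki"])),
        "PEM RSA PUBLIC KEY (PKCS#1)": pem_body_md5(to_pem("RSA PUBLIC KEY", enc["pkcs1"])),
        "OpenSSH key blob": md5_colon(enc["ssh"]),
    }

# Constructed 2048-bit odd number standing in for a modulus; not a usable key.
N = int.from_bytes(hashlib.sha512(b"constructed sample").digest() * 4, "big") | (1 << 2047) | 1
E = 65537

for name, fp in fingerprints(N, E).items():
    print(f"{name:28} {fp}")
```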


(Jim Anderson) #5

Hi @TonyFleisher,

I’ve pinged the Developer Relations team about this, but I’d recommend opening a Developer Support issue if you haven’t already.

As mentioned earlier, there are some docs on this topic but it sounds like there are some gaps that aren’t captured there.


(Mark Dunsford) #6

Thanks for that.

I raised a support log on Saturday so hopefully your ping will help to push it along.