The Authorization header sent with WebHook posts by custom Automations contains a ‘keyId’ field which, I am assuming, relates to the keys used for signing and validating the field.
Does anyone know how this is derived and where I can find it? (Other than by monitoring incoming packets, that is.)
My application will have several Automations calling the same Web service so will need to match up the appropriate public key to the incoming requests.
Edit: I suspect the numeric portion of the keyId may be the key’s fingerprint/MD5 hash but have not been able to generate anything that matches so far, so I may be wrong on that.
Yeah, it looks like MD5, but I’m not sure if it is a standard RSA fingerprint or if SmartThings uses some special data to generate the keyId. It is somewhat surprising this isn’t documented.
I haven’t got anything useful back from the support request but, in case anyone else is facing the same issue, I think I’ve worked out how we’re supposed to match a public key to a signature.
I still haven’t a clue how the keyId is generated but I think what we’re supposed to do is to extract the installedAppId from the body of the message and use that to identify a matching public key.
The application ID is obtainable from the smartapp definition along with the public key and is present as installedAppId in all lifecycle messages except PING which doesn’t have a signature anyway.
This doesn’t solve the problem of getting the keyId or allow the signature to be independent of the body, but it is, at least, a usable workaround.
I’d still prefer to use keyID but I think I may be able to get by without it, for now at least.
I had assumed InstalledApplicationId would be the same as my original ApplicationId, but it isn’t so I’m back to sniffing the keyId out of an incoming message and tying it up with a key manually.
Until support respond with an answer to my question, at least.
I don’t know if @Jim can provide a bit more information on here, since my support request seems to have fallen into a black hole (no response for over two weeks now).
There must be an official way to tie up the keyId and the public key. Hopefully it’s not just a case of tying things together manually.
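The key-matching workaround discussed in this thread, written out as an added example (this is not SmartThings code or anything from the platform's SDK). It resolves the public key for an incoming signed POST by keyId when the key is already registered under that keyId (captured by hand from an earlier request), and otherwise falls back to the installedAppId found in the body; PING, which carries no signature, is reported as unverified rather than treated as an error. The header layout (an HTTP Signatures style `Signature keyId="...",signature="...",headers="..."` header), the RSA PKCS#1 v1.5/SHA-256 signature check, the `cryptography` package used for it, and the nesting of installedAppId inside the JSON body are all assumptions; the key registry class, the `verify_request` function and the sample values are constructed for this example.

```python
"""Added example (not SmartThings code): resolve the public key for a signed
webhook POST by keyId when the registry knows it, otherwise by installedAppId
taken from the body, then verify the signature with a pluggable verifier."""
import base64
import json
import re
from typing import Callable, Dict, Optional, Tuple

# Assumption: the Authorization header looks like
#   Signature keyId="<opaque id>",signature="<base64>",headers="(request-target) date",algorithm="rsa-sha256"
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_authorization(header: str) -> Dict[str, str]:
    """Split 'Signature k="v",k2="v2"' into a dict of its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "signature":
        raise ValueError(f"unexpected auth scheme: {scheme!r}")
    return dict(_PARAM_RE.findall(params))


def find_installed_app_id(node) -> Optional[str]:
    """Depth-first search for the first 'installedAppId' value in the body.
    Assumption: the field may sit inside a lifecycle-specific sub-object."""
    if isinstance(node, dict):
        if "installedAppId" in node:
            return node["installedAppId"]
        for value in node.values():
            found = find_installed_app_id(value)
            if found is not None:
                return found
    elif isinstance(node, list):
        for value in node:
            found = find_installed_app_id(value)
            if found is not None:
                return found
    return None


class KeyRegistry:
    """Public keys indexed two ways: by the installedAppId observed for each
    installation, and by keyId entries added by hand from captured headers,
    since the keyId derivation is undocumented (constructed helper)."""

    def __init__(self) -> None:
        self.by_key_id: Dict[str, str] = {}
        self.by_installed_app_id: Dict[str, str] = {}

    def register(self, pem: str, installed_app_id: str, key_id: Optional[str] = None) -> None:
        self.by_installed_app_id[installed_app_id] = pem
        if key_id:
            self.by_key_id[key_id] = pem

    def resolve(self, key_id: Optional[str], installed_app_id: Optional[str]) -> Tuple[Optional[str], str]:
        """Prefer the keyId (independent of the body); fall back to installedAppId."""
        if key_id and key_id in self.by_key_id:
            return self.by_key_id[key_id], "keyId"
        if installed_app_id and installed_app_id in self.by_installed_app_id:
            return self.by_installed_app_id[installed_app_id], "installedAppId"
        return None, "none"


def build_signing_string(method: str, path: str, headers: Dict[str, str], signed: str) -> str:
    """Rebuild the string the sender signed (HTTP Signatures draft rules, assumed)."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in signed.split():
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lower[name]}")
    return "\n".join(lines)


Verifier = Callable[[str, bytes, bytes], bool]


def rsa_sha256_verifier(pem: str, message: bytes, signature: bytes) -> bool:
    """RSA PKCS#1 v1.5 / SHA-256 check via the 'cryptography' package (assumed
    scheme; imported lazily so the matching logic runs without it)."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_public_key(pem.encode())
    try:
        key.verify(signature, message, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def verify_request(method: str, path: str, headers: Dict[str, str], body: bytes,
                   registry: KeyRegistry, verify: Verifier = rsa_sha256_verifier) -> Dict[str, object]:
    """Authenticate one webhook POST. PING carries no signature and is reported
    as unverified; every other lifecycle must resolve a key and verify."""
    payload = json.loads(body)
    result: Dict[str, object] = {"lifecycle": payload.get("lifecycle"), "verified": False}
    if payload.get("lifecycle") == "PING":
        result["reason"] = "PING carries no signature"
        return result
    lower = {k.lower(): v for k, v in headers.items()}
    if "authorization" not in lower:
        result["reason"] = "missing Authorization header"
        return result
    params = parse_authorization(lower["authorization"])
    installed_app_id = find_installed_app_id(payload)
    pem, matched_by = registry.resolve(params.get("keyId"), installed_app_id)
    result.update(keyId=params.get("keyId"), installedAppId=installed_app_id, matched_by=matched_by)
    if pem is None:
        result["reason"] = "no public key registered for this keyId or installedAppId"
        return result
    signing_string = build_signing_string(method, path, headers, params.get("headers", "date"))
    result["verified"] = verify(pem, signing_string.encode(), base64.b64decode(params["signature"]))
    return result
```

The `matched_by` field in the result tells you which index resolved the key, so you can log how often requests still fall back to installedAppId; once a keyId has been observed for an installation, registering it under that keyId lets later requests be authenticated without depending on the body.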