Home » Developing for Drupal » Contributed modules for developers » Services: An API for remote applications » Services Tutorials and Examples

API key authentication

· · ·
Last modified: May 26, 2009 - 01:59

Note: this information has changed a bit in the newest version of Services. It will be updated shortly.

Services offers the ability to control access via API keys. This requires
setting up a key on the remote server, and putting together a specially
crafted call on the requesting server. This document gives an example of how
to set this up in Drupal using the user.get service.

On the remote server:

1) Install Services, enable the Services, XMLRPC Server, and User Service
module.

2) When using API key authentication, services run as the anonymous user, so you will need to modify the anonymous user's permissions as necessary. For this example, you will need to give the anonymous user 'access services' (under services_module) and 'get own user data' (under user_services module).

3) Now you need to create an API key. Go to Administer->Site Building->Services->Keys->Create Key. Give the key a title and a domain. The domain can really be anything, but typically it will match the external domain which has permission to use this key. Submit the form. You will now see your key listed. Take note of this key as you will need it in the code you are about to write.

4) Go to Administer->Site Building->Services->Settings and check 'Use Keys'. Submit the form. All services calls are now required to include API key information.

On the requesting server:

Service calls using API keys require four parameters:

Timestamp - Current time in unix timestamp format.
Domain - The value you entered for domain above.
Nonce - A random value.
Hash - An sha256 has of the timestamp, domain, nonce and remote method name delimited by semicolons and using the remote api key as the shared key.

Here is some example Drupal code which shows how this works.

$domain = 'my domain';
$timestamp = (string) time();
$nonce = user_password();
$hash = hash_hmac('sha256', $timestamp .';'.$domain .';'. $nonce .';'.'user.get', 'remote_api_key');
$xmlrpc_result = xmlrpc('http://remoteserver.com/services/xmlrpc', 'user.get', $hash, $domain, $timestamp, $nonce, 0);
if ($xmlrpc_result === FALSE) {
  print '<pre>' . print_r(xmlrpc_error(), TRUE) . '<pre>';
}
else {
  print '<pre>' . print_r($xmlrpc_result, TRUE) . '<pre>';
}

Some notes:

1) The timestamp must be cast to a string or you will get an error that you are passing an argument of an incorrect type.

2) Drupal's user_password() function is a convenient way to generate a random string to use as the Nonce.

If this code runs successfully, then you should see the anonymous user's information printed. Otherwise you will see an error.

» Login or register to post comments

API key authentication using REST Server module

nonsie - March 12, 2009 - 22:30

Moved to http://drupal.org/node/400212

-------------------------------------------------
the original net baby

Login or register to post comments

need help

isagarjadhav - May 1, 2009 - 15:06

I need help with api key authentication... please... how should i do it?

S

Login or register to post comments

user.get no longer exists

liquidcms - October 23, 2009 - 06:08

in 5.x-1.x-dev there is no longer a user.get method

Peter Lindstrom
LiquidCMS - Content Management Solution Experts

Login or register to post comments

terminology

matslats - October 22, 2009 - 14:13

Can the wording be changed here please to talk not about the remote and requesting servers, but the server and client, or something clearer

Login or register to post comments
 
 

Drupal is a registered trademark of Dries Buytaert.