Configuring Escher¶
You have to have some service specific constants when you would like to use Escher. If you are implementing a client, it will be provided by the service owner. If you are a service owner, you have to define them for your users.
Note
In practice, you should only define the credential scope, and keep the defaults of the other options.
Credential Scope¶
The most important service constant is the credential scope, this is the
only required parameter when you are using the library. It is a
slash separated, hierarchical ID, containing the service’s scope. Amazon
uses it to identify the data center, the service and the protocol. An
Amazon example is us-east-1/iam/aws4_request
. You should define a scope
like eu-vienna/yourproductname/escher_request
.
Clock Skew¶
This option defines the maximum allowed window of the difference between the clock of the client and the server, as it’s quite typical that computer times are not synced well. Without this setting, even small differences could cause the invalidity of the signature.
The default is ±900 secs (15 mins), it generally works well. You might want to allow smaller difference only.
Algo Prefix, Vendor Key, Authentication Header Name and Date Header Name¶
These options are implemented to keep the compability with the Amazon AWS4 protocol, it is not recommended to change them.
Hash Algo¶
Defines the hash algorithm used to calculate the signature. There are two supported values: SHA256 and SHA512.
Current Time¶
This parameter is only for testing purposes, as tests need to have an injected time for repeatability reasons.
Possible error messages¶
- Message:
- The date header is missing
- Solution:
- The “dateHeaderName” configuration should be the same on server and client.
- Message:
- The authorization header is missing
- Solution:
- The “authHeaderName” configuration should be the same on server and client.
- Message:
- The host header is missing
- Solution:
- The client’s Escher implementation is incomplete or the host header lost between the server and the client.
- Message:
- Could not parse auth header
- Solution:
- The client’s Escher implementation is incomplete. Specification for authorization header.
- Message:
- The host header is not signed
- Solution:
- The client’s Escher implementation is incomplete.
- Message:
- The date header is not signed
- Solution:
- The client’s Escher implementation is incomplete.
- Message:
- The credential scope is invalid
- Solution:
- The “credentialScope” configuration should be the same on server and client.
- Message:
- Only SHA256 and SHA512 hash algorithms are allowed
- Solution:
- The client’s Escher implementation is incomplete. Escher only supports these hash algorithms.
- Message:
- The authorization header’s shortDate does not match with the request date
- Solution:
- The client’s Escher implementation is incomplete. The authorization header’s short date is not equal with the request date header.
- Message:
- The request date is not within the accepted time range
- Solution:
- The server’s or client’s time is out of sync. Use an NTP (Network Time Protocol) client or a similar solution to set the accurate time.
- Message:
- Invalid Escher key
- Solution:
- The client is using an Escher key missing on the server.
- Message:
- The signatures do not match
- Solution:
- The most likely problem is either the Escher secret is wrong or the signed and sent requests are different.