What Is It?
This announcement describes action required from customers using Cybersource REST APIs. All Cybersource API calls using HTTP Signature Authentication will adhere to industry standards and will allow BOTH WITH AND WITHOUT PARENTHESES for HTTP authentication for REST APIs, and will no longer support the use of parentheses in the API header after Nov 1, 2023 Jan 22, 2024 Mar 22, 2024 April 22 2024.
Audience
Any merchant that uses HTTP Signature Authentication to connect to Cybersource REST APIs.
Details
This update applies to the HTTP Signature Authentication scheme supported for Cybersource REST APIs. The API request headers include an attribute called Signature that contains a request-target parameter. That parameter has been provided in parentheses, as (request-target), and should instead be sent without the parentheses, as request-target. There will be a migration period until Nov 1, 2023 Jan 22, 2024 Mar 22, 2024 April 22 2024 during which Cybersource API calls will accept both header formats, with and without parentheses.
It is a simple integration change, but it is very important from the standpoint of industry security standards. Hence, any API requests received after Nov 1, 2023 Jan 22, 2024 Mar 22, 2024 April 22 2024 that use parentheses for request-target in the Signature header for HTTP Signature Authentication will fail.
Old & supported: Here is an example of a request header signature with parentheses:
- Signature: keyid="123abcki-key1-key2-key3-keyid1234567", algorithm="HmacSHA256", headers="host (request-target) digest v-c-merchant-id", signature="123456iFZ0ZhOHzhejvuAa123456Xv1xykNAEq71234="
New & supported: Here is an example of an updated request header signature with parentheses removed:
- Signature: keyid="123abcki-key1-key2-key3-keyid1234567", algorithm="HmacSHA256", headers="host request-target digest v-c-merchant-id", signature="hrptKYTtn/VfwAdUqkrQ0HT7jqAbagAbFC6nRGXrNzE="
In addition, if the optional header "request-target" is passed and used to calculate the signature (the service will allow BOTH WITH AND WITHOUT PARENTHESES for HTTP authentication for REST APIs), it must be changed from "(request-target)" to "request-target" to avoid service interruptions.
If you have any questions about this update, please contact customer support: Cybersource Support Center
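The change described above, as an added example that is not Cybersource's own code or SDK: it builds the Signature value in both forms and flags the legacy one, which is useful for auditing captured outbound requests during the migration. The key id, secret, host, path and merchant id are constructed, and the signing-string layout ("name: value" lines joined by newlines) and the base64-encoded shared secret are assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample credentials (not real Cybersource values).
KEY_ID = "00000000-demo-demo-demo-000000000000"
SECRET_B64 = base64.b64encode(b"constructed-demo-shared-secret").decode()


def build_signature_header(host, method, path, body, merchant_id, legacy=False):
    """Return a Signature header value; legacy=True emits the old "(request-target)" name."""
    target = "(request-target)" if legacy else "request-target"
    digest = "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()
    # Field order follows the headers="host request-target digest v-c-merchant-id" list.
    fields = [
        ("host", host),
        (target, f"{method.lower()} {path}"),
        ("digest", digest),
        ("v-c-merchant-id", merchant_id),
    ]
    # Assumption: the signing string is "name: value" lines joined by "\n".
    signing_string = "\n".join(f"{name}: {value}" for name, value in fields)
    key = base64.b64decode(SECRET_B64)  # assumption: the shared secret is base64-encoded
    mac = hmac.new(key, signing_string.encode(), hashlib.sha256).digest()
    names = " ".join(name for name, _ in fields)
    return (f'keyid="{KEY_ID}", algorithm="HmacSHA256", '
            f'headers="{names}", signature="{base64.b64encode(mac).decode()}"')


def uses_legacy_request_target(header_value):
    """True if the headers="..." list of a Signature value names "(request-target)"."""
    match = re.search(r'headers="([^"]*)"', header_value)
    return bool(match) and "(request-target)" in match.group(1).split()


if __name__ == "__main__":
    body = b'{"constructed": "sample body"}'
    for legacy in (True, False):
        value = build_signature_header("api.example.test", "POST", "/demo/v1/payments",
                                       body, "demo_merchant", legacy)
        print("legacy" if legacy else "new   ", uses_legacy_request_target(value), value)
```

Under the assumed signing-string layout the field name is part of the signed data, so the two forms produce different signature values and the header cannot be migrated by editing the headers list alone.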
What Do I Have To Do?
The fix has been implemented internally and no action is required from the consumers of Cybersource REST APIs.
If you are a Cybersource merchant and you use HTTP Signature Authentication, update your HTTP Signature Authentication implementation to remove the parentheses from request-target in the Signature header before Nov 1, 2023 Jan 22, 2024 Mar 22, 2024 April 22 2024. If you use an SDK for your integration, upgrade to the latest SDK, which will be released with the fix for this finding in the last week of September. You can watch SDK release updates here: https://developer.cybersource.com/hello-world/release-notes.html. The associated documentation, API Reference and SDK updates will be published with these fixes in the last week of September.