Request verification

Requests from Acronis to the callback handler additionally include the Authorization header, which allows vendors to verify the origin of a request before accepting it. The Authorization header contains a JWT (JSON Web Token) signed by Acronis. The vendor must take the following steps to ensure that the JWT is valid and originated from Acronis.

Fetch JWKs (JSON Web Keys)

Send a GET request to the https://cloud.acronis.com/api/idp/v1/keys endpoint to get the list of public JWKs. The following example demonstrates a response from this endpoint:
{
    "keys": [
        {
            "use": "sig",
            "kty": "RSA",
            "kid": "f9294926-b89b-460b-9c50-8f2e74e6d3db",
            "alg": "RS256",
            "n": "xDm80_tNLSuJxBETvhfyTm5miZqn08fJwPRo0UghBRfYotTAhPma3Uj2hvCO2jOB1777D3-OMmhlJ7oxXOFZcYRElw6FOYTZzfix_jtd6ButcUkfWBQuUUE51w-WGxVhbNagF5no2W4b9zQCLs3Omg1VdA-q1KJe6lIsKdE0ZXEQyfDh2rDFd1mbVj2DkyRrjWoLlpWIZbH--NMO2od047om14oTsaF2Xv6rlm4GMwTs6EKAGtXAKMxX1nu0U3lpgF_8n9fJf98N3nETjIUS5v85-Qxy1kzranzWqZHxt-fxin3GXukifuYF4m5QTb1By5sSiQVL8keZGb1rt-_XpQ",
            "e": "AQAB"
        },
        "..."
    ]
}
Note that you may cache the JWKs to reduce the number of requests and update them according to our key rotation policy. The JWKs are updated every 24 hours.
Verify the received JWT

When the callback handler receives a request:

1. Fetch the value of the Authorization header and extract the JWT. The format is Bearer <jwt>, where <jwt> is the JWT.
2. Decode the JWT's header using the library of your choice and fetch the value of the kid field. It may look as follows:
   { "alg": "RS256", "iri": "ac294f6ec37c7857ba95371bc43d95cd", "kid": "c2618afb-9881-472e-a4e4-683f5f057b62" }
3. Find the corresponding key among the stored JWKs by matching the value of the kid field.
4. Decode and verify the JWT's signature. If the signature is invalid, deny the request.
5. Decode the JWT's payload. It may look as follows:
   {
       "aud": "cloud.acronis.com",
       "exp": 1710855607,
       "jti": "0e8c4f42-b3f6-4585-8137-880c95f49eff",
       "iat": 1710852007,
       "iss": "https://cloud.acronis.com",
       "sub": "0d780ce3-adcc-5bce-9904-3be60cbd1b9d",
       "scope": [ { "role": "cti.a.p.acgw.endpoint.v1.0~vendor.app.endpoint.v1.0" } ],
       "ver": 2,
       "sub_type": "platform-acgw"
   }
6. Verify that the JWT issuer in the iss field is https://cloud.acronis.com. If the issuer does not match, deny the request.
7. Verify that the JWT is not expired based on the exp field. If the token is expired, deny the request.