Why is the subsequent authentication with HMAC necessary?


  • Hello,

    why is it necessary to "authenticate" to HealthVault after the client-authentication in the CreateAuthenticatedSessionToken-Request has successfully been done? The subsequent authentication I think of is the one done by adding the HMAC to the XML-Message.

    Thank you for your answers.


    • Edited by Simon_ Monday, March 19, 2012 5:32 PM
    Monday, March 19, 2012 5:31 PM

All replies

  • Hi Simon,

    The real state in an "authenticated session" is the shared secret. If the caller can successfully HMAC a request, it shows proof of possession of the shared secret. That secret can only be obtained through CreateAuthenticationSessionToken. The HMAC in each request thus determines the authenticity of each message.



    Monday, March 19, 2012 9:14 PM
  • OK, that's clear. I asked this question because I thought it to be easier to only do authentication once and afterwards just use the SSL connection. But probably there is no easy mechanism to carry this successful authentication to the SSL connection.

    In addition the SSL connection could be closed but the received Token and SharedSecret remain valid and could be used in a later SSL connection.


    Tuesday, March 20, 2012 5:43 PM
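
An added illustration of the two points made in the replies above (per-request proof of possession of the shared secret, and a session that outlives any single SSL connection). This is not HealthVault's code or wire format: the function names, the in-memory session table, the sample bodies and the choice of HMAC-SHA256 are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side session table: token -> shared secret.
SESSIONS = {}

def create_session():
    """Stand-in for the one-time authenticated session creation step."""
    token = secrets.token_hex(8)            # identifies the session, sent with each request
    shared_secret = secrets.token_bytes(32) # never sent again after session creation
    SESSIONS[token] = shared_secret
    return token, shared_secret

def sign_request(shared_secret, body):
    """Client side: HMAC over the request body (SHA-256 is an assumption)."""
    return hmac.new(shared_secret, body, hashlib.sha256).hexdigest()

def verify_request(token, body, tag):
    """Server side: recompute the HMAC from the stored secret and compare."""
    secret = SESSIONS.get(token)
    if secret is None:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison

def demo():
    token, secret = create_session()
    body = b"<info><thing-id>constructed-sample</thing-id></info>"  # constructed
    tag = sign_request(secret, body)
    later = b"<info>constructed request on a later connection</info>"
    return {
        # Holder of the shared secret is accepted.
        "valid": verify_request(token, body, tag),
        # Body altered after signing: the HMAC no longer matches.
        "tampered_body": verify_request(token, body.replace(b"sample", b"other"), tag),
        # Token known, secret not: the caller cannot produce a valid HMAC.
        "token_without_secret": verify_request(
            token, body, sign_request(secrets.token_bytes(32), body)),
        "unknown_token": verify_request("no-such-token", body, tag),
        # Nothing here depends on the transport connection, so the same
        # token and secret verify a request sent over a new connection.
        "later_connection": verify_request(token, later, sign_request(secret, later)),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```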