Authentication
Digest Authentication
ScholarOne Web Services are secured using authenticated web protocols. To successfully access and retrieve data, each operation requires valid authentication credentials to be included in the request. The credentials for your site should already be configured. If you need to verify your username and password, or if you wish to update your credentials, please contact your Implementation Consultant.
ScholarOne Web Services implement Digest Access Authentication over HTTP(S) to securely exchange credentials. The server generates a unique nonce for each request/response cycle, which is used by the client to create a hashed response including the profile’s API Key. This nonce includes a timestamp and an expiration value to prevent replay attacks. If an expired nonce is received, the server will issue a new nonce, allowing the communication to continue as long as the authentication requirements are met.
All authentication and operations with ScholarOne Web Services are conducted over HTTPS (HTTP over SSL) on TCP port 443 to ensure secure communication.
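The challenge/response step described above, as an added example that is not ScholarOne's own client code: it parses the challenge from the sample 401 response on this page and builds the matching Authorization header. It assumes the standard RFC 2617 MD5 computation without qop, because the sample challenge carries no qop or algorithm parameter; API_KEY is a constructed placeholder and the helper names are hypothetical.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header_value):
    """Split a 'Digest k="v", ...' WWW-Authenticate value into a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def nonce_expired(challenge):
    """stale="true" means only the nonce expired: retry with the new nonce."""
    return challenge.get("stale", "false").lower() == "true"

def digest_response(username, api_key, method, uri, challenge):
    """Assumed RFC 2617 form without qop: MD5(HA1:nonce:HA2)."""
    if "qop" in challenge:
        raise ValueError("qop challenges need nc/cnonce; not handled here")
    ha1 = md5_hex(f"{username}:{challenge['realm']}:{api_key}")
    ha2 = md5_hex(f"{method}:{uri}")  # uri must equal the request target as sent
    return md5_hex(f"{ha1}:{challenge['nonce']}:{ha2}")

def authorization_header(username, api_key, method, uri, challenge):
    """Build the header value; the API key itself never goes on the wire."""
    fields = {
        "username": username,
        "realm": challenge["realm"],
        "nonce": challenge["nonce"],  # always the nonce from the latest challenge
        "uri": uri,
        "response": digest_response(username, api_key, method, uri, challenge),
    }
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in fields.items())

# Challenge copied from the sample 401 response on this page.
CHALLENGE = ('Digest realm="ScholarOneApiService", '
             'nonce="IWBnEoNx6/80qvS+Qjgkt+/3IccVl3bT", stale="false"')
# Constructed placeholder; load the real key from a secrets store, not source code.
API_KEY = "EXAMPLE-API-KEY"
# Request target following the sample request on this page, quotes percent-encoded.
URI = "/api/s1a/v3/abstracts/full/abstractsbyid?site_name=exports&ids=%271829210%27"

if __name__ == "__main__":
    parsed = parse_challenge(CHALLENGE)
    print("Authorization:",
          authorization_header("sample_user_s1a", API_KEY, "GET", URI, parsed))
```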
Server request with no authentication information
GET /api/s1a/v3/abstracts/full/abstractsbyid?site_name=exports&ids='1829210'
Host: api.abstractcentral.com

HTTP/1.1 401 Unauthorized
Date: Wed, 19 Oct 2024 14:14:31 GMT
WWW-Authenticate: Digest realm="ScholarOneApiService",
nonce="IWBnEoNx6/80qvS+Qjgkt+/3IccVl3bT", stale="false"
Content-Type: text/plain;charset=UTF-8
Content-Length: 33
Server request with successful authentication
GET /api/s1a/v3/abstracts/full/abstractsbyid?site_name=exports&ids='1829210' HTTP/1.0
Host: api.abstractcentral.com
Authorization: Digest username="sample_user_s1a", realm="ScholarOneApiService",
nonce="IWBnEoNx6/80qvS+Qjgkt+/3IccVl3bT",
uri="/api/s1a/v1/abstracts/full/abstractsbyid?site_name=exports&ids=%271829210%27",
response="1f7f4b12eedaf5fef6f31b244d6babc2"

HTTP/1.1 200 OK
Date: Wed, 19 Oct 2024 14:14:32 GMT
Content-Type: application/xml;charset=UTF-8
Content-Length: 3718
(...followed by a blank line and XML or JSON text of the restricted content)
Server response when authentication fails
If the required authentication information is incorrect, the server will send back an HTTP error code in the header. The example below shows the server denying access because the wrong site_name was sent.
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Date: Wed, 19 Oct 2024 14:14:32 GMT
x-frame-options: DENY
Content-Type: application/xml;charset=UTF-8
Content-Length: 1180
IP Authentication
IP authentication occurs automatically when your IP address is registered within your customer account. Unlike username/password authentication, IP-based authentication does not require authorization information in the request header.
If your client fails to successfully complete ScholarOne's digest authentication, a 401 response code will be returned, and the request will not proceed to the IP validation stage. Both username/password authentication and IP validation are required for successful communication with the ScholarOne Web Services API.
