I'm following a PDF with instructions to authenticate an API and it says this:
clientNonce: a8673858-023c-4f8d-805d-fc8d65613a9c
serverNonce: 2d2d0a7b-c439-413c-a823-0b2acbecd496
key: mypassword

The clientHash is: SHA1(data = LOWER(clientNonce) + LOWER(serverNonce) + user’s plaintext password, key = user’s plaintext password). The clientHash should be sent in UPPERCASE hexadecimal format.

For example: SHA1(“a8673858-023c-4f8d-805d-fc8d65613a9c2d2d0a7b-c439-413c-a823-0b2acbecd496mypassword”, “mypassword”) based on above scenario and assuming the user’s password is “mypassword” results in hash D9BB04C0A7F350835E9AE4EED425AEA82EACB31A

HINT: Use the following online SHA1 conversion tool: http://hash.online-convert.com/sha1-generator
Using the online conversion tool with the scenario given doesn't give the same resulting hash. The only way I was able to get the same resulting hash was by using this HMAC SHA1 hash generator: https://codebeautify.org/hmac-generator
Nowhere in the PDF does it say that it should use HMAC though, and I'm unable to authenticate when I test the API. I've tried creating the clientHash using both sites and neither has worked.
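
Added example (not part of the original post or the PDF): a two-argument "SHA1(data, key)" can be read as an unkeyed SHA-1 over some concatenation or as keyed HMAC-SHA1, and the post reports that an HMAC generator reproduced the documented hash. The script below computes each reading locally so the digests can be compared with the PDF's value without pasting a password into a website. The function names and the UTF-8 encoding are assumptions of this example.

```python
import hashlib
import hmac

# Values copied from the PDF excerpt quoted in the post.
CLIENT_NONCE = "a8673858-023c-4f8d-805d-fc8d65613a9c"
SERVER_NONCE = "2d2d0a7b-c439-413c-a823-0b2acbecd496"
PASSWORD = "mypassword"
DOCUMENTED_HASH = "D9BB04C0A7F350835E9AE4EED425AEA82EACB31A"


def build_data(client_nonce, server_nonce, password):
    """LOWER(clientNonce) + LOWER(serverNonce) + plaintext password (UTF-8 assumed)."""
    return (client_nonce.lower() + server_nonce.lower() + password).encode("utf-8")


def plain_sha1(data):
    """Unkeyed SHA-1, which is what a plain 'SHA1 generator' computes."""
    return hashlib.sha1(data).hexdigest().upper()


def hmac_sha1(data, key):
    """Keyed HMAC-SHA1 (RFC 2104), one reading of 'SHA1(data, key)'."""
    return hmac.new(key, data, hashlib.sha1).hexdigest().upper()


def candidates(client_nonce, server_nonce, password):
    """Each plausible reading of the spec with its uppercase hex digest."""
    data = build_data(client_nonce, server_nonce, password)
    key = password.encode("utf-8")
    return {
        "SHA1(data)": plain_sha1(data),
        "SHA1(data + key)": plain_sha1(data + key),
        "SHA1(key + data)": plain_sha1(key + data),
        "HMAC-SHA1(key, data)": hmac_sha1(data, key),
    }


def matching(expected, client_nonce, server_nonce, password):
    """Names of the constructions whose digest equals the expected value."""
    got = candidates(client_nonce, server_nonce, password)
    return [name for name, digest in got.items()
            if hmac.compare_digest(digest, expected.upper())]


if __name__ == "__main__":
    for name, digest in candidates(CLIENT_NONCE, SERVER_NONCE, PASSWORD).items():
        mark = "<-- matches PDF" if digest == DOCUMENTED_HASH else ""
        print(f"{name:22} {digest} {mark}")
```

When testing against the live API, the serverNonce in the PDF is only a sample; the hash has to be built from the nonce values of the current exchange.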