authorino icon indicating copy to clipboard operation
authorino copied to clipboard
verified publisher icon Kuadrant

HMAC authN mode

Open guicassolato opened this issue 5 years ago • 3 comments

There's already a placeholder for it at https://github.com/3scale-labs/authorino/blob/2b6a6f8016a5837650506cd125751f8d95ea4197/pkg/config/identity/hmac.go.

guicassolato avatar Dec 22 '20 13:12 guicassolato

Hey, @guicassolato I'd like to work on this...any prereqs?

Rohith-Raju avatar Mar 01 '23 05:03 Rohith-Raju

@Rohith-Raju, I think this issue lacks definition. Because of that, I'll remove participation/good first issue label for now.

Azure's HMAC authentication for REST APIs could be a good reference here. I like it because it's flexible (the contract includes telling the server what the source of the hash is) and because it doesn't use the request body in the string-to-sign (the contrary often makes HMAC authn impractical due to encoding issues, amongst other problems). Moreover, Azure's API HMAC authentication is simple and easy to implement in both ends (client and server).

However, Azure's approach is not a standard. To make it more generic, at least those Microsoft-specific required headers need to be dropped of course – although Date is probably better keeping.

AWS's HMAC authn uses a sightly different, more complex approach, where users first need to generate a temporary signing key out of the long-lived secret access key, the date and other attributes (AWS service name and region), and only then HMAC the message, including the payload.

We need to gather some inputs from the field to choose which model we want to support.

guicassolato avatar Mar 01 '23 10:03 guicassolato

Ok @guicassolato, I'll look into this, thanks

Rohith-Raju avatar Mar 01 '23 12:03 Rohith-Raju