heimdall
heimdall copied to clipboard
dadrus
Error handler complementing HTTP Message Signatures authenticator
Preflight checklist
- [x] I agree to follow this project's Code of Conduct.
- [x] I have read and am following this repository's Contribution Guidelines."
- [ ] I have discussed this feature request with the community.
Describe the background of your feature request
FR #2677 proposes adding an authenticator to support HTTP Message Signatures. When implemented, incorrect signatures — for example, missing required components, unsupported algorithms, or unknown keys — would lead to authentication failures that currently can only be handled in a generic way.
Describe your idea
To complement this, a dedicated error handler, named e.g. http_message_signature_negotiation, could be introduced to provide clients with clear feedback on how to successfully authenticate with HTTP Message Signatures.
The error handler would:
- Inspect the cause of the failure (e.g., missing or invalid components, unsupported algorithms, unknown keys, expired/nonces).
- Return a structured response to the client indicating:
- Required components for a valid signature (e.g.,
@method,@path,@authority,content-digest). - Accepted signature algorithms.
- Recognized keys or key identifiers.
- Optional hints for timestamps, nonces, or other constraints.
- Required components for a valid signature (e.g.,
Are there any workarounds or alternatives?
No
Version
0.17.0
Additional Context
No response
