HMAC authN mode #9
Comments
|
Hey, @guicassolato I'd like to work on this...any prereqs? |
|
@Rohith-Raju, I think this issue lacks definition. Because of that, I'll remove Azure's HMAC authentication for REST APIs could be a good reference here. I like it because it's flexible (the contract includes telling the server what the source of the hash is) and because it doesn't use the request body in the string-to-sign (the contrary often makes HMAC authn impractical due to encoding issues, amongst other problems). Moreover, Azure's API HMAC authentication is simple and easy to implement in both ends (client and server). However, Azure's approach is not a standard. To make it more generic, at least those Microsoft-specific required headers need to be dropped of course – although AWS's HMAC authn uses a sightly different, more complex approach, where users first need to generate a temporary signing key out of the long-lived secret access key, the date and other attributes (AWS service name and region), and only then HMAC the message, including the payload. We need to gather some inputs from the field to choose which model we want to support. |
|
Ok @guicassolato, I'll look into this, thanks |
There's already a placeholder for it at https://github.com/3scale-labs/authorino/blob/2b6a6f8016a5837650506cd125751f8d95ea4197/pkg/config/identity/hmac.go.
The text was updated successfully, but these errors were encountered: