Adds authentication and message integrity to HTTP messages by using a digital signature.

DavidLievrouw/HttpMessageSigning

HttpMessageSigning

A C# implementation of the "Authorization" scheme of the IETF Internet-Draft Signing HTTP Messages.

It contains:

  • HTTP request signing services.
  • HTTP request signature verification services.
  • Authentication middleware for ASP.NET Core applications.
  • Authentication middleware for OWIN applications.
  • Extensions for storing known clients in memory.
  • Extensions for storing known clients in MongoDB.

See wiki for further details.

Motivation

When communicating over the Internet using the HTTP protocol, it can be desirable for a server or client to authenticate the sender of a particular message. It can also be desirable to ensure that the message was not tampered with during transit. The Signing HTTP Messages Internet-Draft describes a way for servers and clients to simultaneously add authentication and message integrity to HTTP messages by using a digital signature.

This repository is a C# implementation of that specification.

NuGet

Common

  • This package contains the shared components for the signing and verification packages. It serves as a base package only.

Signing

  • This package contains the client-side services to enable signing HTTP messages. In most cases, this is the only package that client applications will reference.

Verification

  • This package contains the server-side services to enable verifying HTTP message signatures. It also contains the default in-memory client and nonce stores.

  • This package contains the ASP.NET Core authentication scheme to verify signatures on signed HTTP messages.

  • This package contains the OWIN authentication middleware to verify signatures on signed HTTP messages.

Storage

  • For persisted clients and nonces, you can use these alternative MongoDB-backed client and nonce store implementations.

  • For persisted clients and nonces, you can use these alternative SQL Server-backed client and nonce store implementations.

  • For persisted clients and nonces, you can use these alternative filesystem-backed client and nonce store implementations.

See wiki for further details.

Basics

When a request message is signed, an Authorization header is set on the HTTP request. Using this header, the server can verify that the request was sent by the known client, and that the content has not been tampered with.

The signing will result in a request header that will look like:

Authorization: Signature keyId="e0e8dcd638334c409e1b88daf821d135",algorithm="hs2019",created=1584806516,expires=1584806576,headers="(request-target) dalion-app-id date digest",nonce="38brRy8BLUajMbUqWumXPg",signature="DUKQVjiirGMMaMOy9qIwKMro46R3BlLsvUQkw1/8sKQ="

See the Super Duper Happy Paths for basic usage.

OWIN and ASP.NET Core middleware are available too, for easy integration. By default, verification settings are stored in-memory. There are also extension packages to store data in SQL Server, MongoDB, ... instead.
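
The Authorization header shown above carries the covered header list, a validity window and the signature. As an added example (not code from this repository and not its API), the following parses such a header, rebuilds the signing string the way the Internet-Draft describes and compares the HMAC in constant time. It assumes .NET 6 or later and that the key behind keyId is an HMAC-SHA256 secret; the helper names, the key and all request values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
static class SignatureHeaderDemo
{
    // Splits 'Signature keyId="..",created=123,...' into its parameters (quoted or numeric).
    static Dictionary<string, string> Parse(string authorization) =>
        Regex.Matches(authorization, "(\\w+)=(?:\"([^\"]*)\"|(\\d+))").Cast<Match>()
            .ToDictionary(m => m.Groups[1].Value,
                          m => m.Groups[2].Success ? m.Groups[2].Value : m.Groups[3].Value);

    // Signing string as the draft builds it: one "name: value" line per entry of 'headers'.
    static string SigningString(string covered, string method, string path,
                                IDictionary<string, string> h) =>
        string.Join("\n", covered.Split(' ').Select(name => name == "(request-target)"
            ? $"(request-target): {method.ToLowerInvariant()} {path}"
            : $"{name}: {h[name]}"));
    // Assumption: the shared key is an HMAC-SHA256 secret.
    static byte[] Mac(byte[] secret, string text) =>
        HMACSHA256.HashData(secret, Encoding.UTF8.GetBytes(text));

    static bool Verify(string authorization, byte[] secret, DateTimeOffset now,
                       string method, string path, IDictionary<string, string> h)
    {
        var p = Parse(authorization);
        long t = now.ToUnixTimeSeconds();
        if (t < long.Parse(p["created"]) || t > long.Parse(p["expires"])) return false;
        var expected = Mac(secret, SigningString(p["headers"], method, path, h));
        return CryptographicOperations.FixedTimeEquals(expected, Convert.FromBase64String(p["signature"]));
    }

    static void Main()
    {
        // Constructed sample request and secret; none of these values come from the project.
        var secret = Encoding.UTF8.GetBytes("constructed-demo-secret");
        var h = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) {
            ["dalion-app-id"] = "demo-app", ["date"] = "Sat, 21 Mar 2020 16:01:56 GMT",
            ["digest"] = "SHA-256=constructed-digest-value" };
        const string covered = "(request-target) dalion-app-id date digest";
        var sig = Convert.ToBase64String(Mac(secret, SigningString(covered, "POST", "/api/orders", h)));
        var auth = "Signature keyId=\"demo-key\",algorithm=\"hs2019\",created=1584806516,expires=1584806576," +
                   $"headers=\"{covered}\",nonce=\"constructed-nonce\",signature=\"{sig}\"";
        var inWindow = DateTimeOffset.FromUnixTimeSeconds(1584806530);
        Console.WriteLine(Verify(auth, secret, inWindow, "POST", "/api/orders", h));               // untouched, inside the window
        Console.WriteLine(Verify(auth, secret, inWindow.AddMinutes(5), "POST", "/api/orders", h)); // checked after 'expires'
        h["digest"] = "SHA-256=tampered";
        Console.WriteLine(Verify(auth, secret, inWindow, "POST", "/api/orders", h));               // a signed header was altered
    }
}
```

Parse and Verify throw on a malformed header, which a caller should treat as a failed verification. Replay protection additionally requires remembering each nonce until its expires time, which is what the nonce stores listed under NuGet are for.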

Documentation

See Wiki.

Support

If you've got value from any of the content which I have created, but pull requests are not your thing, then I would also very much appreciate your support by buying me a coffee.

"Anybody can make something that works. Software craftsmanship is the ability to keep it understandable, maintainable and extensible."
