HMAC authN mode #9
Comments
Hey @guicassolato, I'd like to work on this... any prereqs?
@Rohith-Raju, I think this issue lacks definition. Because of that, I'll remove Azure's HMAC authentication for REST APIs could be a good reference here. I like it because it's flexible (the contract includes telling the server what the source of the hash is) and because it doesn't use the request body in the string-to-sign (the contrary often makes HMAC authn impractical due to encoding issues, amongst other problems). Moreover, Azure's API HMAC authentication is simple and easy to implement on both ends (client and server). However, Azure's approach is not a standard. To make it more generic, at least those Microsoft-specific required headers need to be dropped, of course – although AWS's HMAC authn uses a slightly different, more complex approach, where users first need to generate a temporary signing key out of the long-lived secret access key, the date and other attributes (AWS service name and region), and only then HMAC the message, including the payload. We need to gather some inputs from the field to choose which model we want to support.
Ok @guicassolato, I'll look into this, thanks
There's already a placeholder for it at https://github.com/3scale-labs/authorino/blob/2b6a6f8016a5837650506cd125751f8d95ea4197/pkg/config/identity/hmac.go.
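A sketch in Go of the "client declares what it signed, body stays out of the string-to-sign" model that @guicassolato's comment describes, added here as an illustration; it is neither Azure's exact specification nor code from authorino. The `Authorization` header format, the `Sign`/`Verify` functions and the constructed secret are assumptions; the server side enforces a minimum set of covered headers and compares MACs in constant time, and freshness of the signed date header is left to the caller.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"net/http"
	"strings"
)

// Constructed scheme (not Azure's exact spec, not authorino code): the string-to-sign
// is the request line plus the values of the headers the client declared; no body.
func stringToSign(r *http.Request, signedHeaders []string) string {
	parts := []string{r.Method, r.URL.RequestURI()}
	for _, h := range signedHeaders {
		parts = append(parts, r.Header.Get(h))
	}
	return strings.Join(parts, "\n")
}

// Sign is the client side: base64(HMAC-SHA256(secret, string-to-sign)).
func Sign(secret []byte, r *http.Request, signedHeaders []string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(stringToSign(r, signedHeaders)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Verify is the server side. It parses "Authorization: HMAC-SHA256
// SignedHeaders=h1;h2&Signature=<base64>", rejects a declared set missing any
// header in required, recomputes the MAC and compares it in constant time.
func Verify(secret []byte, r *http.Request, required []string) bool {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "HMAC-SHA256 ") {
		return false
	}
	var signed, sig string
	for _, kv := range strings.Split(strings.TrimPrefix(auth, "HMAC-SHA256 "), "&") {
		if k, v, ok := strings.Cut(kv, "="); ok && k == "SignedHeaders" {
			signed = v
		} else if ok && k == "Signature" {
			sig = v
		}
	}
	for _, h := range required {
		if !strings.Contains(";"+strings.ToLower(signed)+";", ";"+strings.ToLower(h)+";") {
			return false // a required header was not covered by the signature
		}
	}
	return hmac.Equal([]byte(Sign(secret, r, strings.Split(signed, ";"))), []byte(sig))
}
```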