Kuadrant / authorino

K8s-native AuthN/AuthZ service to protect your APIs.
Apache License 2.0

HMAC authN mode #9

Open guicassolato opened 3 years ago

guicassolato commented 3 years ago

There's already a placeholder for it at https://github.com/3scale-labs/authorino/blob/2b6a6f8016a5837650506cd125751f8d95ea4197/pkg/config/identity/hmac.go.

Rohith-Raju commented 1 year ago

Hey, @guicassolato I'd like to work on this...any prereqs?

guicassolato commented 1 year ago

@Rohith-Raju, I think this issue lacks definition. Because of that, I'll remove participation/good first issue label for now.


Azure's HMAC authentication for REST APIs could be a good reference here. I like it because it's flexible (the contract includes telling the server what the source of the hash is) and because it doesn't use the request body in the string-to-sign (the contrary often makes HMAC authn impractical due to encoding issues, amongst other problems). Moreover, Azure's API HMAC authentication is simple and easy to implement in both ends (client and server).

However, Azure's approach is not a standard. To make it more generic, at least those Microsoft-specific required headers need to be dropped, of course – although Date is probably better kept.

AWS's HMAC authn uses a slightly different, more complex approach, where users first need to generate a temporary signing key out of the long-lived secret access key, the date and other attributes (AWS service name and region), and only then HMAC the message, including the payload.

We need to gather some inputs from the field to choose which model we want to support.
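The two models contrasted in the comment above, as an added illustration (this is not Authorino code and not a proposal from the issue author). The client/server half follows the Azure-like pattern described: the client advertises which headers it signed (the `X-Signed-Headers` name and the `HMAC-SHA256` scheme token are made up here), the request body is deliberately not part of the string-to-sign, and the server insists that `Date` is signed and within a clock-skew window so a captured request cannot be replayed indefinitely. `DeriveSigningKey` sketches the AWS-style alternative, a short-lived signing key derived from the long-lived secret plus date, region and service; its prefix and terminator strings are illustrative, not the real SigV4 constants. The shared secret, URL and timestamps are constructed sample inputs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Hypothetical scheme modelled on the Azure pattern from the comment: the
// client lists the signed headers, the body is never MACed, Date is mandatory.
const maxClockSkew = 5 * time.Minute

func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// stringToSign covers method, path+query and the signed headers in the order
// the client listed them; header names lower-cased, values trimmed.
func stringToSign(r *http.Request, signedHeaders []string) string {
	parts := []string{r.Method, r.URL.RequestURI()}
	for _, h := range signedHeaders {
		parts = append(parts, strings.ToLower(h)+":"+strings.TrimSpace(r.Header.Get(h)))
	}
	return strings.Join(parts, "\n")
}

// SignRequest (client side): set Date, advertise the signed headers, attach
// the hex-encoded MAC in Authorization. Header names here are hypothetical.
func SignRequest(r *http.Request, key []byte, signedHeaders []string, now time.Time) {
	r.Header.Set("Date", now.UTC().Format(http.TimeFormat))
	r.Header.Set("X-Signed-Headers", strings.Join(signedHeaders, ";"))
	sig := hmacSHA256(key, []byte(stringToSign(r, signedHeaders)))
	r.Header.Set("Authorization", "HMAC-SHA256 "+hex.EncodeToString(sig))
}

// VerifyRequest (server side): require a signed Date inside the skew window,
// recompute the MAC over the advertised headers, compare in constant time.
func VerifyRequest(r *http.Request, key []byte, now time.Time) error {
	const prefix = "HMAC-SHA256 "
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, prefix) {
		return errors.New("missing or unsupported Authorization scheme")
	}
	got, err := hex.DecodeString(strings.TrimPrefix(auth, prefix))
	if err != nil {
		return errors.New("malformed signature")
	}
	signedHeaders := strings.Split(r.Header.Get("X-Signed-Headers"), ";")
	dateSigned := false
	for _, h := range signedHeaders {
		dateSigned = dateSigned || strings.EqualFold(h, "Date")
	}
	if !dateSigned {
		return errors.New("Date must be among the signed headers")
	}
	date, err := http.ParseTime(r.Header.Get("Date"))
	if err != nil {
		return errors.New("missing or malformed Date header")
	}
	if d := now.Sub(date); d > maxClockSkew || d < -maxClockSkew {
		return errors.New("Date outside the allowed clock skew")
	}
	if want := hmacSHA256(key, []byte(stringToSign(r, signedHeaders))); !hmac.Equal(got, want) {
		return errors.New("signature mismatch")
	}
	return nil
}

// DeriveSigningKey sketches the AWS-style chain from the comment: a short-lived
// key derived from secret, date, region and service. Labels are illustrative.
func DeriveSigningKey(secret []byte, date, region, service string) []byte {
	k := hmacSHA256(append([]byte("SIGV4"), secret...), []byte(date))
	k = hmacSHA256(k, []byte(region))
	k = hmacSHA256(k, []byte(service))
	return hmacSHA256(k, []byte("sigv4_request"))
}

// Scenarios runs a constructed round trip offline: valid request verifies,
// a path altered in transit is rejected, a replay ten minutes later is rejected.
func Scenarios() (valid, tampered, stale error) {
	key := []byte("example-shared-secret") // constructed; never embed real keys
	now := time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC)
	req, _ := http.NewRequest("POST", "https://api.example.com/v1/orders?limit=5", strings.NewReader(`{"qty":1}`))
	req.Header.Set("Content-Type", "application/json")
	SignRequest(req, key, []string{"Date", "Content-Type"}, now)
	valid = VerifyRequest(req, key, now)
	req.URL.Path = "/v1/admin/orders" // tamper with the signed path
	tampered = VerifyRequest(req, key, now)
	req.URL.Path = "/v1/orders"
	stale = VerifyRequest(req, key, now.Add(10*time.Minute)) // replayed later
	return
}

func main() {
	valid, tampered, stale := Scenarios()
	fmt.Println("valid:", valid, "| tampered:", tampered, "| stale:", stale)
	fmt.Println("derived key:", hex.EncodeToString(DeriveSigningKey([]byte("secret"), "20240102", "us-east-1", "orders")))
}
```

Two things worth noting when comparing the models: because the body is outside the string-to-sign in the first scheme, body integrity rests on TLS (or on the client signing a separate body-digest header, which this example does not do); and the skew check only bounds the replay window, so a nonce store would still be needed to reject an exact replay inside it.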

Rohith-Raju commented 1 year ago

Ok @guicassolato, I'll look into this, thanks