Closed snarfed closed 5 years ago
It's my understanding that the spec requires the use of the Authorization header. Was there an update that changed it?
the httpsig spec? i've read and re-read the relevant sections a few times now, and it's hard to follow the language, but i think the key section is 1.1 (emphasis mine):
This specification provides two mechanisms that can be used by a server to authenticate a client. The first is the 'Signature' HTTP Authentication Scheme, which may be used for interactive sessions.
The second is the Signature HTTP Header, which is typically used by automated software agents.
'Signature' HTTP Authentication Scheme refers to section 3, the Authorization HTTP header. Signature HTTP Header refers to section 4, the Signature HTTP header. So if I'm parsing that right, both are supported, neither is always required. my use case here is server to server, which automated software agents seems appropriate for.
specifically, my use case was interacting with Mastodon over ActivityPub, which iirc accepted the Signature header but not Authorization.
Merged #15.
hi! first off, thanks for maintaining and working on this library. we appreciate it!
i'm implementing a protocol (ActivityPub) and using HTTP Signatures via the Signature HTTP header, but httpsig currently only supports the Authorization header. any chance you could add Signature support?
as a proof of concept, i've done this in snarfed/httpsig@6f0ebfe00af39fb75d50c7a29f46da49e8190d70. example usage in snarfed/bridgy-fed@b1230881588b9d990db9fa13f13376b5624c69e6. it's definitely not the way you'd do it for real, but it does work.
thanks in advance!
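The two header forms discussed in this thread, as an added example that is not code from httpsig or from anyone in the thread: the same signature parameters are sent either in a Signature header (section 4) or in an Authorization header with the Signature scheme (section 3), and a verifier can accept both. The key id, shared secret, function names and the choice of hmac-sha256 are assumptions made so the example runs offline.

```python
import base64, hashlib, hmac, re

# Constructed sample key material (assumptions for this example only).
KEY_ID = "https://example.test/actor#main-key"
SECRET = b"constructed-shared-secret"

def signing_string(method, path, headers, names):
    """One 'name: value' line per signed header, in the listed order."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lowered:
            lines.append(f"{name}: {lowered[name]}")
        else:
            raise ValueError(f"signed header {name!r} missing from request")
    return "\n".join(lines)

def mac(method, path, headers, names):
    """Base64 HMAC-SHA256 over the signing string."""
    data = signing_string(method, path, headers, names).encode()
    return base64.b64encode(hmac.new(SECRET, data, hashlib.sha256).digest()).decode()

def sign(method, path, headers, names, use_authorization=False):
    """Return the one header to add; both forms carry the same parameters."""
    params = (f'keyId="{KEY_ID}",algorithm="hmac-sha256",'
              f'headers="{" ".join(names)}",signature="{mac(method, path, headers, names)}"')
    if use_authorization:
        return {"Authorization": "Signature " + params}  # section 3 form
    return {"Signature": params}                          # section 4 form

def verify(method, path, headers):
    """Accept either header form, then recompute and compare the MAC."""
    lowered = {k.lower(): v for k, v in headers.items()}
    params = lowered.get("signature")
    if params is None:
        scheme, _, rest = lowered.get("authorization", "").partition(" ")
        params = rest if scheme.lower() == "signature" else None
    if not params:
        return False
    fields = dict(re.findall(r'(\w+)="([^"]*)"', params))
    if fields.get("keyId") != KEY_ID or fields.get("algorithm") != "hmac-sha256":
        return False
    try:  # a listed header that is absent from the request fails verification
        expected = mac(method, path, headers, fields.get("headers", "date").split())
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), fields.get("signature", "").encode())
```

A peer that only reads one of the two headers will reject a request signed with the other form even though the signature itself is valid.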