Closed gary-rowe closed 12 years ago
There are some minor issues with the Warden HMAC algorithm documentation. I have elected to ignore query-based authentication since it exposes authentication details in a manner that could be shared as a permalink. Also the query-based authentication breaks caching since every request is unique if a short TTL is included.
I have some issues with the inclusion of all headers on the server side since it is possible that intermediary servers could add headers to the request that are unknown to the client and render the signature void. However, the server should be aware of those headers and strip them out during the creation of the canonical representation.
In order to authenticate and authorise requests against a standard, as a platform client, I want to apply these guidelines and support the Warden HMAC Ruby gem.
Estimated time (days): 0.5
Acceptance Criteria
Scenario 1: Title
Given a GET request with an AuthHMAC header
And some valid corresponding data
When I attempt to authenticate
Then I should authenticate
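The two points above (the server ignoring headers an intermediary added after signing, and the GET-request scenario in the acceptance criteria) as an added Ruby example. This is not code from the issue or from the Warden HMAC gem; the canonical string layout, the `SIGNED_HEADERS` allowlist, the `Authorization: AuthHMAC <hex>` header shape and all sample values are assumptions made for illustration.

```ruby
require 'openssl'
require 'uri'

# Only these headers take part in the signature. Proxies and load balancers may
# append headers the client never saw (X-Forwarded-For and the like); the server
# canonicalises the allowlisted set and ignores everything else, so such
# additions cannot invalidate a signature. (Assumed allowlist, not the gem's.)
SIGNED_HEADERS = %w[content-type date].freeze

# Assumed canonical layout: METHOD, path+query, then one "name:value" line per
# allowlisted header in fixed order (empty value when the header is absent).
def canonical_representation(method, url, headers)
  uri = URI.parse(url)
  path = uri.path.empty? ? '/' : uri.path
  query = uri.query ? "?#{uri.query}" : ''
  lowered = headers.each_with_object({}) { |(k, v), h| h[k.to_s.downcase] = v.to_s.strip }
  header_lines = SIGNED_HEADERS.map { |name| "#{name}:#{lowered.fetch(name, '')}" }
  [method.to_s.upcase, "#{path}#{query}", *header_lines].join("\n")
end

def sign(secret, canonical)
  OpenSSL::HMAC.hexdigest('SHA256', secret, canonical)
end

# Constant-time comparison so a mismatch does not leak which byte differed.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: pull the presented signature out of the AuthHMAC header,
# recompute over the allowlisted headers and compare. Returns true/false.
def authenticate(secret, method, url, headers)
  auth = headers.find { |k, _| k.to_s.casecmp('authorization').zero? }&.last.to_s
  scheme, presented = auth.split(' ', 2)
  return false unless scheme == 'AuthHMAC' && presented
  expected = sign(secret, canonical_representation(method, url, headers))
  secure_equal?(expected, presented)
end

# Constructed sample data for the GET scenario (not a real credential).
SECRET = 'constructed-shared-secret'.freeze
CLIENT_HEADERS = {
  'Content-Type' => 'application/json',
  'Date' => 'Tue, 15 Nov 1994 08:12:31 GMT'
}.freeze

# Client: sign the GET request it knows about and attach the AuthHMAC header.
def client_get_headers(url)
  sig = sign(SECRET, canonical_representation(:get, url, CLIENT_HEADERS))
  CLIENT_HEADERS.merge('Authorization' => "AuthHMAC #{sig}")
end

# Server: authenticate what arrives, optionally after an intermediary has
# added or altered headers on the way.
def server_receives(url, headers, intermediary_headers = {})
  authenticate(SECRET, :get, url, headers.merge(intermediary_headers))
end

if __FILE__ == $PROGRAM_NAME
  url = 'https://api.example.com/v1/orders?limit=10'
  signed = client_get_headers(url)
  puts "as sent:            #{server_receives(url, signed)}"
  puts "proxy added header: #{server_receives(url, signed, 'X-Forwarded-For' => '203.0.113.7')}"
  puts "date altered:       #{server_receives(url, signed, 'Date' => 'Wed, 16 Nov 1994 08:12:31 GMT')}"
end
```

The allowlist is what makes the intermediary problem tractable: a header outside `SIGNED_HEADERS` can be added, dropped or rewritten in transit without touching the canonical string, while any change to an allowlisted header or to the path and query causes verification to fail.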