The user handle is passed on downstream in an HTTP header. This allows the backend to identify the user. Example:
Multipass-Handle: bob@example.com
In the future other HTTP headers may be added. To prevent an attacker from injecting forged HTTP headers, headers set by Multipass should be signed. The signature can then be verified by the downstream handler using the public key.
To verify a list of headers reliably, a predefined algorithm must normalise and sort the header keys and values so that signer and verifier compute the signature over the same bytes.
Preliminary proposal
Headers are sorted, trimmed of whitespace, and converted to lowercase. Multiple headers with the same name are joined using commas to separate values.
Example:
After normalisation:
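The following is an added example, not code from the Multipass project, showing the preliminary proposal end to end: the proxy canonicalises the chosen headers (trim, lowercase, join repeated values with commas, sort by key), signs the result, and the downstream handler recomputes the same canonical form and verifies it with the public key. Ed25519 as the signature scheme, the `Multipass-Signature` and `Multipass-Groups` header names, and the `key:value` one-per-line serialisation are all assumptions; the page fixes none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Header that carries the signature downstream (assumed name, not from the page).
const SignatureHeader = "Multipass-Signature"

// CanonicalHeaders applies the proposal to the headers listed in names: keys and
// values are trimmed and lowercased, repeated headers are joined with commas,
// and the entries are sorted by key. The "key:value\n" serialisation is an
// assumption; the page does not fix one.
func CanonicalHeaders(h http.Header, names []string) string {
	type entry struct{ key, value string }
	var entries []entry
	for _, name := range names {
		values := h.Values(name) // Values canonicalises the lookup key itself
		if len(values) == 0 {
			continue
		}
		clean := make([]string, 0, len(values))
		for _, v := range values {
			clean = append(clean, strings.ToLower(strings.TrimSpace(v)))
		}
		entries = append(entries, entry{
			key:   strings.ToLower(strings.TrimSpace(name)),
			value: strings.Join(clean, ","),
		})
	}
	sort.Slice(entries, func(i, j int) bool { return entries[i].key < entries[j].key })
	var b strings.Builder
	for _, e := range entries {
		b.WriteString(e.key + ":" + e.value + "\n")
	}
	return b.String()
}

// Sign (proxy side) signs the canonical form with Ed25519 (assumed scheme) and
// stores the base64 signature in SignatureHeader.
func Sign(priv ed25519.PrivateKey, h http.Header, names []string) {
	sig := ed25519.Sign(priv, []byte(CanonicalHeaders(h, names)))
	h.Set(SignatureHeader, base64.StdEncoding.EncodeToString(sig))
}

// Verify (downstream side) recomputes the canonical form and checks the
// signature. A missing or malformed signature is treated as invalid.
func Verify(pub ed25519.PublicKey, h http.Header, names []string) bool {
	sig, err := base64.StdEncoding.DecodeString(h.Get(SignatureHeader))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(CanonicalHeaders(h, names)), sig)
}

// sampleHeaders is a constructed request: the page's Multipass-Handle example
// with stray whitespace and mixed case, plus an assumed Multipass-Groups header
// sent twice to show the comma join.
func sampleHeaders() http.Header {
	h := http.Header{}
	h.Add("Multipass-Handle", "  Bob@Example.com ")
	h.Add("Multipass-Groups", "Admin")
	h.Add("Multipass-Groups", " dev")
	return h
}

// signedNames is the header list both sides must agree on in advance.
var signedNames = []string{"Multipass-Handle", "Multipass-Groups"}

// ExampleCanonical returns the canonical form of the constructed sample headers.
func ExampleCanonical() string {
	return CanonicalHeaders(sampleHeaders(), signedNames)
}

// DemoRoundTrip signs the sample headers, verifies them unchanged, then
// replaces the handle and verifies again. Returns (okOriginal, okTampered, err).
func DemoRoundTrip() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	h := sampleHeaders()
	Sign(priv, h, signedNames)
	okOriginal := Verify(pub, h, signedNames)
	h.Set("Multipass-Handle", "alice@example.com") // modified after signing
	okTampered := Verify(pub, h, signedNames)
	return okOriginal, okTampered, nil
}

func main() {
	fmt.Print(ExampleCanonical())
	ok, tampered, err := DemoRoundTrip()
	fmt.Println("original valid:", ok, "tampered valid:", tampered, "err:", err)
}
```

Two points the proposal leaves open are visible in the code: the list of signed header names must be fixed on both sides (a header absent from the list is neither signed nor checked), and the downstream handler must treat a missing signature as a rejection rather than falling back to the unsigned handle. Lowercasing values also means case-sensitive handles cannot be distinguished after normalisation, which is acceptable for the e-mail-style handle shown but worth noting before other headers are added.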