php-http / httplug

HTTPlug, the HTTP client abstraction for PHP
http://httplug.io
MIT License

HMAC Authentication Plugin #141

Closed rrajkomar closed 4 years ago

rrajkomar commented 6 years ago
Q | A
Bug? | no
New Feature? | yes

Would it be possible to add an HMAC authentication Plugin?

Also, another plugin for identity key/token authentication (kinda like the bearer one) would be nice, but even nicer if it did not override other authentication mechanisms configured, so that it'd be possible to couple several mechanisms together (i.e.: hmac + identity for extra secure paths).

dbu commented 6 years ago

you can always implement your own authentications and use them with the AuthenticationPlugin.

if you have a good implementation of HMAC it could be cool to add it to php-http/message in https://github.com/php-http/message/tree/master/src/Authentication. this depends a bit on how complicated HMAC is though - if it depends on other libraries or is otherwise complicated enough to need several classes, it's better as a separate component.

you should be able to add more than one instance of the authentication plugin to a client: http://docs.php-http.org/en/latest/plugins/authentication.html - does that not work?

rrajkomar commented 6 years ago

Hi, I know I can implement my own authentication class, but I thought it'd be best not to have multiple versions of an authentication class that could be beneficial to all (much like wsse, hmac is a quite common authentication mechanism).

if you have a good implementation of HMAC it could be cool to add it to php-http/message in https://github.com/php-http/message/tree/master/src/Authentication. this depends a bit on how complicated HMAC is though - if it depends on other libraries or is otherwise complicated enough to need several classes, it's better as a separate component.

I do have an implementation that I started working on, but it is based on a custom class (in an external dependency) whose job is to sign and verify hmac requests (and it is not publicly available yet).

you should be able to add more than one instance of the authentication plugin to a client: http://docs.php-http.org/en/latest/plugins/authentication.html - does that not work?

Adding multiple mechanisms is not the issue here; the issue is that if multiple mechanisms add the same header (in this case the Authorization header) I don't think you can use both authentications simultaneously.

A simple example is to have a client app authenticating itself using hmac and authenticating the end-user who made the request via a token: if both mechanisms write to the same header, at some point one is bound to overwrite the other, and you can never use both at the same time to authenticate both client app and end user.
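One way to build the HMAC authentication discussed above so that it can be stacked with a Bearer token, as an added example (not code from HTTPlug or from rrajkomar's implementation). It assumes php-http/message, php-http/client-common and a PSR-7 implementation are installed via Composer; the header names (X-Signature, X-Content-Hash), the signed-string layout, the key id and the variables $httpClient and $userToken are constructed for illustration.

```php
<?php
// Added example, not HTTPlug project code. Header names and signed-string
// layout are constructed; the server must verify with the same layout and
// compare signatures with hash_equals().
declare(strict_types=1);

use Http\Client\Common\Plugin\AuthenticationPlugin;
use Http\Client\Common\PluginClient;
use Http\Message\Authentication;
use Http\Message\Authentication\Bearer;
use Psr\Http\Message\RequestInterface;

final class HmacAuthentication implements Authentication
{
    public function __construct(
        private string $keyId,
        private string $secret,
        private string $algo = 'sha256'
    ) {}

    // Signs method, path, Date and a body hash. The result goes into
    // X-Signature rather than Authorization, so another plugin that writes
    // Authorization (e.g. Bearer for the end user) is not overwritten.
    public function authenticate(RequestInterface $request): RequestInterface
    {
        $date = $request->hasHeader('Date')
            ? $request->getHeaderLine('Date')
            : gmdate('D, d M Y H:i:s \G\M\T');
        $body = $request->getBody();
        $bodyHash = hash($this->algo, (string) $body);
        if ($body->isSeekable()) {
            $body->rewind(); // leave the stream readable for the transport
        }
        $toSign = implode("\n", [
            strtoupper($request->getMethod()),
            $request->getUri()->getPath(),
            $date,
            $bodyHash,
        ]);
        $sig = base64_encode(hash_hmac($this->algo, $toSign, $this->secret, true));
        $value = sprintf('keyId="%s",algorithm="hmac-%s",signature="%s"',
            $this->keyId, $this->algo, $sig);

        return $request
            ->withHeader('Date', $date)
            ->withHeader('X-Content-Hash', $bodyHash)
            ->withHeader('X-Signature', $value);
    }
}

// Two AuthenticationPlugin instances: the HMAC signer identifies the client
// app, the Bearer token identifies the end user; distinct headers, no clash.
$client = new PluginClient($httpClient, [
    new AuthenticationPlugin(new HmacAuthentication('app-1', getenv('HMAC_SECRET'))),
    new AuthenticationPlugin(new Bearer($userToken)),
]);
```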

dbu commented 6 years ago

same header

what do the standards say how multiple mechanisms should work? should we use withAddedHeader in our plugins so that authentications accumulate? would that not trip up some of the implementations?

hmac

i was afraid that hmac is not trivial. if this needs an encoder and possibly some crypto library or something, i think it should be a separate repository to not overload what's in php-http/message.

dbu commented 4 years ago

if someone did an hmac auth library for php-http, please add it in https://github.com/php-http/documentation/