postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Support HMAC auth #3781

Open jm3 opened 7 years ago

jm3 commented 7 years ago

App Details:

Postman for Mac
Version 4.11.0
OS X 16.4.0 / x64

Issue Report:

  1. Did you encounter this recently, or has this bug always been there: first time for me
  2. Expected behaviour: AWS accepts signed, authenticated request
  3. Console logs (http://blog.getpostman.com/2014/01/27/enabling-chrome-developer-tools-inside-postman/ for the Chrome App, View->Toggle Dev Tools for the Mac app):
  4. Screenshots (if applicable)

Using the native mac app, the HMAC signature is being generated in the header, but it appears that Amazon's Product Ads API requires a generated Signature param that Postman is not adding to the request when sending. Error:

<?xml version="1.0"?>
<ItemLookupErrorResponse xmlns="http://ecs.amazonaws.com/doc/2005-10-05/">
    <Error>
        <Code>MissingParameter</Code>
        <Message>The request must contain the parameter Signature.</Message>
    </Error>
    <RequestID>66bfc40b-5f30-41c4-8b39-237127bc52a8</RequestID>
</ItemLookupErrorResponse>

As shown, the API returns "The request must contain the parameter Signature".

Is there any setting I can enable in Postman to ensure that the Signature gets calculated and added to the request? Or is there another way I can use Postman to query the Amazon Product Ads API? Could the Service Name field have anything to do with this? (As shown in the screenshot, I've left it blank by default.)

SamvelRaja commented 7 years ago

@jm3 Thanks for taking this to our notice, we will get back to you on the status soon.

harryi3t commented 7 years ago

@jm3 After having a quick look at the docs, I think the Amazon Product Advertising API does not even use aws4 auth. It uses HMAC-SHA256.

Though aws4 internally uses the same HMAC-SHA256, the header or parameter requirements are quite different from those of simple HMAC-SHA256.

Also, check this official aws4 doc for more information. Notice how aws4 requires all X-Amz-XXX values (either in header or in param), but in the ads API only signature and timestamp are required.

Please do correct me if I am wrong :) Otherwise, I can mark this issue as a feature request (for supporting HMAC-SHA256 auth)

jm3 commented 7 years ago

Sounds right 👍

harryi3t commented 7 years ago

Cool, marking this as a feature request

Misiu commented 6 years ago

@harryi3t any news about first-class support for HMAC auth? I'm aware there are pre-request scripts, but HMAC-SHA256 and HMAC-SHA512 are quite standard and commonly used, so ideally there should be another option in the TYPE dropdown in the Authorization section.

harryi3t commented 6 years ago

@Misiu I am afraid this is not on our immediate roadmap. Please upvote the issue :)

Misiu commented 6 years ago

@harryi3t thanks for the update :) I've already upvoted it. I'll stick with the pre-request script for now, but if there were a way to create a PR with that feature I would like to help with it.

harryi3t commented 6 years ago

@Misiu

if there were a way to create a PR with that feature I would like to help with it.

We use postman-runtime internally as the execution engine. Here you can find the list of all supported auths https://github.com/postmanlabs/postman-runtime/tree/develop/lib/authorizer

Misiu commented 6 years ago

I think it will be hard to support that type of auth, mainly because there isn't any standard way of creating the hash. Each implementation can have a different order of parts (nonce, timestamp, userId etc.). The easiest way is a pre-request script (I've already created one), but I have trouble making it universal - https://github.com/postmanlabs/postman-app-support/issues/4377, mainly because I can't access the raw request body with files included. @harryi3t is this even possible with the current API? Can I access the full request data? I need to read the full request body as bytes to be able to calculate the hash out of it.

Misiu commented 4 years ago

@vvs11 does this mean that finally HMAC support will be added? For now, I must use an app that I created to be able to access the request body; I'd like to replace all of that with Postman.