techops-staffing / kong-okta-auth-plugin


Provide plugin HTTP headers signature #7

Open lucmir opened 7 years ago

lucmir commented 7 years ago

Headers included by okta-auth-plugin should be signed in order to ensure they came from Kong.

pduldig-at-tw commented 7 years ago

In order to standardize across platforms, we should use a standard crypto library that has lots of language bindings. For this -- I think we could do something like:

https://github.com/kext/lua-nacl (NACL -- networking and cryptography library)

  1. Generate a secret and public key with nacl.sign_keypair(). Save the outputs somewhere safe.
  2. In the plugin, define the private key as an object.
  3. Calculate a hash of all the OKTA headers, i.e. SHA256('OKTA-USER', 'username', 'OKTA-GROUP', 'group') (this is ultimately a custom encoding; consider how you standardize this encoding, like Key, Value without the :, etc.).
  4. Perform sig = nacl.sign(m, sk), where m is the hash and sk is the secret key defined earlier.
  5. Append KONG-SIGNATURE sig to the headers.

As part of the contract that applications must conform to, have a check that verifies nacl.sign_open(sm, pk), where sm is the signature and pk is the Kong Public Key.

If the signature fails, the request should be dropped by the application.
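The scheme proposed above, as an added example that is not part of this issue or the plugin's code: it uses Go's standard crypto/ed25519 in place of lua-nacl (nacl.sign is Ed25519 underneath, but here the signature is detached rather than a signed-message blob), and the header names and the length-prefixed canonical encoding are assumptions chosen to make the "custom encoding" point from step 3 unambiguous.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"sort"
)

// Hypothetical header names for this example; the plugin may use others.
const SignatureHeader = "KONG-SIGNATURE"

var SignedHeaders = []string{"OKTA-USER", "OKTA-GROUP"}

// canonicalize is step 3 with an unambiguous encoding: every name and value is
// length-prefixed and names are sorted, so shifting a byte between a name and a
// value, or reordering headers, changes the bytes that get signed.
func canonicalize(headers map[string]string) []byte {
	names := append([]string(nil), SignedHeaders...)
	sort.Strings(names)
	var out []byte
	for _, n := range names {
		v := headers[n] // an absent header is signed as empty, so it is still covered
		out = append(out, fmt.Sprintf("%d:%s%d:%s", len(n), n, len(v), v)...)
	}
	return out
}

// SignHeaders is steps 4 and 5; Ed25519 hashes internally, so no separate SHA-256.
func SignHeaders(sk ed25519.PrivateKey, headers map[string]string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(sk, canonicalize(headers)))
}

// VerifyHeaders is the application-side contract check. It fails closed on a
// missing or malformed signature and verifies against the headers as received.
func VerifyHeaders(pk ed25519.PublicKey, headers map[string]string) bool {
	sig, err := base64.StdEncoding.DecodeString(headers[SignatureHeader])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pk, canonicalize(headers), sig)
}

func main() {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader) // step 1: keep sk in Kong only
	h := map[string]string{"OKTA-USER": "alice", "OKTA-GROUP": "admins"}
	h[SignatureHeader] = SignHeaders(sk, h)
	fmt.Println("valid:", VerifyHeaders(pk, h))
	h["OKTA-GROUP"] = "everyone" // tampered in transit
	fmt.Println("after tamper:", VerifyHeaders(pk, h))
}
```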