Authentication scheme for HMAC authentication in Restful services.

  • Unmesh Joshi
    Message 1 of 2 , Jun 18, 2013
      Hi,

      We have implemented a Restful service with HMAC authentication. Till now, we were using a custom authorization header. But it looks like the common practice is to use the standard HTTP "Authorization" header with a custom authorization scheme.
      Unfortunately there doesn't seem to be a standard scheme so far for HMAC based authentication. Everyone (Amazon, Azure, etc.) uses their own schemes (e.g. "AWS" used by Amazon or "SharedKey", "SharedLiteKey" used by Azure http://msdn.microsoft.com/en-us/library/dd179428.aspx). All these schemes are nearly the same, but use different scheme identifiers.

      http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-22 seems to be a work in progress, but there is no place where all the commonly used authentication schemes are listed.

      I found this https://github.com/hueniverse/hawk. But not sure if this is widely used. 

      I do not want to create a new scheme identifier, something more generic will probably make sense. 
      Thoughts?

      Thanks,
      Unmesh
    • Craig McClanahan
      Message 2 of 2 , Jun 18, 2013
        In the context of OAuth 2.0, there are efforts underway to standardize the use of MAC authentication[1], putting it in the Authorization header with a scheme name of "mac".

        Craig McClanahan




        On Tue, Jun 18, 2013 at 4:53 AM, Unmesh Joshi <unmeshjoshi@...> wrote:
         

        Hi,

        We have implemented a Restful service with HMAC authentication. Till now, we were using a custom authorization header. But it looks like the common practice is to use the standard HTTP "Authorization" header with a custom authorization scheme.
        Unfortunately there doesn't seem to be a standard scheme so far for HMAC based authentication. Everyone (Amazon, Azure, etc.) uses their own schemes (e.g. "AWS" used by Amazon or "SharedKey", "SharedLiteKey" used by Azure http://msdn.microsoft.com/en-us/library/dd179428.aspx). All these schemes are nearly the same, but use different scheme identifiers.

        http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-22 seems to be a work in progress, but there is no place where all the commonly used authentication schemes are listed.

        I found this https://github.com/hueniverse/hawk. But not sure if this is widely used. 

        I do not want to create a new scheme identifier, something more generic will probably make sense. 
        Thoughts?

        Thanks,
        Unmesh

