30 Request authentication


This chapter covers

  • Requirements of a request authentication system
  • Overview of digital signatures
  • Credential generation, registration, and signing
  • Fingerprinting HTTP requests
  • Communicating the details of a signature
  • Verifying signatures and authenticating HTTP requests

In this pattern, we’ll explore how and why to use public-private key exchange and digital signatures (https://en.wikipedia.org/wiki/Digital_signature) to authenticate all incoming API requests. This ensures that every inbound request has guaranteed integrity and origin authenticity, and that the sender cannot later repudiate having sent it. While alternatives (e.g., shared secrets and HMAC; https://en.wikipedia.org/wiki/HMAC) are acceptable in the majority of cases, they fall short once third parties are involved and nonrepudiation is required, because anyone holding the shared secret could have produced the same tag.

30.1 Motivation

So far, we’ve simply assumed that all API requests are guaranteed to be authentic, leaving security to be dealt with later on. As you might guess, now is the time to explore a fundamental question: given an inbound API request, how can we determine that it came from an actual authorized user?

30.1.1 Origin

30.1.2 Integrity

30.1.3 Nonrepudiation

30.2 Overview

30.3 Implementation

30.3.1 Credential generation

30.3.2 Registration and credential exchange

30.3.3 Generating and verifying raw signatures

30.3.4 Request fingerprinting

30.3.5 Including the signature

30.3.6 Authenticating requests

30.3.7 Final API definition

30.4 Trade-offs