30 Request authentication

This chapter covers...

  • Requirements of a request authentication system
  • Overview of digital signatures
  • Credential generation, registration, and signing
  • Fingerprinting HTTP requests
  • Communicating the details of a signature
  • Verifying signatures and authenticating HTTP requests

In this pattern, we'll explore how and why to use public-private key pairs and digital signatures to authenticate all incoming API requests. This ensures that every inbound request has guaranteed integrity and origin authenticity, and that it cannot later be repudiated by its sender. While alternatives such as shared secrets with HMAC are acceptable in most cases, they fail once third parties are involved and non-repudiation is required, because anyone who can verify an HMAC tag can also produce one.
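The following is an added example, not code from the book, showing the contrast the paragraph above describes: a client signs a canonical fingerprint of its HTTP request with an Ed25519 private key, and the API server verifies it with the registered public key alone, so the server can check a request but never manufacture one. The shared-secret HMAC variant is shown beside it to make the non-repudiation gap concrete. The `Request` type, the fingerprint fields (method, path, Date header, SHA-256 of the body) and the choice of Ed25519 are assumptions for this illustration; the book's own fingerprint format is defined later in the chapter and is not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Request is a minimal stand-in for an inbound HTTP request
// (constructed for this example; not the book's type).
type Request struct {
	Method string
	Path   string
	Date   string // value of the Date header, also used to bound replay
	Body   []byte
}

// Fingerprint builds the canonical byte string that gets signed.
// Covering method, path, date and a hash of the body means any change
// to them invalidates the signature; a verifier that also checks Date
// against a clock-skew window limits how long a captured request is useful.
func Fingerprint(r Request) []byte {
	bodyHash := sha256.Sum256(r.Body)
	s := strings.Join([]string{
		r.Method,
		r.Path,
		r.Date,
		hex.EncodeToString(bodyHash[:]),
	}, "\n")
	return []byte(s)
}

// SignRequest is the client side: only the holder of priv can produce this.
func SignRequest(priv ed25519.PrivateKey, r Request) []byte {
	return ed25519.Sign(priv, Fingerprint(r))
}

// VerifyRequest is the server side: it holds only the public key the
// client registered and can check, but not create, signatures.
func VerifyRequest(pub ed25519.PublicKey, r Request, sig []byte) bool {
	return ed25519.Verify(pub, Fingerprint(r), sig)
}

// HMACTag is the shared-secret alternative. The same key both makes and
// checks the tag, so whoever can verify can also forge: no non-repudiation.
func HMACTag(secret []byte, r Request) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(Fingerprint(r))
	return mac.Sum(nil)
}

// VerifyHMAC uses a constant-time comparison to avoid leaking the tag.
func VerifyHMAC(secret []byte, r Request, tag []byte) bool {
	return hmac.Equal(HMACTag(secret, r), tag)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	req := Request{
		Method: "POST",
		Path:   "/v1/transfers",
		Date:   "Tue, 02 Jan 2024 10:00:00 GMT",
		Body:   []byte(`{"amount":100}`), // constructed sample body
	}
	sig := SignRequest(priv, req)
	fmt.Println("valid signature accepted:", VerifyRequest(pub, req, sig))

	tampered := req
	tampered.Body = []byte(`{"amount":1000}`)
	fmt.Println("tampered body accepted:", VerifyRequest(pub, tampered, sig))

	// With a shared secret, the server itself can mint a tag for a request
	// the client never sent, so the client could later deny having sent it.
	secret := []byte("shared-secret-for-demo")
	serverMade := HMACTag(secret, tampered)
	fmt.Println("server-minted HMAC verifies:", VerifyHMAC(secret, tampered, serverMade))
}
```

In a real deployment the signature and the identifier of the registered key travel in a request header, and the server rejects requests whose Date falls outside an acceptable window before it bothers to verify.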

30.1  Motivation

So far, we've simply assumed that all API requests are guaranteed to be "authentic", leaving security to be dealt with later on. As you might guess, now is the time when we need to explore a fundamental question: given an inbound API request, how can we determine that it came from an actual authorized user?

30.1.1    Origin

30.1.2    Integrity

30.1.3    Non-repudiation

30.2  Overview

30.3  Implementation

30.3.1    Credential generation

30.3.2    Registration and credential exchange

30.3.3    Generating and verifying raw signatures

30.3.4    Request fingerprinting

30.3.5    Including the signature

30.3.6    Authenticating requests

30.3.7    Final API definition

30.4  Trade-offs

30.5  Exercises

30.6  Summary

30.7  References
