30 Request authentication
This chapter covers...
- Requirements of a request authentication system
- Overview of digital signatures
- Credential generation, registration, and signing
- Fingerprinting HTTP requests
- Communicating the details of a signature
- Verifying signatures and authenticating HTTP requests
In this pattern, we'll explore how and why to use public-private key exchange and digital signatures to authenticate all incoming API requests. This ensures that every inbound request has guaranteed integrity and origin authenticity, and that the sender cannot later repudiate it. While alternatives (e.g., shared secrets and HMAC) are acceptable in the majority of cases, they fail once third parties are involved and non-repudiation is required, because every holder of the shared secret can produce the same tag.
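The difference between a shared-secret HMAC and a digital signature is easiest to see in code. The following Go program is an added example written for this page, not code from the book or its author. It assumes a request fingerprint built from the method, path, host, a date header and a SHA-256 body digest (the exact fields are an assumption; the chapter only says requests are fingerprinted), and it uses Ed25519 from Go's standard library as the signature scheme, which the chapter does not prescribe. It signs and verifies a fingerprint, shows that tampering with the body breaks verification, and then shows that a server holding the HMAC secret can reproduce the client's tag exactly, which is why an HMAC cannot prove to a third party who sent a request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Request holds the parts of an HTTP request that the fingerprint covers.
// The field set is an assumption for this example.
type Request struct {
	Method string
	Path   string
	Host   string
	Date   string // e.g. the Date header, so a signature is bound to a point in time
	Body   []byte
}

// Fingerprint canonicalizes the request into the bytes that get signed.
// Canonicalization (upper-case method, lower-case host, hashed body) matters:
// both sides must derive exactly the same bytes or verification fails.
func Fingerprint(r Request) []byte {
	digest := sha256.Sum256(r.Body)
	return []byte(strings.Join([]string{
		strings.ToUpper(r.Method),
		r.Path,
		strings.ToLower(r.Host),
		r.Date,
		hex.EncodeToString(digest[:]),
	}, "\n"))
}

// SignRequest produces a detached Ed25519 signature over the fingerprint.
// Only the holder of the private key can produce it.
func SignRequest(priv ed25519.PrivateKey, r Request) []byte {
	return ed25519.Sign(priv, Fingerprint(r))
}

// VerifyRequest checks a signature with the registered public key.
// The verifier never needs, and never holds, the private key.
func VerifyRequest(pub ed25519.PublicKey, r Request, sig []byte) bool {
	return ed25519.Verify(pub, Fingerprint(r), sig)
}

// HMACTag computes the shared-secret alternative over the same fingerprint.
func HMACTag(secret []byte, r Request) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(Fingerprint(r))
	return m.Sum(nil)
}

// ServerCanForgeHMAC demonstrates the non-repudiation gap: anyone who holds the
// shared secret, including the API server itself, can compute a tag that is
// byte-for-byte identical to the client's, so the tag proves nothing to a third party.
func ServerCanForgeHMAC(secret []byte, r Request, clientTag []byte) bool {
	return hmac.Equal(HMACTag(secret, r), clientTag)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // client key pair; pub is registered with the API
	if err != nil {
		panic(err)
	}
	req := Request{ // constructed sample request
		Method: "post", Path: "/v1/transfers", Host: "API.Example.com",
		Date: "Tue, 01 Jan 2030 00:00:00 GMT", Body: []byte(`{"amount":10}`),
	}
	sig := SignRequest(priv, req)
	fmt.Println("signature verifies:", VerifyRequest(pub, req, sig))

	tampered := req
	tampered.Body = []byte(`{"amount":1000}`)
	fmt.Println("tampered body verifies:", VerifyRequest(pub, tampered, sig))

	secret := []byte("shared-secret-known-to-client-and-server") // constructed
	tag := HMACTag(secret, req)
	fmt.Println("server can reproduce client's HMAC:", ServerCanForgeHMAC(secret, req, tag))
}
```

Run it with `go run` and the three lines print true, false, true: the signature is bound to the exact request bytes, and the HMAC, while equally tamper-evident, gives the server the same forging power as the client.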
30.1 Motivation
So far, we've simply assumed that all API requests are guaranteed to be "authentic", leaving security to be dealt with later on. As you might guess, now is the time where we need to explore a fundamental question: given an inbound API request, how can we determine that it came from an actual authorized user?