Kyle Smith edited this page Sep 2, 2017 · 10 revisions

HTTP HMAC Spec Wiki

FAQ

Why not HTTP basic authentication?

Basic authentication is the simplest way to add authentication to a REST API, but it is generally considered the least secure method because the same plain-text password is sent with every API request. HMAC-based authentication schemes never transmit the shared secret over the wire and generate a unique signature for each request. The hashing strategy provided by this spec mitigates replay attacks and prevents data from being tampered with while in transit to the endpoint.
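
The properties described above (secret never on the wire, per-request signatures, replay and tamper detection) in a small added example; this is illustrative code written for this page, not the spec's own canonicalization or any of its implementations, and the string-to-sign layout, the in-memory nonce cache and the 300-second skew window are assumptions:

```python
import hashlib
import hmac
import time


def string_to_sign(method, path, timestamp, nonce, body):
    # Assumed canonical form: the real spec defines its own layout.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(secret, method, path, timestamp, nonce, body):
    # Only the resulting signature is sent; the shared secret stays on the client.
    msg = string_to_sign(method, path, timestamp, nonce, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, secrets, max_skew=300):
        self.secrets = secrets        # key id -> shared secret (bytes)
        self.max_skew = max_skew      # accepted clock skew in seconds (assumed)
        self.seen_nonces = set()      # replay cache; in-memory for illustration

    def verify(self, key_id, signature, method, path, timestamp, nonce, body, now=None):
        now = time.time() if now is None else now
        secret = self.secrets.get(key_id)
        if secret is None:
            return "unknown key"
        if abs(now - timestamp) > self.max_skew:
            return "stale timestamp"   # bounds how long a captured request is usable
        if nonce in self.seen_nonces:
            return "replay"            # same nonce presented twice inside the window
        expected = sign_request(secret, method, path, timestamp, nonce, body)
        if not hmac.compare_digest(expected, signature):
            return "bad signature"     # any change to method, path, nonce or body fails
        self.seen_nonces.add(nonce)    # record only after a valid signature
        return "ok"
```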

Why not OAuth 1.0a?

OAuth 1.0a is a widely adopted protocol that also uses an HMAC-based algorithm to sign and authenticate API requests. The main security advantage that OAuth 1.0a has over bare HMAC authentication systems is the "request token" workflow that enables browsers to initiate authentication requests on behalf of a server without ever being passed the shared secret.

The downside of this technique is the overall complexity it adds by requiring the application making requests to implement the OAuth 1.0a protocol as well. If passing the shared secret in a browser is not a concern for the app, then bare HMAC authentication systems can provide equivalent security with less complexity.

Why not OAuth 2.0?

This is best explained by Eran Hammer's OAuth 2.0 and the Road to Hell blog post explaining why he resigned as lead author and editor of the spec. OAuth 2.0 is also an authentication framework and is therefore on a different plane than the problem-space this spec addresses.

Why not JSON Web Tokens?

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties, meaning it can be used in protocols other than HTTP. JWT also has a robust community with a variety of clients in many languages. However, the JWT spec does not make a secure implementation the default and is inherently less secure than public-private key algorithms like the one implemented in this spec. Refer to the blog post by Casaba Security for more details.