Signing an HTTP request without a session

I am thinking about a REST web service which guarantees, for each request sent to it, that:

  • The request was generated by the user who approves it;
  • The request was not changed by someone else (uri / method / content / date);
  • For GET requests, it should be possible to create a URI with enough information to verify the signature and set an expiration date. Thus, a user can delegate temporary READ permission on a resource to a collaborator for a limited period of time via a generated URI.

Clients authenticate with their identifier and a content signature derived from their password.

There should be no session at all, and therefore no server-side state! Server and client share a secret key (the password).

After thinking about it and talking with some really good people, it seems that there is no existing REST service that does this as simply as it should be done for my use case. (HTTP Digest and OAuth can do it, but with server state and a very chatty exchange.)

So I designed one, and I am asking for your comments on how it should be improved (I will release it as open source and hope it can help others).

To carry the credentials, the service uses its own "Content-signature" header. An authenticated request should contain this header:

Content-signature: <METHOD>-<USERID>-<SIGNATURE>

<METHOD> is the sign method used, in our case SRAS.
<USERID> stands for the user ID mentioned earlier.
<SIGNATURE> = SHA2(SHA2(<PASSWORD>):SHA2(<REQUEST_HASH>));
<REQUEST_HASH> = <HTTP_METHOD>\n
                 <HTTP_URI>\n
                 <REQUEST_DATE>\n
                 <BODY_CONTENT>;

The request is invalid 10 minutes after its creation.

For example, a typical HTTP request:

POST /ressource HTTP/1.1
Host: www.elphia.fr
Date: Sun, 06 Nov 1994 08:49:37 GMT
Content-signature: SRAS-62ABCD651FD52614BC42FD-760FA9826BC654BC42FD

{ test: "yes" }

The server will reply:

401 Unauthorized

OR

200 OK

Variables:

<USERID> = 62ABCD651FD52614BC42FD
<REQUEST_HASH> = POST\n
                 /ressource\n
                 Sun, 06 Nov 1994 08:49:37 GMT\n
                 { test: "yes" }\n

URI Parameters

Some parameters can be added to the URI (they override the header information):

  • _sras.content-signature = <METHOD> - <USERID> - < > : URI, HTTP. ;
  • _sras.date = , 06 1994 08:49:37 GMT ( *): .
  • _sras.expires = Sun, 06 Nov 1994 08:49:37 GMT ( *): ,

* : http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.18
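The signing scheme described in the question (the Content-signature header, the REQUEST_HASH lines, the 10-minute validity window and the delegated GET URI with `_sras.*` parameters), worked through as an added example; this is not the question author's code. It assumes that SHA2 means SHA-256 with hex output, that the four REQUEST_HASH lines are joined with newlines including a trailing one (as in the Variables block), that the `_sras.*` parameters are stripped from the URI before it is signed, and, for delegated GET links, that the `_sras.expires` value is appended to the signed string so the holder of the link cannot extend it (that last point goes beyond the page's definition). The user id, password, dates and body are constructed sample values.

```python
import hashlib
import hmac
from datetime import timedelta
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SIGN_METHOD = "SRAS"
MAX_AGE = timedelta(minutes=10)  # "the request is invalid 10 minutes after its creation"


def sha2(text):
    # Assumption: SHA2 in the question means SHA-256, hex encoded.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def request_hash(method, uri, date, body, expires=None):
    # <HTTP_METHOD>\n<HTTP_URI>\n<REQUEST_DATE>\n<BODY_CONTENT>\n as in the Variables
    # block; the extra expiry line is an addition used only for delegated links.
    lines = [method, uri, date, body]
    if expires is not None:
        lines.append(expires)
    return "\n".join(lines) + "\n"


def sras_signature(password, canonical):
    # <SIGNATURE> = SHA2(SHA2(<PASSWORD>):SHA2(<REQUEST_HASH>))
    return sha2(f"{sha2(password)}:{sha2(canonical)}")


def content_signature_header(user_id, password, method, uri, date, body):
    """Client side: the value of the Content-signature header."""
    sig = sras_signature(password, request_hash(method, uri, date, body))
    return f"{SIGN_METHOD}-{user_id}-{sig}"


def delegated_get_uri(user_id, password, uri, date, expires):
    """Client side: a GET link a collaborator may use until `expires` (an HTTP date)."""
    sig = sras_signature(password, request_hash("GET", uri, date, "", expires))
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + [
        ("_sras.content-signature", f"{SIGN_METHOD}-{user_id}-{sig}"),
        ("_sras.date", date),
        ("_sras.expires", expires),
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


def http_date_plus(date_value, minutes):
    """The HTTP date shifted by `minutes`, as an aware datetime (used as `now`)."""
    return parsedate_to_datetime(date_value) + timedelta(minutes=minutes)


def verify_request(method, uri, headers, body, credentials, now):
    """Server side. `credentials` maps user id -> password (the shared secret);
    `now` is an aware datetime. Returns (True, user_id) or (False, reason)."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    sras = dict((k, v) for k, v in query if k.startswith("_sras."))
    # URI parameters override the headers and are removed before the URI is signed.
    rest = urlencode([(k, v) for k, v in query if not k.startswith("_sras.")])
    signed_uri = urlunsplit(parts._replace(query=rest))
    sig_value = sras.get("_sras.content-signature", headers.get("Content-signature"))
    date_value = sras.get("_sras.date", headers.get("Date"))
    expires_value = sras.get("_sras.expires")
    if not sig_value or not date_value:
        return False, "missing signature or date"
    try:
        sign_method, user_id, presented = sig_value.split("-", 2)
        sent = parsedate_to_datetime(date_value)
    except (TypeError, ValueError):
        return False, "malformed signature or date"
    if sign_method != SIGN_METHOD:
        return False, "unsupported sign method"
    password = credentials.get(user_id)
    if password is None:
        return False, "unknown user"
    if expires_value is not None:
        if method != "GET":
            return False, "delegated links are read-only"
        try:
            expires = parsedate_to_datetime(expires_value)
        except (TypeError, ValueError):
            return False, "malformed expiry"
        if now > expires:
            return False, "link expired"
    elif not (sent <= now <= sent + MAX_AGE):
        return False, "outside the 10-minute window"
    expected = sras_signature(
        password, request_hash(method, signed_uri, date_value, body, expires_value))
    # Constant-time comparison so a wrong signature does not leak where it differs.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, user_id
```

The verifier recomputes the signature from the server's copy of the password and the request as received, so any change to method, URI, date or body produces a different digest; the date is part of the signed string, so the 10-minute window cannot be moved by editing the Date header. For a delegated link the expiry check replaces the 10-minute window, which is why the expiry value itself has to be covered by the signature.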


+5
2

, . :

1- "X-Namespace-" , : "X-SRAS-Content-Signature".

2- nonce, 1 .

3- nonce, 10 , , , POST ( - REST), GET PUT DELETE .

PUT 10- . GET DELETE .

, , nonce, , .

4- , 10 . , AJAX, . UTC.

10 , , , nonce. , , nonce. , nonce nonce reset.

, , nonce . , .

5- - . , , TCP Ack , TCP- . nonce TCP , nonce. , : POST 2 .

6- , , , .

7- , DNS. . ​​ , , .

+5

, OAuth, "2-legged OAuth", . . http://tools.ietf.org/html/rfc5849#page-14. oauth_token , , HMAC-SHA1. . OAuth, - . , OAuth .

, , , , ( ). nonce/lifetime, HTTPS, , HTTPS + Basic Auth , , .

+1
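The keyed-MAC and nonce approach the answers point to, as an added example that is not from either answerer: an HMAC-SHA1 over the request (the keyed construction RFC 5849 uses; the canonical layout here is the question's four lines plus a nonce line, a constructed layout rather than the RFC's signature base string) together with a server-side nonce cache that rejects a replay of an accepted request inside the 10-minute window. The user id, secret, nonce and date values are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import timedelta
from email.utils import parsedate_to_datetime

WINDOW = timedelta(minutes=10)


def canonical(method, uri, date, body, nonce):
    # The question's four lines plus a nonce line (constructed layout).
    return f"{method}\n{uri}\n{date}\n{body}\n{nonce}\n"


def hmac_sha1_signature(secret, text):
    # Keyed MAC: the secret is the key, not part of the hashed text.
    return hmac.new(secret.encode("utf-8"), text.encode("utf-8"), hashlib.sha1).hexdigest()


def new_nonce():
    """Client side: a fresh random nonce for each request."""
    return secrets.token_hex(16)


def sign(secret, method, uri, date, body, nonce):
    """Client side: signature the client sends alongside its id, date and nonce."""
    return hmac_sha1_signature(secret, canonical(method, uri, date, body, nonce))


def http_date_plus(date_value, minutes):
    """The HTTP date shifted by `minutes`, as an aware datetime (used as `now`)."""
    return parsedate_to_datetime(date_value) + timedelta(minutes=minutes)


class NonceVerifier:
    """Server side: remembers (user, nonce) pairs for the 10-minute window so a
    captured request cannot be submitted a second time inside it."""

    def __init__(self, credentials):
        self.credentials = credentials  # user id -> shared secret
        self.seen = {}                  # (user id, nonce) -> time first accepted

    def verify(self, user_id, nonce, signature, method, uri, date, body, now):
        secret = self.credentials.get(user_id)
        if secret is None:
            return False, "unknown user"
        try:
            sent = parsedate_to_datetime(date)
        except (TypeError, ValueError):
            return False, "malformed date"
        if not (sent <= now <= sent + WINDOW):
            return False, "outside the 10-minute window"
        # Entries older than the window can be forgotten: any request that old
        # already fails the date check, so the cache stays bounded.
        self.seen = {key: t for key, t in self.seen.items() if now - t <= WINDOW}
        if (user_id, nonce) in self.seen:
            return False, "replayed nonce"
        expected = sign(secret, method, uri, date, body, nonce)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.seen[(user_id, nonce)] = now
        return True, user_id
```

The nonce is only recorded after the signature has been checked, so an unauthenticated sender cannot fill the cache with arbitrary values, and the date window bounds how long each entry must be kept.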
