Authenticate requests using HTTP signature

A while ago we presented basic authentication as a mechanism to authenticate HTTP calls in your microservice.

Today, we are going to discuss another mechanism that solves the same problem: a digital signature that can be used to validate the sender identity.

The entire implementation is again available in a GitHub repository and is based on the same concept: a simple Java filter that checks all incoming calls and verifies that the computed signature is identical to the one received in the headers.

More details (they are worth understanding) are available here; this is the library used to compute the signature.

The README file also contains a piece of code that can be used to test this functionality. Compared to basic auth, this solution makes local testing more complicated, since the SwaggerUI becomes pretty hard to use.

How to improve the current implementation:

  • Use distinct keys for each client: the authentication header contains an attribute named keyId that can be used to identify the sender. That way, each client can have its own signing key instead of the single global key that our implementation loads from a configuration file.
  • Define the list of signed headers server-side and ignore the list sent by the client. This is another mechanism to ensure call authenticity.
  • Store secrets in AWS KMS.
  • Add HTTPS support to your endpoint, as described here.
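
The first two improvements can be sketched together. This is an added example, not code from the repository or from the signing library mentioned above. It uses only JDK classes and assumes HMAC-SHA256 over a signing string of `name: value` lines. The class name, the client ids, the secrets and the header list are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.*;

public class PerClientSignatureCheck {
    // Constructed per-client secrets; a real service loads these from a secret store.
    static final Map<String, String> KEYS = Map.of("client-a", "constructed-secret-a", "client-b", "constructed-secret-b");
    // Server-side header list: the client's own headers="..." attribute is never read.
    static final List<String> SIGNED = List.of("(request-target)", "host", "date");
    static final Pattern ATTR = Pattern.compile("(\\w+)=\"([^\"]*)\"");
    static String signingString(String method, String path, Map<String, String> headers) {
        StringJoiner lines = new StringJoiner("\n");
        for (String h : SIGNED) {
            String v = h.equals("(request-target)") ? method.toLowerCase() + " " + path : headers.get(h);
            if (v == null) throw new IllegalArgumentException("missing required header: " + h);
            lines.add(h + ": " + v);
        }
        return lines.toString();
    }
    static byte[] hmac(String key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    static boolean verify(String authorization, String method, String path, Map<String, String> headers) {
        try {
            Map<String, String> attrs = new HashMap<>();
            Matcher m = ATTR.matcher(authorization);
            while (m.find()) attrs.put(m.group(1), m.group(2));
            String key = KEYS.get(attrs.getOrDefault("keyId", "")); // unknown client -> null
            if (key == null) return false;
            byte[] received = Base64.getDecoder().decode(attrs.getOrDefault("signature", ""));
            // MessageDigest.isEqual compares in constant time
            return MessageDigest.isEqual(hmac(key, signingString(method, path, headers)), received);
        } catch (Exception e) {
            return false; // bad Base64 or a missing required header: reject
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the client signs what the server requires but advertises only "date".
        Map<String, String> h = Map.of("host", "api.example.com", "date", "Tue, 07 Jun 2022 20:51:35 GMT");
        String sig = Base64.getEncoder().encodeToString(hmac(KEYS.get("client-a"), signingString("GET", "/orders/1", h)));
        String auth = "Signature keyId=\"client-a\",algorithm=\"hmac-sha256\",headers=\"date\",signature=\"" + sig + "\"";
        System.out.println(verify(auth, "GET", "/orders/1", h)); // untouched request
        System.out.println(verify(auth.replace("client-a", "client-b"), "GET", "/orders/1", h)); // other client's keyId
        System.out.println(verify(auth, "GET", "/orders/2", h)); // path changed after signing
    }
}
```

Because the signing string is always rebuilt from the server's list, a client cannot shrink the set of protected headers by sending a shorter `headers` attribute.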

As always, your comments are welcome!

Happy cloud computing!