HTTP Request signature without session

I am thinking of a REST web service that ensures, for every request sent to it, that:

- The request was generated by the user who claims it;
- The request has not been modified by someone else (URI/method/content/date);
- For GET requests, it should be possible to generate a URI with enough information in it to check the signature and set a date of expiration. That way a user can delegate temporary READ permissions to a collaborator for a limited time period on a resource with a generated URI.

Clients are authenticated with an id and a content signature based on their password.

**There should be no session at all, and so no server state! The server and the client share a secret key (a password).**

After thinking about it and talking with some really nice folks, it seems there is no existing REST service that does this as simply as it should be for my use case. (HTTP Digest and OAuth can do this with server state and are very chatty.)

**So I imagined one, and I'm asking for your great comments on how it should be designed (I will release it open source and hope it can help others).**

The service uses a custom "Content-signature" header to store credentials. An authenticated request should contain this header:

```
Content-signature: <METHOD>-<USERID>-<SIGNATURE>

<METHOD> is the sign method used, in our case SRAS.
<USERID> stands for the user ID mentioned earlier.
<SIGNATURE> = SHA2(SHA2(<PASSWORD>):SHA2(<REQUEST_HASH>));
<REQUEST_HASH> = <HTTP_METHOD>\n <HTTP_URI>\n <REQUEST_DATE>\n <BODY_CONTENT>;
```

A request is invalidated 10 minutes after it has been created.

For example, a typical HTTP request would be:

```
POST /ressource HTTP/1.1
Host: www.elphia.fr
Date: Sun, 06 Nov 1994 08:49:37 GMT
Content-signature: SRAS-62ABCD651FD52614BC42FD-760FA9826BC654BC42FD

{ test: "yes" }
```

The server will answer:

```
401 Unauthorized
```

OR

```
200 OK
```

Variables would be:

```
<USERID> = 62ABCD651FD52614BC42FD
<REQUEST_HASH> = POST\n /ressource\n Sun, 06 Nov 1994 08:49:37 GMT\n { test: "yes" }\n
```

**URI Parameters**

Some parameters can be added to the URI (they override the header information):

- `_sras.content-signature=<METHOD>-<USERID>-<SIGNATURE>`: puts the credentials in the URI, not in the HTTP header. This allows a user to share a signed request;
- `_sras.date=Sun, 06 Nov 1994 08:49:37 GMT` (request date*): the date when the request was created.
- `_sras.expires=Sun, 06 Nov 1994 08:49:37 GMT` (expire date*): tells the server the request should not expire before the specified date.

*Date format: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.18

Thanks for your comments.
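A worked implementation of the scheme as the question describes it, added here as an example; it is not code from the question's author or from any released SRAS library. It assumes that "SHA2" means hex-encoded SHA-256, that the request-hash fields are joined with "\n" and end with a trailing newline as in the question's example, that the `_sras.content-signature` parameter is stripped from the URI before hashing (it cannot cover itself) while `_sras.date` and `_sras.expires` stay inside the signed URI, and that `_sras.expires` replaces the 10-minute default. The user id is the one from the question; the password, dates and request body are constructed sample values.

```python
import hashlib
import hmac
from datetime import timedelta
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

METHOD_TAG = "SRAS"
DEFAULT_TTL = timedelta(minutes=10)    # "a request is invalidated 10 minutes after it has been created"
MAX_CLOCK_SKEW = timedelta(minutes=1)  # assumption: tolerate a slightly future-dated Date header
SIG_PARAM = "_sras.content-signature"
DATE_PARAM = "_sras.date"
EXPIRES_PARAM = "_sras.expires"

# Constructed sample data (the user id is the one from the question's example).
SAMPLE_USER = "62ABCD651FD52614BC42FD"
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_DATE = "Sun, 06 Nov 1994 08:49:37 GMT"
SAMPLE_CREATED = parsedate_to_datetime(SAMPLE_DATE)
SAMPLE_USERS = {SAMPLE_USER: hashlib.sha256(SAMPLE_PASSWORD.encode()).hexdigest()}  # server stores SHA2(PASSWORD)


def sha2(data: str) -> str:
    """Assumption: the question's SHA2(...) is hex-encoded SHA-256 over UTF-8 text."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def canonical_uri(uri: str) -> str:
    """Drop the signature parameter and re-encode the query deterministically.
    _sras.date and _sras.expires are kept, so the signature covers them (assumption)."""
    parts = urlsplit(uri)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != SIG_PARAM]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def request_hash(method: str, uri: str, date: str, body: str) -> str:
    # Field layout follows the question's example: METHOD\nURI\nDATE\nBODY\n
    return f"{method}\n{canonical_uri(uri)}\n{date}\n{body}\n"


def signature_from_hash(password_hash: str, method: str, uri: str, date: str, body: str) -> str:
    # SIGNATURE = SHA2(SHA2(PASSWORD):SHA2(REQUEST_HASH)); the server only needs SHA2(PASSWORD)
    return sha2(f"{password_hash}:{sha2(request_hash(method, uri, date, body))}")


def content_signature(user_id: str, password: str, method: str, uri: str, date: str, body: str) -> str:
    """Client side: the Content-signature header value, <METHOD>-<USERID>-<SIGNATURE>."""
    return f"{METHOD_TAG}-{user_id}-{signature_from_hash(sha2(password), method, uri, date, body)}"


def share_uri(user_id: str, password: str, uri: str, date: str, expires: str) -> str:
    """Client side: delegate READ access by moving date, expiry and credentials into a GET URI."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + [(DATE_PARAM, date), (EXPIRES_PARAM, expires)]
    unsigned = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
    return unsigned + "&" + urlencode({SIG_PARAM: content_signature(user_id, password, "GET", unsigned, date, "")})


def verify(method: str, uri: str, headers: dict, body: str, now, users: dict):
    """Server side. `users` maps USERID -> SHA2(PASSWORD). Returns (ok, reason)."""
    params = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    sig_field = params.get(SIG_PARAM, headers.get("Content-signature"))  # URI parameters override headers
    date = params.get(DATE_PARAM, headers.get("Date"))
    if not sig_field or not date:
        return False, "missing Content-signature or Date"
    tag, _, rest = sig_field.partition("-")
    user_id, _, presented = rest.partition("-")
    if tag != METHOD_TAG or user_id not in users or not presented:
        return False, "unknown signing method or user"
    try:
        created = parsedate_to_datetime(date)
        expires = parsedate_to_datetime(params[EXPIRES_PARAM]) if EXPIRES_PARAM in params else created + DEFAULT_TTL
    except (TypeError, ValueError):
        return False, "unparseable date"
    if created > now + MAX_CLOCK_SKEW:
        return False, "request dated in the future"
    if now > expires:
        return False, "request expired"
    expected = signature_from_hash(users[user_id], method, uri, date, body)
    if not hmac.compare_digest(expected, presented):  # constant-time comparison of the hex digests
        return False, "bad signature"
    return True, "ok"


def demo():
    """The POST from the question, then a shared GET link; returns the five verify() results."""
    uri, body = "/ressource", '{ test: "yes" }'
    headers = {"Date": SAMPLE_DATE,
               "Content-signature": content_signature(SAMPLE_USER, SAMPLE_PASSWORD, "POST", uri, SAMPLE_DATE, body)}
    fresh = verify("POST", uri, headers, body, SAMPLE_CREATED + timedelta(minutes=5), SAMPLE_USERS)
    stale = verify("POST", uri, headers, body, SAMPLE_CREATED + timedelta(minutes=11), SAMPLE_USERS)
    tampered = verify("POST", uri, headers, '{ test: "no" }', SAMPLE_CREATED + timedelta(minutes=5), SAMPLE_USERS)
    link = share_uri(SAMPLE_USER, SAMPLE_PASSWORD, uri, SAMPLE_DATE, "Mon, 07 Nov 1994 08:49:37 GMT")
    shared = verify("GET", link, {}, "", SAMPLE_CREATED + timedelta(hours=20), SAMPLE_USERS)
    # Holder of the link edits the expiry by one day: the URI no longer matches the signed one.
    extended = verify("GET", link.replace("07+Nov", "08+Nov"), {}, "", SAMPLE_CREATED + timedelta(hours=20), SAMPLE_USERS)
    return fresh, stale, tampered, shared, extended


if __name__ == "__main__":
    for name, result in zip(("fresh", "stale", "tampered", "shared", "extended"), demo()):
        print(f"{name:9s} -> {result}")
```

Keeping `_sras.expires` inside the signed URI is what stops the holder of a shared link from moving its expiry, which is what the last case in `demo()` exercises. Three points a reviewer would raise against the scheme as written: the server has to store `SHA2(PASSWORD)`, an unsalted hash that is also password-equivalent for signing; nesting plain hashes is not the standard way to bind a secret to a message, and a keyed MAC such as HMAC-SHA256 over the request hash (which drops straight into `signature_from_hash`) is the usual construction; and there is no nonce, so a captured request stays valid until it expires.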