WAI HMAC Authentication Middleware and Client
HMAC Authentication Middleware for WAI with supporting client module. Supports SHA512, SHA256, SHA1, and MD5 request signatures.
This HMAC Authentication implementation is based on the Amazon AWS Authentication scheme. See the Specification section for more details
These packages are still experimental
Client
A client module resides in client/. The client is built on http-client and has one primary function, applyHmacAuth, which is similar to http-client’s applyBasicAuth. There are redundancies between the middleware and client in order to keep a minimum dependency profile on both components.
Example
# Run Example Server
$ cabal run example
# Fail auth
$ curl localhost:3000
# Use client module for successful auth
cd client/ && cabal run example
Issues
Feel free to submit issues on the issues:Issue Tracker
Specification
There is no official specification for utilizing HMAC Authentication over HTTP. This implementation loosely follows the implementation used by Amazon AWS.
Most implementations support HEADER values or QUERY parameters. This implementation currently only supports HEADER values, although, QUERY parameter support is in the works.
Query parameters support encoding URL’s which can then be shared as opposed to needing a specific client that can encode the request headers.
Resources
Negotiation:
- Client constructs a request to the server.
- Client calculates a keyed-hash message authentication code (HMAC-SHA) signature using your Secret Access Key (for information about HMAC, go to http://www.faqs.org/rfcs/rfc2104.html).
- Client includes the signature and their access key in the request, and then sends the request to the server.
- Server uses the access key to look up the secret key.
- Server generates a signature from the request data and the secret key using the same algorithm the client used to calculate the signature.
- If the signature generated by the Server matches the one Client sent in the request, the request is considered authentic. If the comparison fails, the request is discarded, and AWS returns an error response.
Wishlist
- [ ] Streaming (http-conduit) support in client
- [ ] Read server and client settings from config file or env
- [ ] Query parameter configuration
- [ ] Signing algorithm negotiation
- [ ] Authentication timeout setting
- [ ] Signed headers settings (HTTP headers to include in HMAC signature)
- [ ] Configure acceptable date skew
- [ ] Canonicalize query string with resource