daveoncode

Reputation: 19618

HTTP Authorization and WWW-Authenticate headers

I'm developing a REST API and now I would like to introduce an authentication/authorization system. After a long research I decided to implement an HTTP authentication with HMAC, something very similar to the Amazon implementation. But I don't understand how the scheme works... For example, Amazon makes use of a custom "AWS" scheme... is the scheme name arbitrary? (Can I define any name for it, like "foo", "bar", "my_api_scheme" and so on?)

My guess is that it's possible to choose a scheme name of any type, provided that the same name is used in the WWW-Authenticate header. So if I want to create a "my_api" scheme I would return a 401 http response with:

WWW-Authenticate: my_api realm="user.mysite.com"

and in the request:

Authorization: my_api hash_signature

Am I right, or is it not so simple?

Upvotes: 4

Views: 3182

Answers (1)

MvdD

Reputation: 23504

Yes, what you propose is correct. You should probably base64 encode the hash_signature. You can find how the AWS authentication scheme works here.

Whether it's a good idea to write your own authentication logic is another question. I'd advise you to look into something like Hawk, which does what you want and is maintained by people who are subject matter experts.

Upvotes: 2
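The exchange the question describes (a 401 carrying `WWW-Authenticate: my_api realm="user.mysite.com"`, then `Authorization: my_api <signature>`), with the base64-encoded HMAC the answer recommends, as an added example that is not part of the original post. The `key_id:signature` credential layout, the parts of the request that get signed, and the secret store are assumptions for this example (modelled loosely on the AWS form), not a standard.

```python
import base64
import binascii
import hashlib
import hmac

SCHEME = "my_api"            # custom scheme name from the question
REALM = "user.mysite.com"    # realm from the question

# Constructed sample credential store: key id -> shared secret (hypothetical values).
SECRETS = {"client-1": b"constructed-shared-secret"}


def challenge_header() -> str:
    """Server side: the WWW-Authenticate value sent with a 401 to announce the scheme."""
    return f'{SCHEME} realm="{REALM}"'


def string_to_sign(method: str, path: str, date: str) -> bytes:
    # Assumption: sign method, path and a Date value so the signature is bound to
    # this request and a captured header cannot be replayed indefinitely.
    return "\n".join([method, path, date]).encode()


def sign(key_id: str, secret: bytes, method: str, path: str, date: str) -> str:
    """Client side: build the Authorization header value (HMAC-SHA256, base64)."""
    mac = hmac.new(secret, string_to_sign(method, path, date), hashlib.sha256).digest()
    return f"{SCHEME} {key_id}:{base64.b64encode(mac).decode()}"


def verify(header: str, method: str, path: str, date: str) -> bool:
    """Server side: parse the Authorization header and recompute the signature."""
    try:
        scheme, credentials = header.split(" ", 1)
        key_id, sig_b64 = credentials.split(":", 1)
        presented = base64.b64decode(sig_b64, validate=True)
    except (ValueError, binascii.Error):
        return False                      # malformed header: reject, do not raise
    if scheme != SCHEME or key_id not in SECRETS:
        return False
    expected = hmac.new(SECRETS[key_id], string_to_sign(method, path, date),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    hdr = sign("client-1", SECRETS["client-1"], "GET", "/items/1", "Tue, 01 Jan 2030 00:00:00 GMT")
    print(challenge_header())
    print(hdr, verify(hdr, "GET", "/items/1", "Tue, 01 Jan 2030 00:00:00 GMT"))
```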
