I'm new to server authentication. I'd like a simple way to have a server Main receive REST commands (GET, POST, etc.) from other servers (e.g., A and B) in a secure manner.

I read about oAuth2 and oAuth1.0a but I think having a "resource" server and refresh tokens, etc. is an overkill. The simplest two ways I could find are:

• Have servers A and B generate a key pair, give the public keys to the server Main beforehand (or have it accessible through a /publickey route), use digital signatures to sign a nonce every time an HTTP request goes from A->Main or B->Main, and have Main check if the DS is correct.
• Do the above, but use symmetric keys, IDs and HMACs (i.e., Main knows that A has key XXX, so when it receives a request claiming it's from A, it'll run an HMAC on the received nonce and compare it with the received HMAC)

Please assume that all of the above is done over HTTP, so MITM is a true issue

I found the following references that point to something similar, but I'd really like an 'official' protocol, that's vetted and guaranteed to be cryptographically-sane:

• https://wiki.c2.com/?HmacUserAuthentication
• https://github.com/acquia/http-hmac-spec
• https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html

CodePudding user response：

I ended up doing a modified version of Amazon AWS S3 service API authentication. This works just fine. The cost is that there's an HMAC calculated with every request, and the request body has to be used twice.