I'm new to server authentication. I'd like a simple way to have a server Main receive REST commands (GET, POST, etc.) from other servers (e.g., A and B) in a secure manner.
I read about oAuth2 and oAuth1.0a but I think having a "resource" server and refresh tokens, etc. is an overkill. The simplest two ways I could find are:
- Have servers A and B generate a key pair, give the public keys to the server Main beforehand (or have it accessible through a /publickey route), use digital signatures to sign a nonce every time an HTTP request goes from A->Main or B->Main, and have Main check if the DS is correct.
- Do the above, but use symmetric keys, IDs and HMACs (i.e., Main knows that A has key XXX, so when it receives a request claiming it's from A, it'll run an HMAC on the received nonce and compare it with the received HMAC).
Please assume that all of the above is done over HTTP, so MITM is a true issue.
I found the following references that point to something similar, but I'd really like an 'official' protocol, that's vetted and guaranteed to be cryptographically-sane:
- https://wiki.c2.com/?HmacUserAuthentication
- https://github.com/acquia/http-hmac-spec
- https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
CodePudding user response:
I ended up doing a modified version of Amazon AWS S3 service API authentication. This works just fine. The cost is that there's an HMAC calculated with every request, and the request body has to be used twice.
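Added example (not the answerer's code) of the SigV4-style scheme the answer describes: the client builds a canonical request that covers method, path, query, signed headers and a SHA-256 digest of the body, HMACs it with a shared secret, and Main recomputes it, checks a timestamp window, rejects replayed nonces and compares in constant time. The key ID, header names and secret below are constructed assumptions; over plain HTTP this gives authenticity and integrity, not confidentiality.

```python
import hashlib, hmac, os, time

# Constructed key store: key ID -> shared secret (assumed values, not from the post)
KEYS = {"server-A": b"constructed-secret-for-A"}
SEEN_NONCES = set()   # replay cache; a real deployment expires entries after MAX_SKEW
MAX_SKEW = 300        # seconds a signed request stays acceptable

def canonical_string(method, path, query, headers, body):
    """SigV4-style canonical request: method, path, sorted query, sorted signed
    headers, and the hex SHA-256 of the body (so the body is covered by the MAC
    without being embedded in the string, which is why it is read twice)."""
    q = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    h = "\n".join(f"{k.lower()}:{headers[k].strip()}" for k in sorted(headers, key=str.lower))
    return "\n".join([method.upper(), path, q, h, hashlib.sha256(body).hexdigest()])

def sign(key_id, secret, method, path, query, body, now=None, nonce=None):
    """Client side (server A): returns the headers to attach to the request."""
    headers = {"X-Key-Id": key_id,
               "X-Timestamp": str(int(now or time.time())),
               "X-Nonce": nonce or os.urandom(16).hex()}
    mac = hmac.new(secret, canonical_string(method, path, query, headers, body).encode(),
                   hashlib.sha256).hexdigest()
    headers["Authorization"] = f"HMAC-SHA256 {mac}"
    return headers

def verify(method, path, query, headers, body, now=None):
    """Server side (Main): True only if the key is known, the timestamp is fresh,
    the nonce is unused and the recomputed HMAC matches."""
    now = now or time.time()
    try:
        key_id, ts = headers["X-Key-Id"], int(headers["X-Timestamp"])
        nonce, auth = headers["X-Nonce"], headers["Authorization"]
    except (KeyError, ValueError):
        return False
    secret = KEYS.get(key_id)
    if secret is None or abs(now - ts) > MAX_SKEW or nonce in SEEN_NONCES:
        return False
    signed = {k: v for k, v in headers.items() if k != "Authorization"}
    expected = hmac.new(secret, canonical_string(method, path, query, signed, body).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest("HMAC-SHA256 " + expected, auth):
        return False
    SEEN_NONCES.add(nonce)   # record only after a successful check
    return True
```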