Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HMAC Authenticator #936

Closed
5 of 6 tasks
jnodorp-jaconi opened this issue Mar 14, 2022 · 1 comment
Closed
5 of 6 tasks

HMAC Authenticator #936

jnodorp-jaconi opened this issue Mar 14, 2022 · 1 comment
Labels
rfc A request for comments to discuss and share ideas.

Comments

@jnodorp-jaconi
Copy link
Contributor

jnodorp-jaconi commented Mar 14, 2022
edited
Loading

Preflight checklist

Context and scope

We want to place a service that uses HMAC signed tokens for authentication behind Oathkeeper. HMAC signed tokens works similar to JWT, but use a shared key instead of public key cryptography. I suggest adding an additional authenticator supporting HMAC signed tokens.

Goals and non-goals

HMAC signed tokens are not standardized. The initial implementation should provide some flexibility to support the most common configurations. However, more complex configurations should only be added if explicitly requested, keeping the code as simple as possible. For example: different hashing algorithms and different names for the expiration field are common, while non JSON payload formats are not.

The design

A new HMAC authenticator has to be added. The HMAC authenticator accepts tokens of the following format:

base64(<payload>.base64(hmac(<algorithm>, <payload>, <key>)))

If the payload is JSON formatted, the authenticator can optionally extract (and validate) an expiration timestamp from the payload.

The authenticator configuration should look like this:

algorithm: SHA-256 # the hash algorithm to use (for example, SHA-256)
key: s3cr3t # the shared secret
expiration_from: exp # the JSON payload field containing the expiration as UNIX millis
token_from: # same as for other authenticators

APIs

No response

Data storage

No response

Code and pseudo-code

Draft: https://github.com/ory/oathkeeper/compare/master...jaconi-io:hmac?expand=1

Degree of constraint

The new HMAC authenticator should be implemented the same way other authenticators are already implemented in Oathkeeper.

Alternatives considered

We built a custom OAuth 2.0 Token Introspection endpoint and used the oauth2_introspection authenticator to validate our HMAC signed tokens. However, the additional network roundtrip (and the respective performance impact) could be avoided when adding support for HMAC signed tokens to Oathkeeper.
@jnodorp-jaconi jnodorp-jaconi added the rfc A request for comments to discuss and share ideas. label Mar 14, 2022
@aeneasr
Copy link
Member

aeneasr commented Apr 11, 2022

Thank you for the request. Unfortunately, we can't accept non-standardized methods in Ory Oathkeeper. If we do, we would end up with a lot of different mechanisms for authentication, some of them with potentially very severe security flaws. If you use non-standardized tokens, please consider using the bearer_token or the soon to be released request forwarding authenticator: #949

Thank you for your understanding!

@aeneasr aeneasr closed this as completed Apr 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
rfc A request for comments to discuss and share ideas.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aeneasr @jnodorp-jaconi