HMAC Authentication

Topics: ASP.NET Web API
May 26, 2012 at 5:49 PM

I am curious if there are any plans or interest in supporting an HMAC-based authentication scheme with WebApi. I created an HttpModule that implements HMAC in a manner similar to what Amazon S3 does that I could contribute back or create a separate codeplex project for. The only challenge with this might be integrating it with the ASP.NET forms authentication design, which is based on authenticating users. With HMAC, you are authenticating access by verifying the signature generated by the client using a shared secret key. In this case, the client is typically a service which isn't necessarily making calls on behalf of a given user. You can of course treat the caller as a user using GenericPrincipal/GenericIdentity, but it doesn't seem ideal. Thoughts?

May 29, 2012 at 6:21 PM

I think it is OK to model the caller identity as a principal (a principal is a more generic term than 'user').

For Web API you should implement that as a message handler, since this is hosting independent (as opposed to an HTTP module).

Have a look here:

https://github.com/thinktecture/Thinktecture.IdentityModel.Http

and

http://leastprivilege.com/2012/05/26/thinktecture-identitymodel-and-asp-net-web-api/
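As an added example, not code from this thread or from the Thinktecture project linked above, here is one way the S3-style scheme described in the first post could be implemented as the message handler the reply recommends: the client signs a canonical string (method, path, query, timestamp, body hash) with a shared secret, and a DelegatingHandler recomputes and verifies the signature before setting a principal for the caller. The header names, the `HMAC keyId:signature` Authorization format, the key lookup delegate and the `ApiClient` role are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Added example, not code from the thread or from Thinktecture.IdentityModel.
// Header names, the "HMAC keyId:signature" Authorization format and the key store are assumptions.
public static class HmacSigner
{
    // The canonical string binds the signature to method, path, query, timestamp and body hash.
    public static string CanonicalString(HttpMethod method, Uri uri, string timestamp, string bodyHash)
    {
        return string.Join("\n", method.Method, uri.AbsolutePath, uri.Query, timestamp, bodyHash);
    }

    public static string Sign(byte[] secret, string canonical)
    {
        using (var hmac = new HMACSHA256(secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    public static string HashBody(byte[] body)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(body ?? new byte[0]));
    }

    // Client side: compute and attach the headers a caller sends.
    public static async Task SignRequestAsync(HttpRequestMessage request, string keyId, byte[] secret)
    {
        var body = request.Content == null ? new byte[0] : await request.Content.ReadAsByteArrayAsync();
        var timestamp = DateTime.UtcNow.ToString("o");
        var bodyHash = HashBody(body);
        request.Headers.Add("X-Timestamp", timestamp);
        request.Headers.Add("X-Content-SHA256", bodyHash);
        var signature = Sign(secret, CanonicalString(request.Method, request.RequestUri, timestamp, bodyHash));
        request.Headers.Authorization = new AuthenticationHeaderValue("HMAC", keyId + ":" + signature);
    }

    // Constant-time comparison so the verifier does not leak how many leading bytes matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Server side: a message handler, host-independent as the reply above recommends.
public class HmacAuthenticationHandler : DelegatingHandler
{
    private static readonly TimeSpan MaxClockSkew = TimeSpan.FromMinutes(5);
    private readonly Func<string, byte[]> _lookupSecret; // keyId -> shared secret, null if unknown (assumed store)

    public HmacAuthenticationHandler(Func<string, byte[]> lookupSecret) { _lookupSecret = lookupSecret; }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        IEnumerable<string> timestamps, hashes;
        if (auth == null || auth.Scheme != "HMAC" || string.IsNullOrEmpty(auth.Parameter)
            || !request.Headers.TryGetValues("X-Timestamp", out timestamps)
            || !request.Headers.TryGetValues("X-Content-SHA256", out hashes))
            return Reject(request);

        var parts = auth.Parameter.Split(new[] { ':' }, 2);
        var secret = parts.Length == 2 ? _lookupSecret(parts[0]) : null;
        if (secret == null) return Reject(request);

        // Reject stale timestamps so a captured request cannot be replayed indefinitely
        // (a nonce cache is still needed to stop replay inside the window).
        string timestamp = null, claimedHash = null;
        foreach (var t in timestamps) timestamp = t;
        foreach (var h in hashes) claimedHash = h;
        DateTime sent;
        if (!DateTime.TryParse(timestamp, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out sent)
            || (DateTime.UtcNow - sent.ToUniversalTime()).Duration() > MaxClockSkew)
            return Reject(request);

        // Recompute the body hash from the actual content rather than trusting the header.
        var body = request.Content == null ? new byte[0] : await request.Content.ReadAsByteArrayAsync();
        var actualHash = HmacSigner.HashBody(body);
        var expected = HmacSigner.Sign(secret, HmacSigner.CanonicalString(request.Method, request.RequestUri, timestamp, actualHash));
        if (actualHash != claimedHash
            || !HmacSigner.FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(parts[1])))
            return Reject(request);

        // The caller is modelled as a principal (as the reply suggests), not as a forms-auth user.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(parts[0], "HMAC"), new[] { "ApiClient" });
        return await base.SendAsync(request, cancellationToken);
    }

    private static HttpResponseMessage Reject(HttpRequestMessage request)
    {
        var response = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request };
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("HMAC"));
        return response;
    }
}
```

The handler is registered with `config.MessageHandlers.Add(new HmacAuthenticationHandler(keyId => store.Lookup(keyId)))`, where `store` is whatever holds the per-client secrets (an assumption here). Two design points worth noting: the signature is compared in constant time because the HMAC value is derived from the secret, and the body hash is recomputed on the server because a header value alone proves nothing about the bytes that actually arrived. The timestamp window bounds how long a captured request stays valid but does not stop a replay inside that window; a short-lived nonce cache keyed on (keyId, timestamp, signature) closes that gap. Amazon S3 canonicalizes headers and query parameters more elaborately than this example does, so a client library for a real S3-compatible scheme would need that additional normalization.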