Has anyone integrated HAWK authentication with an Apigee Edge API Proxy?

Looking for a sample API Proxy for Hawk authentication. Any help is appreciated.

PS: Posted on behalf of @Sarvana kumar rajagopal

1 REPLY

I haven't used HAWK, but here is a GitHub repo that does Http Signature and, separately, HMAC.

I have used the Http Signature along with a simple SHA256 Digest of the payload. The way it works:

  • client computes sha256 of the UTF-8 encoding of the payload, inserts a header called 'digest'
  • client uses ['(request-target)', 'date', 'digest'] as the headers to sign, uses client_secret to compute HMAC-256
  • client sends request containing Authorization header with HTTP Signature, plus Digest header containing message digest
  • Server (Apigee Edge proxy) verifies and validates the signature
  • Server verifies and validates the digest

Computing and verifying the digest (unkeyed MAC, aka Hash) on the server is handled by a separate callout. Putting it all together, the flow looks like this:

<PreFlow>
  <Request>
    <Step>
      <Name>RF-MissingAuthzHeader</Name>
      <Condition>request.header.authorization = null</Condition>
    </Step>
    <Step>
      <Name>Java-ParseHttpSignature</Name>
    </Step>
    <Step>
      <Name>VerifyApiKey-1</Name>
    </Step>
    <Step>
      <Name>Java-VerifyHttpSignature</Name>
    </Step>
    <Step>
      <Name>Extract-Digest-SHA256</Name>
    </Step>
    <Step>
      <Name>Java-VerifyHash-SHA256</Name>
    </Step>
    <Step>
      <Name>AM-InjectRequestHeaders</Name>
    </Step>
  </Request>
</PreFlow>
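The five steps in the reply above, client side and server side, as an added Python example that is not from the original post or the repo it mentions. It assumes the draft-cavage `Signature` Authorization format and a `SHA-256=<base64>` digest value; the function names are hypothetical, and the key ID, secret and date used with it are constructed sample values.

```python
import base64, hashlib, hmac, re

SIGNED = ["(request-target)", "date", "digest"]  # headers the client signs

def digest_header(body):
    # Unkeyed SHA-256 over the UTF-8 payload (assumed "SHA-256=<base64>" form)
    raw = hashlib.sha256(body.encode("utf-8")).digest()
    return "SHA-256=" + base64.b64encode(raw).decode()

def signing_string(method, path, headers, names):
    lines = []
    for n in names:
        value = f"{method.lower()} {path}" if n == "(request-target)" else headers[n]
        lines.append(f"{n}: {value}")
    return "\n".join(lines)

def hmac_b64(secret, text):
    mac = hmac.new(secret.encode(), text.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def sign_request(method, path, body, key_id, secret, date):
    """Client: add digest, sign the three headers with client_secret."""
    headers = {"date": date, "digest": digest_header(body)}
    sig = hmac_b64(secret, signing_string(method, path, headers, SIGNED))
    covered = " ".join(SIGNED)
    headers["authorization"] = (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
                                f'headers="{covered}",signature="{sig}"')
    return headers

def verify_request(method, path, headers, body, secrets):
    """Server: parse, look up secret by keyId, verify signature, then digest."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Signature "):
        return False                      # missing or wrong Authorization header
    params = dict(re.findall(r'(\w+)="([^"]*)"', auth))
    names = params.get("headers", "").split()
    secret = secrets.get(params.get("keyId"))
    if secret is None or params.get("algorithm") != "hmac-sha256":
        return False
    # The signature must cover digest, or the body is not bound to the MAC.
    if not set(SIGNED) <= set(names):
        return False
    if any(n != "(request-target)" and n not in headers for n in names):
        return False
    expected = hmac_b64(secret, signing_string(method, path, headers, names))
    if not hmac.compare_digest(expected.encode(), params.get("signature", "").encode()):
        return False
    # Date freshness (replay window) is not checked in this example.
    return hmac.compare_digest(digest_header(body).encode(), headers["digest"].encode())
```

The server-side order mirrors the PreFlow: parse the signature, resolve the secret from the key, verify the signature, then verify the payload hash.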