 

Is HMAC necessary if all API calls are made through https?


If all API calls are sent through HTTPS, does HMAC add any extra security? For example, in OAuth 2, the client sends its secret key to the provider without any hashing whatsoever. Is this considered secure because it's over HTTPS? While not strictly OAuth, would using HMAC on this call make OAuth 2 more secure? If so, why isn't that a standard part of OAuth 2?

Philippe Huibonhoa asked Jun 26 '12 08:06





1 Answer

The OAuth 2 standard requires that the authorization server MUST use HTTPS on all of its endpoints and the client SHOULD use a callback protected with HTTPS. Since message contents (headers, query parameters and fragments, considering OAuth) are known only by the server and the client, usage of an HTTPS connection is considered to be safe. Thus there's no gain in using a separate signature for the authorization request; that's why such signatures are not even mentioned in the standard.

This does not necessarily hold for the response, though. If the client receives the authorization response on an unprotected callback, then it cannot verify its validity. In such cases, an attacker can send arbitrary authorization results to the client. By adding a signature over the callback parameters, you may avoid this. However, it seems to be a better solution to use mutual client/server authentication with an HTTPS callback instead.

While there's no real gain using signatures during authorization, they may be useful to access protected resources to avoid stealing access tokens. This is why the MAC token type is in the standard, see section 7.1.

Zólyomi István answered Sep 28 '22 08:09

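As an added example (not code from the answer or from the OAuth specification), this sketches the MAC-style protected-resource signing the answer points to in section 7.1: the client proves possession of a MAC key without sending it, and the server rejects altered or re-submitted requests, which a plain bearer token over HTTPS cannot do once it has been captured. The normalized-string layout and the names `sign_request` and `ResourceServer` are assumptions for illustration, not the draft's exact wire format.

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample credentials: the MAC key is issued alongside the access
# token out of band and never travels on the wire (assumption for the demo).
MAC_KEY_ID = "demo-key-id"
MAC_KEY = b"constructed-demo-mac-key"


def normalize(ts, nonce, method, path, host):
    # Canonical request string: every field the server must see unmodified.
    return f"{ts}\n{nonce}\n{method.upper()}\n{path}\n{host}\n".encode()


def sign_request(method, path, host, key=MAC_KEY, key_id=MAC_KEY_ID,
                 ts=None, nonce=None):
    """Client side: build Authorization parameters carrying a MAC, not the key."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(key, normalize(ts, nonce, method, path, host),
                   hashlib.sha256).hexdigest()
    return {"id": key_id, "ts": ts, "nonce": nonce, "mac": mac}


class ResourceServer:
    """Server side: verify the MAC, enforce freshness and reject replays."""

    def __init__(self, keys, max_skew=300):
        self.keys = keys          # key_id -> MAC key
        self.max_skew = max_skew  # seconds of clock drift tolerated
        self.seen = set()         # (key_id, ts, nonce) already accepted

    def verify(self, header, method, path, host, now=None):
        now = int(time.time()) if now is None else now
        key = self.keys.get(header["id"])
        if key is None or abs(now - header["ts"]) > self.max_skew:
            return False          # unknown key or stale timestamp
        expected = hmac.new(key, normalize(header["ts"], header["nonce"],
                                           method, path, host),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, header["mac"]):
            return False          # request was altered or signed with another key
        replay_id = (header["id"], header["ts"], header["nonce"])
        if replay_id in self.seen:
            return False          # identical request submitted twice
        self.seen.add(replay_id)
        return True
```

Because the MAC binds method, path and host, a recorded request only ever authorizes that one request once; the timestamp and nonce bound how long a replay window the server has to remember.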