Support for HTTP Signatures
jricher opened this issue · 0 comments
Support for the HTTP Message Signatures draft specification would require the specification of the algorithms, key types, and required covered content for a signature. The following examples show what a possible syntax could look like for the new OAS security model proposed in OAI/OpenAPI-Specification#2582.
This example shows how it could be defined for an example API requiring signed requests with an RSA PSS signature and the caller's key identifier and a set of required components on the request including the method, url, and several headers.
components:
securitySchemes:
photoApi:
type: httpsig
credentials:
- in: header
name: signature-input
- in: header
name: signature
config:
- alg: rsa-pss-sha512
keyid: <your key id here>
coveredComponents:
- @method
- content-digest
- content-type
- target-uri
requiredParameters:
- nonce
- createdAs I'm not sure how to show placeholder values, I'm using things like <your key id> here.
As a corrollary, it would be useful to specify the algorithm and use of digest headers like Content-Digest, which protects the body, and Client-Cert, which contains the TLS client certificate.
This proposed syntax is just one possible idea, and I'm looking for feedback on how this could be made to fit the OAS model better.
Addresses #6