Signing HTTP Requests and Responses Dave Tonge, OAuth Security - - PowerPoint PPT Presentation

signing http requests and responses
SMART_READER_LITE
LIVE PREVIEW

Signing HTTP Requests and Responses Dave Tonge, OAuth Security - - PowerPoint PPT Presentation

Aug 14, 2022 308 likes •370 views

Signing HTTP Requests and Responses Dave Tonge, OAuth Security Workshop 2019 Use case: Non-repudiation for backend JSON API calls Example 1: A payment request sent as a JSON payload to an API endpoint Example 2: A JSON API response from

slide-1
SLIDE 1

Signing HTTP Requests and Responses

Dave Tonge, OAuth Security Workshop 2019

slide-2
SLIDE 2

Use case: Non-repudiation for backend JSON API calls

slide-3
SLIDE 3

Example 1: A payment request sent as a JSON payload to an API endpoint Example 2: A JSON API response from a bank containing the financial information.

slide-4
SLIDE 4
  • 1. Just use a JWT (maybe with

content-negotiation)

  • 2. Detached JWT (RFC7515 appendix-F)
  • 3. Detached JWT unencoded payload (RFC7797)
  • 4. Unencoded JWS JSON Serialization (RFC7797)
  • 5. Draft-Cavage-HTTP-Signing combined with

RFC7235 (Auth header) and RFC3230 (Digests)

  • 6. JSON Canonicalisation + SHREQ
slide-5
SLIDE 5

Scheme Self- Contrained Human Readable Deals with accidental body corruption Deals with accidental header corruption Uses JOSE JWT Detached JWT Detached Unencoded Unencoded JSON Serialisation Draft Cavage JCS + SHREQ

Core Hubs:
All Converters PDF Hub Video Hub Audio Hub Image Hub File Compressor