Forum Discussion

stevendesu
3 years ago

How to define a secret key / signature based security scheme?

Skimming the Swagger documentation for authentication / authorization schemes in OAS 3.0, I don't see a clear way to define my API as utilizing signature-based authentication.


I have an API where all requests must be passed two properties: `api_key` (which uniquely defines the user) and `signature` (which is computed using the request path, query string, and a secret key). The server keeps a copy of their secret key and generates the same signature using the same process, then compares the two signatures. This way, unlike API key auth (where the full authentication credentials are passed over the internet, hopefully secured by HTTPS), there is never enough information passed for a man-in-the-middle to trivially forge requests (other than replay attacks using the exact same request).


I feel like signature-based authentication isn't so rare as to be excluded from the OpenAPI specification. AWS uses signature-based authentication for almost all of their services! Is there a way to define this as a security scheme? Or is this a missing feature from the spec?
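The scheme described in the post, sketched as an added example that is not part of the original post or of any real API. It assumes HMAC-SHA256 over the path plus the sorted query string, with `api_key` and `signature` sent as query parameters; the helper names, the key store and the sample values are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample data: hypothetical key store mapping api_key -> secret key.
SECRETS = {"user-123": b"constructed-demo-secret"}


def canonical_message(path, params):
    """Path plus query string, parameters sorted, `signature` itself excluded."""
    items = sorted((k, v) for k, v in params if k != "signature")
    return (path + "?" + urlencode(items)).encode()


def sign_url(url, api_key, secret):
    """Client side: append api_key and the computed signature to a request URL."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True) + [("api_key", api_key)]
    sig = hmac.new(secret, canonical_message(parts.path, params), hashlib.sha256).hexdigest()
    return parts.path + "?" + urlencode(params + [("signature", sig)])


def verify_url(url):
    """Server side: recompute the signature from the stored secret and compare."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    api_keys = [v for k, v in params if k == "api_key"]
    sigs = [v for k, v in params if k == "signature"]
    # Reject missing or duplicated auth parameters instead of guessing which to trust.
    if len(api_keys) != 1 or len(sigs) != 1:
        return False
    secret = SECRETS.get(api_keys[0])
    if secret is None:
        return False
    expected = hmac.new(secret, canonical_message(parts.path, params), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes: no early exit on the first mismatching
    # character, and no TypeError if the supplied signature is non-ASCII.
    return hmac.compare_digest(expected.encode(), sigs[0].encode())
```

Because the signed message contains nothing that changes between requests, an identical request verifies every time it is presented, which is the replay case the post mentions; a signed timestamp or nonce checked by the server would be needed to reject repeats.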
