A request authentication plugin implementing IETF HTTP Message Signatures

requests-http-message-signatures: A Requests auth module for HTTP Signature

requests-http-message-signatures is a Requests authentication plugin (requests.auth.AuthBase subclass) implementing the IETF HTTP Signatures draft RFC. It has no required dependencies outside the standard library. If you wish to use algorithms other than HMAC (namely, RSA and ECDSA algorithms specified in the RFC), there is an optional dependency on cryptography.

Installation

$ pip install requests-http-message-signatures

Usage

  import requests
  from requests_http_signature import HTTPSignatureAuth
  
  preshared_key_id = 'squirrel'
  preshared_secret = 'monorail_cat'
  url = 'http://example.com/path'
  
  requests.get(url, auth=HTTPSignatureAuth(key=preshared_secret, key_id=preshared_key_id))

By default, only the Date header is signed (as per the RFC) for body-less requests such as GET. The Date header is set if it is absent. In addition, for requests with bodies (such as POST), the Digest header is set to the SHA256 of the request body and signed (an example of this appears in the RFC). To add other headers to the signature, pass an array of header names in the headers keyword argument.

In addition to signing messages in the client, the class method HTTPSignatureAuth.verify() can be used to verify incoming requests:

  def key_resolver(key_id, algorithm):
      return 'monorail_cat'

  HTTPSignatureAuth.verify(request, key_resolver=key_resolver)
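What the signature covers and what a verifier has to check, as a standard-library sketch added here (not the package's own code). It assumes the draft's signing-string format and HMAC-SHA256; the helper names (body_digest, signing_string, sign, verify, demo) and the sample request are constructed, and it goes beyond the default by also showing the draft's (request-target) pseudo-header, which covers method and path.

```python
import base64
import hashlib
import hmac

def body_digest(body: bytes) -> str:
    # Digest header value: SHA-256 of the body, base64-encoded
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(method, path, headers, covered):
    """One 'name: value' line per covered header, in order, joined by newlines."""
    lines = []
    for name in covered:
        if name == "(request-target)":  # pseudo-header covering method and path
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name.lower()}: {headers[name.lower()]}")
    return "\n".join(lines).encode()

def sign(secret, method, path, headers, covered):
    mac = hmac.new(secret, signing_string(method, path, headers, covered), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify(secret, method, path, headers, body, covered, signature):
    # A body must be covered through a signed Digest that matches the received bytes.
    if body and "digest" not in covered:
        return False
    if "digest" in covered and not hmac.compare_digest(
            headers.get("digest", "").encode(), body_digest(body).encode()):
        return False
    try:
        expected = sign(secret, method, path, headers, covered)
    except KeyError:  # a covered header is missing from the request
        return False
    return hmac.compare_digest(expected.encode(), signature.encode())

SECRET = b"monorail_cat"  # the page's sample secret; everything below is constructed
BODY = b'{"amount": 10}'
HEADERS = {"date": "Tue, 07 Jun 2022 20:51:35 GMT", "digest": body_digest(BODY)}
DEFAULT = ["date", "digest"]                    # what the page says is signed for POST
BOUND = ["(request-target)", "date", "digest"]  # additionally binds method and path

def demo():
    sig = sign(SECRET, "POST", "/path", HEADERS, DEFAULT)
    return {
        "valid": verify(SECRET, "POST", "/path", HEADERS, BODY, DEFAULT, sig),
        "tampered_body": verify(SECRET, "POST", "/path", HEADERS, b'{"amount": 9999}', DEFAULT, sig),
        "other_path_default": verify(SECRET, "POST", "/other", HEADERS, BODY, DEFAULT, sig),
        "other_path_bound": verify(SECRET, "POST", "/other", HEADERS, BODY, BOUND,
                                   sign(SECRET, "POST", "/path", HEADERS, BOUND)),
    }
```

demo() shows that the default Date and Digest coverage rejects a changed body but still accepts the same signature on a different path; covering (request-target) as well makes that second case fail.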

Asymmetric key algorithms (RSA and ECDSA)

For asymmetric key algorithms, you should supply the private key as the key parameter to the HTTPSignatureAuth() constructor as bytes in the PEM format:

  with open('key.pem', 'rb') as fh:
      requests.get(url, auth=HTTPSignatureAuth(algorithm="rsa-sha256", key=fh.read(), key_id=preshared_key_id))

When verifying, the key_resolver() callback should provide the public key as bytes in the PEM format as well.

Bugs

Please report bugs, issues, feature requests, etc. on our issue tracker.

License

Licensed under the terms of the Apache License, Version 2.0.

File details

Details for the file requests-http-message-signatures-0.3.0.dev3.tar.gz.

File hashes

Hashes for requests-http-message-signatures-0.3.0.dev3.tar.gz
Algorithm Hash digest
SHA256 b8313f1fc35948e3b86316b744763936df9ba2b74753837c4ac22362b15bf5e7
MD5 9bfd42f1045979f583c06e7d9edd3b56
BLAKE2b-256 3bf034f938e38e5ec37c355c0d6a73c4d9847432685b3e1c6e9699ac057a90bc

File details

Details for the file requests_http_message_signatures-0.3.0.dev3-py3-none-any.whl.

File hashes

Hashes for requests_http_message_signatures-0.3.0.dev3-py3-none-any.whl
Algorithm Hash digest
SHA256 ef10bafcc9fc78ba03f86622d309c6f57a335bde8d4f94eefa4cd8fc2081b8f5
MD5 e38437ffcbba3475872896f79dde79aa
BLAKE2b-256 1c687f46c38323cbfcebefb117844e0995b5a7eba2eec73eb0e8e70e619bff54
