Implement request signing

[llucax]

What's needed?

Services will soon start require requests to be signed, so client should be able to do this signing.

Proposed solution

Implement signing requests somehow in ApiClientBase or utility functions/classes like GrpcStreamBroadcaster or call_stub_method. Ideally signing should be as transparent as possible to client implementers.

Signing works as follows:

Signature parts

The following request parts are used to generate the signature:

• The user's API key (Metadata key: key)
• The user's secret must be provided to the client, loaded from a file, env vars, etc.
• The timestamp that the client sent the request (Metadata key: ts)
• A one-time cryptographic random number called "nonce" generated for each request by the client (Metadata key: nonce)
• The name of the requested gRPC method.
• The serialized message body.

The signature is stored in the metadata key sig.

Algorithm

The algorithm uses HMAC with SHA-256 as the hashing algorithm. The resulting signature is encoded using URL-safe base64 without padding.

The algorithm can be outlined in pseudocode as follows:

hmac = Hmac(Sha256)
hmac.update(key)
hmac.update(secret)
hmac.update(ts)
hmac.update(nonce)
hmac.update(rpc_method)
hmac.update(msg_body)
signature = hmac.finalize()
encoded_sig = base64.url_safe_no_pad(signature)

Resources

• Authentication Extension example for Google's grpc