In the ServiceStack.Webhooks project, if a subscribers' callback wants to be secured, then a subscriber registers a 'secret' in their webhook subscription. (following the GitHub webhooks pattern).
When events are published to them, the request includes a HMAC signature (using the secret as the key) in the headers (X-Hub-Signature).
A subscriber is then required to check the signature against their secret and the payload to authenticate the publisher of the event. Pretty standard web security stuff.Github Description
What I wanted to know is if there is anything in ServiceStack universe right now that would make implementing this easier?
HMACAuthProvider of some kind. I know there are some crypto extension methods in ServiceStack we can use to calculate signatures perhaps. Is there anything else? Or suggested approaches to make this easier?
Please see docs for all available Auth Providers, there is no HMAC AuthProvider but I don't expect it would be reusable outside its intended User Authentication if there was.
Clients can use the Encrypted Messaging Feature if they want message-level encryption for calling Services using the Encrypted Service Client.
Otherwise the built-in encryption features in ServiceStack utilize the generic primitives in CryptUtils, e.g. they contain HmacUtils for signing and verifying arbitrary bytes using AES Crypt/Auth keys.