HMAC AuthProvider for Webhooks

In the ServiceStack.Webhooks project, if a subscriber’s callback wants to be secured, then a subscriber registers a ‘secret’ in their webhook subscription (following the GitHub webhooks pattern).

When events are published to them, the request includes a HMAC signature (using the secret as the key) in the headers (X-Hub-Signature).
A subscriber is then required to check the signature against their secret and the payload to authenticate the publisher of the event. Pretty standard web security stuff. (GitHub description)

What I wanted to know is if there is anything in ServiceStack universe right now that would make implementing this easier?

Ideally a HMACAuthProvider of some kind. I know there are some crypto extension methods in ServiceStack we can use to calculate signatures perhaps. Is there anything else? Or suggested approaches to make this easier?


Please see the docs for all available Auth Providers. There is no HMAC AuthProvider, but I don’t expect it would be reusable outside its intended User Authentication if there was.

Clients can use the Encrypted Messaging Feature if they want message-level encryption for calling Services using the Encrypted Service Client.

Otherwise the built-in encryption features in ServiceStack utilize the generic primitives in CryptUtils, e.g. they contain HmacUtils for signing and verifying arbitrary bytes using AES Crypt/Auth keys.
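
A subscriber-side check of the signature described in the question, as an added example that is not part of the original thread and is not ServiceStack or ServiceStack.Webhooks code. It uses only System.Security.Cryptography from .NET 5 or later; the `<algo>=<hex>` header format follows GitHub's convention and is an assumption about what the publisher sends, and the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class WebhookSignature   // hypothetical helper, not a ServiceStack type
{
    // headerValue: the X-Hub-Signature value, assumed to be "<algo>=<hex digest>".
    // rawBody: the request bytes exactly as received, not a re-serialized DTO.
    public static bool Verify(string headerValue, byte[] rawBody, string secret)
    {
        if (string.IsNullOrEmpty(headerValue) || rawBody == null || string.IsNullOrEmpty(secret))
            return false;
        var parts = headerValue.Split('=', 2);
        if (parts.Length != 2) return false;
        using (var hmac = Create(parts[0], Encoding.UTF8.GetBytes(secret)))
        {
            if (hmac == null) return false;              // unknown algorithm prefix
            byte[] claimed;
            try { claimed = Convert.FromHexString(parts[1]); }
            catch (FormatException) { return false; }    // digest is not valid hex
            // Constant-time compare, so timing does not reveal how many bytes matched.
            return CryptographicOperations.FixedTimeEquals(claimed, hmac.ComputeHash(rawBody));
        }
    }

    private static HMAC Create(string algo, byte[] key) =>
        algo == "sha1" ? (HMAC)new HMACSHA1(key)
        : algo == "sha256" ? new HMACSHA256(key) : null;
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values, not taken from a real subscription.
        var secret = "example-subscription-secret";
        var body = Encoding.UTF8.GetBytes("{\"event\":\"customer.created\",\"id\":42}");
        var tampered = Encoding.UTF8.GetBytes("{\"event\":\"customer.created\",\"id\":43}");
        using var publisher = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        var header = "sha256=" + Convert.ToHexString(publisher.ComputeHash(body)).ToLowerInvariant();
        Console.WriteLine(WebhookSignature.Verify(header, body, secret));     // genuine delivery
        Console.WriteLine(WebhookSignature.Verify(header, tampered, secret)); // body changed in transit
        Console.WriteLine(WebhookSignature.Verify("md5=00", body, secret));   // unsupported algorithm
    }
}
```

In a request filter the body has to be buffered before model binding so the same bytes can be hashed; deserializing and re-serializing the JSON will usually change whitespace or property order and break the comparison.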