Implementing security measures to prevent possible attacks is a necessity when using enterprise software. Keyed-Hash Message Authentication Code (HMAC) validation is one such measure: it involves a cryptographic hash function and, as with any Message Authentication Code, is used to verify both the data integrity and the authenticity of a message. In this tutorial you will use HMAC to validate the OAuth tokens created in WSO2 API Manager and WSO2 Identity Server.
Preventing misuse of OAuth Tokens
...
If an attacker sends API requests with random tokens, API Manager will still try to verify each token, and every such request goes down the critical path of token verification. This is a costly transaction that can cause high latencies and instability in API Manager clusters. The solution described here is implemented using extensions written for the standard extension points of WSO2 API Manager and WSO2 Identity Server.
WSO2 IS Extension - OAuth Token Generator Extension
Engage the HMAC OAuth handler, which performs the Keyed-Hash Message Authentication Code (HMAC) validation, by adding the following to <IS_HOME>/repository/conf/identity/identity.xml:
```xml
<IdentityOAuthTokenGenerator>com.sample.lahiru.wso2.hmac.oauth</IdentityOAuthTokenGenerator>
```
Info: More information on developing OAuth token generator extensions is available here. The code for this particular solution can be found in the oauth-hmac-extension GitHub repository.
This extension is responsible for enhancing the OAuth token with an HMAC (Hash-based Message Authentication Code), so that the attacks mentioned above become less effective. The following two parts will be added to the token in addition to the default token created in WSO2 IS.
...
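To illustrate the idea behind the cheap pre-check, here is an added Python sketch (not code from the oauth-hmac-extension or from WSO2): the issuer appends an HMAC tag to the token, and the gateway verifies that tag before it spends anything on the costly token lookup. The `base.tag` layout, the shared key and the in-memory token store are assumptions made for this example only.

```python
import hashlib
import hmac
import secrets

# Assumed shared secret between the token issuer (IS) and the gateway (APIM).
# Constructed for this example; a real deployment would load it from config.
HMAC_KEY = b"constructed-example-key-do-not-reuse"


def issue_token(base_token: str, key: bytes = HMAC_KEY) -> str:
    """Append an HMAC-SHA256 tag to a base token (layout is an assumption)."""
    tag = hmac.new(key, base_token.encode(), hashlib.sha256).hexdigest()
    return f"{base_token}.{tag}"


def hmac_check(token: str, key: bytes = HMAC_KEY) -> bool:
    """Cheap, store-free check run before the expensive verification path."""
    base, sep, tag = token.rpartition(".")
    if not sep or not base:
        return False  # malformed: no tag present
    expected = hmac.new(key, base.encode(), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(expected, tag)


class TokenValidator:
    """Stands in for the gateway; counts trips down the costly lookup path."""

    def __init__(self, key: bytes = HMAC_KEY):
        self.key = key
        self.store = {}            # assumed token store / key manager
        self.expensive_lookups = 0

    def issue(self, scope: str) -> str:
        base = secrets.token_urlsafe(24)  # no '.' in urlsafe alphabet
        self.store[base] = scope
        return issue_token(base, self.key)

    def validate(self, token: str):
        if not hmac_check(token, self.key):
            return None            # rejected without touching the store
        self.expensive_lookups += 1
        return self.store.get(token.rpartition(".")[0])
```

A random or tampered token fails `hmac_check` and never increments `expensive_lookups`, which is the property the extension relies on to protect the cluster.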