HMAC Auth: Enforce headers, body validation, and HMAC digest algorithms - Plugin

Enforce headers, body validation, and HMAC digest algorithms

Enforces headers that the client should use during HTTP signature creation, as well as body validation. Specifies that the hmac-sha1 and hmac-sha256 algorithms should be used to hash the digest.

Prerequisites

You have created a Consumer with HMAC credentials

Set up the plugin

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: hmac-auth
    config:
      enforce_headers:
      - date
      - "@request-target"
      algorithms:
      - hmac-sha1
      - hmac-sha256
      validate_request_body: true

      
        
      
    
Copied to clipboard!

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "hmac-auth",
      "config": {
        "enforce_headers": [
          "date",
          "@request-target"
        ],
        "algorithms": [
          "hmac-sha1",
          "hmac-sha256"
        ],
        "validate_request_body": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "hmac-auth",
      "config": {
        "enforce_headers": [
          "date",
          "@request-target"
        ],
        "algorithms": [
          "hmac-sha1",
          "hmac-sha256"
        ],
        "validate_request_body": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: hmac-auth
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  enforce_headers:
  - date
  - '@request-target'
  algorithms:
  - hmac-sha1
  - hmac-sha256
  validate_request_body: true
plugin: hmac-auth
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

      
        
      
    
Copied to clipboard!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_hmac_auth" "my_hmac_auth" {
  enabled = true

  config = {
    enforce_headers = ["date", "@request-target"]
    algorithms = ["hmac-sha1", "hmac-sha256"]
    validate_request_body = true
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

Copied to clipboard!

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: hmac-auth
    service: serviceName|Id
    config:
      enforce_headers:
      - date
      - "@request-target"
      algorithms:
      - hmac-sha1
      - hmac-sha256
      validate_request_body: true

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "hmac-auth",
      "config": {
        "enforce_headers": [
          "date",
          "@request-target"
        ],
        "algorithms": [
          "hmac-sha1",
          "hmac-sha256"
        ],
        "validate_request_body": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "hmac-auth",
      "config": {
        "enforce_headers": [
          "date",
          "@request-target"
        ],
        "algorithms": [
          "hmac-sha1",
          "hmac-sha256"
        ],
        "validate_request_body": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: hmac-auth
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  enforce_headers:
  - date
  - '@request-target'
  algorithms:
  - hmac-sha1
  - hmac-sha256
  validate_request_body: true
plugin: hmac-auth
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=hmac-auth

Copied to clipboard!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

      
        
      
    
Copied to clipboard!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_hmac_auth" "my_hmac_auth" {
  enabled = true

  config = {
    enforce_headers = ["date", "@request-target"]
    algorithms = ["hmac-sha1", "hmac-sha256"]
    validate_request_body = true
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

      
        
      
    
Copied to clipboard!

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: hmac-auth
    route: routeName|Id
    config:
      enforce_headers:
      - date
      - "@request-target"
      algorithms:
      - hmac-sha1
      - hmac-sha256
      validate_request_body: true

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "hmac-auth",
      "config": {
        "enforce_headers": [
          "date",
          "@request-target"
        ],
        "algorithms": [
          "hmac-sha1",
          "hmac-sha256"
        ],
        "validate_request_body": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "hmac-auth",
      "config": {
        "enforce_headers": [
          "date",
          "@request-target"
        ],
        "algorithms": [
          "hmac-sha1",
          "hmac-sha256"
        ],
        "validate_request_body": true
      }
    }
    '

      
        
      
    
Copied to clipboard!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: hmac-auth
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  enforce_headers:
  - date
  - '@request-target'
  algorithms:
  - hmac-sha1
  - hmac-sha256
  validate_request_body: true
plugin: hmac-auth
" | kubectl apply -f -

      
        
      
    
Copied to clipboard!

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=hmac-auth

Copied to clipboard!

kubectl annotate -n kong ingress  konghq.com/plugins=hmac-auth

Copied to clipboard!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

      
        
      
    
Copied to clipboard!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_hmac_auth" "my_hmac_auth" {
  enabled = true

  config = {
    enforce_headers = ["date", "@request-target"]
    algorithms = ["hmac-sha1", "hmac-sha256"]
    validate_request_body = true
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

      
        
      
    
Copied to clipboard!

HMAC Auth

Enforce headers, body validation, and HMAC digest algorithms

Prerequisites

Set up the plugin

Did this doc help?

Help us make these docs great!

Still need help