Product Documentation

All the web services available in the SKFS APIs accept an HMAC authentication scheme. Currently, HMAC-based authentication in the FIDO Server is available, but HMAC authorization is not yet implemented. The calling application must store the credential (secret key/access key), use it to calculate the HMAC, and send the result as part of the Authorization header.

Follow the steps below to create the authorization header:

  1. Create the request body with the required parameters. For example:

    {
      "svcinfo": {
        "did": 1,
        "protocol": "FIDO2_0",
        "authtype": "HMAC"
      },
      "payload": {
        "username": "johndoe",
        "displayname": "Initial Registration",
        "options": {
          "attestation": "direct"
        },
        "extensions": "{}"
      }
    }
  2. Calculate the SHA-256 digest of the body, then base64-encode the value. The base64-encoded body digest is:

    sspvPRwaaKt+OBh8DudEADNV00r/tPO1h2Y2gDxet34=
  3. Calculate HMAC over the concatenation of the following parameters:

    HTTP Method + "\n" +
    base64 body hash + "\n" +
    contentType/mimetype + "\n" +
    Current Date + "\n" +
    api version + "\n" +
    HTTP URI

    Example input to the HMAC:

    POST
    sspvPRwaaKt+OBh8DudEADNV00r/tPO1h2Y2gDxet34=
    application/json
    Wed, 25 Sep 2019 18:12:30 PDT
    SK3_0
    /skfs/rest/preregister
  4. Once the HMAC is calculated, add the following headers to the request:

    Authorization: HMAC [access key]:[HMAC]
    strongkey-content-sha256: [base64 encoded sha256 digest of the request body]
    Date: [Date used in request to HMAC]
    strongkey-api-version: SK3_0

    Example headers:

    Authorization: HMAC 162a5684336fa6e7:3dlT0yJD0zJoSo+2bBu0ANbZBDPhNZTHpX1Uyc1tWlg=
    strongkey-content-sha256: sspvPRwaaKt+OBh8DudEADNV00r/tPO1h2Y2gDxet34=
    Date: Tue, 7 Sep 2021 13:21:01 EDT
    strongkey-api-version: SK3_0
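
The four steps above, end to end, as an added example (not StrongKey's own code). Assumptions: the HMAC is HMAC-SHA256 with base64 output, which matches the length of the example value but is not stated on this page, and the secret key is used as raw bytes. The secret, the shortened body and the `verify` helper are constructed for illustration; `verify` is a local self-check showing that any change to the signed bytes invalidates the header.

```python
import base64
import hashlib
import hmac

API_VERSION = "SK3_0"  # value from the page's example headers

def body_digest(body: bytes) -> str:
    """Step 2: base64 of the SHA-256 digest of the exact bytes that will be sent."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")

def string_to_sign(method, digest_b64, content_type, date, uri):
    """Step 3: the six fields joined by newlines, in the order the page gives."""
    return "\n".join([method, digest_b64, content_type, date, API_VERSION, uri])

def sign_request(access_key, secret_key, method, uri, body, content_type, date):
    """Step 4: build the headers. HMAC-SHA256 + base64 is an assumption."""
    digest = body_digest(body)
    to_sign = string_to_sign(method, digest, content_type, date, uri)
    mac = hmac.new(secret_key, to_sign.encode("utf-8"), hashlib.sha256).digest()
    return {
        "Authorization": f"HMAC {access_key}:{base64.b64encode(mac).decode('ascii')}",
        "strongkey-content-sha256": digest,
        "Content-Type": content_type,  # must equal the value that was signed
        "Date": date,                  # must equal the value that was signed
        "strongkey-api-version": API_VERSION,
    }

def verify(headers, secret_key, method, uri, body):
    """Local self-check (not SKFS code): recompute and compare in constant time."""
    if not hmac.compare_digest(headers["strongkey-content-sha256"], body_digest(body)):
        return False
    access_key = headers["Authorization"].split(" ", 1)[1].split(":", 1)[0]
    expected = sign_request(access_key, secret_key, method, uri, body,
                            headers["Content-Type"], headers["Date"])
    return hmac.compare_digest(headers["Authorization"], expected["Authorization"])

# Constructed sample values; the secret is a placeholder, not a real credential.
ACCESS_KEY = "162a5684336fa6e7"          # access key shown in the page's example
SECRET_KEY = b"constructed-demo-secret"  # assumed to be raw bytes
BODY = b'{"svcinfo":{"did":1,"protocol":"FIDO2_0","authtype":"HMAC"},"payload":{"username":"johndoe"}}'
DATE = "Wed, 25 Sep 2019 18:12:30 PDT"
URI = "/skfs/rest/preregister"

if __name__ == "__main__":
    hdrs = sign_request(ACCESS_KEY, SECRET_KEY, "POST", URI, BODY, "application/json", DATE)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print("tampered body accepted:", verify(hdrs, SECRET_KEY, "POST", URI, BODY + b" "))
```

Sign the serialized bytes that are actually transmitted; re-serializing the JSON after signing changes the digest and the request will no longer match its header.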