Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi, we are phasing out an API gateway that did authentication using HMAC signed tokens.

We initially tried to replace the token validation with Oathkeepers `oauth2_introspection` handler calling a custom token introspection endpoint. However, the added latency and load was too much, despite caching.

I have now built HMAC token validation directly into Oathkeeper as an additional authenticator. Is this something you'd consider adding? Just want to make sure before making additional efforts (design document, PR, ...).

Hi <@U02R6JS400G>

This sounds quite cool! I think create an issue so that you can discuss the details of your implementation there before creating a PR.

Wrote some brief design doc: <https://github.com/ory/oathkeeper/issues/936>