Enabling HMAC authentication with Anypoint Platform

  • Written By Vineet Shukla
  • 31/03/2020

There are many applications that use HMAC-based authentication (for example Microsoft Teams’ chat bot). This blog explains how to create a reusable custom policy with MuleSoft Anypoint Platform in order to authenticate requests from applications using HMAC authentication.

[HMAC is a specific type of message authentication code. The client sends the original message (not encrypted) along with its HMAC hash. The server receives the message and, using its secret token, hashes the message and compares the result with the received hash. If the two match, authentication passes; if not, the request is declined.]

Steps to create a reusable custom policy for HMAC authentication:

  • Create a YAML config file using the secret token as the input parameter
YAML config file
  • Create a Policy config XML file with the sample groovy script* shown in the image below, to take the input token (refer to step 1) to hash the incoming message for the HMAC authentication. 

*The sample Groovy script needs to be added to the ‘before’ section of the policy XML file.

Policy config xml file

In this stage you can also specify message filters to apply if the inbound hash is null or not equal to the generated hash. The filters can refer to the processor chains which need to be defined outside the ‘before’ section of the policy.

  • Now we have the YAML config and XML Policy config ready to be imported in the API Manager. Click on Custom Policies and then click on the Add Custom Policy button.
Custom policy
  • Choose the policy ‘runtimes older than Mule4’ (for Mule 4-based policies keep an eye out for our next blog). Provide the ‘Name’ of the policy and the file locations for YAML and Policy XML.
Add custom policy
  • Now go to your Mule application/proxy and attach the custom policy you created. You should have an application to which to attach the policy, which is now visible in the Select Policy list.
Attach custom policy
    • Click on Configure Policy
    • Specify the secret token (auth token) received from the client app
    • The policy is applied

The HMAC-based client application can now test the Mule application to which we attached the policy.
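The check that the policy's Groovy script has to perform, written out as an added example. This is not the script from the original post, which was shown only as an image. It assumes HMAC-SHA256, a Base64-encoded secret token, and the hash arriving as `HMAC <base64>` in a header (the layout Microsoft Teams outgoing webhooks use); the function names and sample values are hypothetical.

```groovy
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import java.security.MessageDigest

// Assumptions (not from the original post): HMAC-SHA256, Base64-encoded
// shared secret, inbound hash carried as "HMAC <base64>".

// Hash the raw request bytes with the shared secret.
byte[] computeHmac(byte[] key, byte[] rawBody) {
    Mac mac = Mac.getInstance('HmacSHA256')
    mac.init(new SecretKeySpec(key, 'HmacSHA256'))
    return mac.doFinal(rawBody)
}

// Returns true only when the inbound hash is present, well formed and
// equal to the hash generated from the body.
boolean isAuthentic(String secretB64, byte[] rawBody, String authHeader) {
    // Null or malformed inbound hash: reject (the "hash is null" filter case)
    if (authHeader == null || !authHeader.startsWith('HMAC ')) {
        return false
    }
    byte[] received
    try {
        received = Base64.getDecoder().decode(authHeader.substring(5).trim())
    } catch (IllegalArgumentException e) {
        return false
    }
    byte[] expected = computeHmac(Base64.getDecoder().decode(secretB64), rawBody)
    // MessageDigest.isEqual compares in constant time, so response timing
    // does not reveal how many leading bytes of a guessed hash were right.
    return MessageDigest.isEqual(expected, received)
}

// Constructed sample values, for demonstration only
String secret = Base64.getEncoder().encodeToString('constructed-demo-secret'.getBytes('UTF-8'))
byte[] body = '{"type":"message","text":"hello"}'.getBytes('UTF-8')
byte[] tampered = '{"type":"message","text":"hellp"}'.getBytes('UTF-8')
String header = 'HMAC ' + Base64.getEncoder().encodeToString(
        computeHmac(Base64.getDecoder().decode(secret), body))

assert isAuthentic(secret, body, header)              // matching hash passes
assert !isAuthentic(secret, tampered, header)         // modified body is declined
assert !isAuthentic(secret, body, null)               // missing hash is declined
assert !isAuthentic(secret, body, 'HMAC not*base64')  // malformed hash is declined
```

Hash the request body exactly as received, before any parsing or re-serialisation, because a one-byte difference produces a different hash.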

If you would like to find out more about Anypoint Platform and how to enable HMAC authentication, we can help. Give us a call or email us at marketing@whishworks.com.
