How can i create the hmac-auth signature


I am trying to configure hmac-auth plugin in kong, i have tried so many time to create signature but every time when i hit the request through postman i got the error " message": “HMAC signature does not match”"

please let me know the proper steps to configure and to generate the signature




You can find an example in the docs, here’s the relevant bit:

In the above request, we are composing the signing string using the date and request-line headers and creating the digest using the hmac-sha256 to hash the digest:

  signing_string="date: Thu, 22 Jun 2017 17:15:21 GMT\nGET /requests HTTP/1.1"
  digest=HMAC-SHA256(<signing_string>, "secret")


what i am doing is,

  1. let us suppose today’s date and time is (Mon, 01 Apr 2019 17:15:21 GMT)
    taking signing string as “date: Mon, 01 Apr 2019 17:15:21 GMT\nGET /requests HTTP/1.1”

  2. creating digest through through hmac-sha256 algorithm with secret “secret456”



3.creating base64_digest of (ca9eaa377b3a77a0457c9093562e83e2032bdf6261ae00b81cc6d05b58273db6)
through i.e - > Y2E5ZWFhMzc3YjNhNzdhMDQ1N2M5MDkzNTYyZTgzZTIwMzJiZGY2MjYxYWUwMGI4MWNjNmQwNWI1ODI3M2RiNg==

  1. Test the hmac through postman with below authorization header

Authorization: hmac username=“bob”, algorithm=“hmac-sha256”, headers=“date, request-line”, signature="Y2E5ZWFhMzc3YjNhNzdhMDQ1N2M5MDkzNTYyZTgzZTIwMzJiZGY2MjYxYWUwMGI4MWNjNmQwNWI1ODI3M2RiNg==

X-Date(header) :- Mon, 01 Apr 2019 17:15:21 GMT

The Plugin parameters are
enforce_header=date, request-line
algorithms :- hmac-sha256

The error i get is : “message”: “HMAC signature cannot be verified”

Please let me know , am i following the right process. if no than please mention the right one