KONG HMAC body validation always return 403 HMAC signature does not match


Hi there,

I’ve been using this great application for a while.

This is my first time using Kong HMAC-Auth plugin. I’m facing some issue regarding HMAC-Auth plugin. I want to validate request body through Kong HMAC-Auth but it always return 403 “HMAC signature does not match”.

Step to reproduce

Create a service

curl -X POST
-H ‘Content-Type: application/json’
-d ‘{
“name”: “submit-order”,
“url”: “localhost:8800/v1/rdo/order/subscription”

Create a route

curl -X POST
-H ‘Content-Type: application/json’
-d ‘{
“methods”: [“POST”],
“paths”: ["/rdo/order/subscription"],
“service”: {“id”:“f6a4877f-c414-4c82-b06e-ed3f1275887e”}

Enabling plugin

curl -X POST localhost:8001/services/submit-order/plugins
–data “name=hmac-auth”
–data “config.enforce_headers=date, request-line”
–data “config.validate_request_body=true”
–data “config.algorithms=hmac-sha256”

Create a consumer

curl -d “username=BPI69&custom_id=BPI69” localhost:8001/consumers/

Create a credentials

curl -X POST localhost:8001/consumers/BPI69/hmac-auth
–data “username=BPI69”
–data “secret=secret123”

Here’s how i build the signature and digest (using PHP)

$date = gmdate(‘D, d M Y H:i:s T’);
$string = "date: " . $date . “\nPOST /rdo/order/subscription HTTP/1.1”;
$signature = base64_encode(hash_hmac(“sha256”, $string, “secret123”, true));
$body = “A small body”;
$digest = base64_encode(hash(“sha256”, $body, true));

Curl to Kong route

$ch = curl_init();
$config = [
CURLOPT_URL => ‘localhost:8000/rdo/order/subscription’,
curl_setopt_array($ch, $config);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
‘Content-Type: text/plain’,
'Date: ’ . $date,
‘Digest: ’ . ‘SHA-256=’ . $digest,
‘Authorization: ’ . ‘hmac username=“BPI69”, algorithm=“hmac-sha256”, headers=“date request-line digest”, signature="’.$signature.’"’

The result is always 403 “HMAC signature does not match”. However if i don’t validate the body (Digest) all working fine.

I’m using Kong 0.13.x running on docker


I don’t see you included digest in signature

$string = "date: " . $date . “\nPOST /rdo/order/subscription HTTP/1.1”;