I need to centralize authentication to my rest web services and make this authentication the same for all of our webservices. So I started writing an external web service to take care about the authentication.

To keep compatibility, since the authentication was performed using a HMAC signature (signed using a private key) alongside the single request (so there is no token of any sort) I thought to make all web services to send the HMAC included inside the incoming request and the StringToSign (a representation of data used to generate the HMAC).

So the Authorization service can (knowing the private key) try to compose the same signature, if it matches then answers with 200 OK and with a JSON object saying “authorized”.

All this communication happens over HTTPS, but I’m trying to figure out what could happen if someone would intercept or modify this answer, making a 403 Forbidden to become 200 OK…

Should I use some sort of way to recognize this is the original answer? If so, what could I do?

I do agree that ssl certificates released by CA’s are secure, but how could I make sure my HTTPS layer has not been compromised allowing an attacker to modify authorization responses?

P.S. please provide some standard solution if any, I don’t want it to be related to the technology I’m using right now, since each service may use its own stack and I don’t really want it to be .NET or something else because there’s a proprietary implementation for the authentication mechanism.