Generating Dynamic Signatures for API Authentication With Insomnia
Earlier this year, we hosted our inaugural Kong Summit Hackathon. This virtual competition engaged our open source community and offered recognition and prizes for hacks in various categories. The community delivered with ingenious plugins, hacks and documentation.
In this blog post, we highlight our Insomnia plugin winner, Scott Harwell. Scott works with many hyperscaler cloud infrastructure vendors. He enjoys contributing to open source projects, especially where there is an opportunity to automate challenging IT or business tasks. See Scott's plugin on GitHub, and look into his thought process for creating this plugin below.
A fast, flexible and open source API client for testing HTTP requests
Authenticate API requests across different cloud providers
Insomnia was the obvious choice for the first requirement. It's open source and has all the features I needed to build complex testing workflows with dynamic variables, request/response inspection and extraction, and device syncing.
OCI Request Signature Plugin Requirements
Out-of-the-box support for API client authentication methods can vary depending on the integrated public cloud. Insomnia makes it easy to add more authentication methods.
In my case, I was experimenting with Oracle Cloud Infrastructure (OCI). Like other clouds, the OCI REST API requests use a calculated signature for authentication unique to that service. A plugin to generate the OCI-specific signature in Insomnia did not exist. That led me to create one so that I could use Insomnia to integrate with OCI REST APIs.
Going into the development of the plugin, I set a few more requirements for myself. First, I wanted the user (me!) to enter as little data as possible when using the plugin, and I wanted to enter data once to set it and forget it.
I also wanted to take advantage of Insomnia's features to make the plugin as powerful and flexible as possible, such as using dynamic variables so that environments would allow me to switch between OCI compartments or tenancies with a setting or toggle.
Lastly, I wanted the plugin to be open source so that the Insomnia community could take what I built and grow it beyond any use case specific to me.
Writing My Insomnia Plugin
I began by looking through the plugin documentation to understand the types of plugins that Insomnia supported and which would best fit the use case that I wanted to solve. Others had already published several open source plugins to GitHub, so my next exercise was to review some existing code to see how Kong's developers write plugins for Insomnia. I referenced the UUID plugin for generating template tags, the base64 plugin for changing values and the request plugin to understand dynamically changing requests before sending them to the remote endpoint. Once I felt comfortable with the reference material and resources available to me, I started writing!
I achieved my first objective by creating a configuration screen that allows users to input the various requirements for the API signature; enter your OCI tenancy data and the path to the private key on your computer, and the plugin is set to run. After the first time configuring the plugin entry, you can copy and paste it from request to request—it copies the variables too. That way, it requires very little configuration after the first use of the plugin.
I found that Insomnia's publishing mechanism through NPM made it extremely easy to distribute the plugin. I can publish any update to GitHub, and my CI/CD pipeline tests, packages and deploys the new version for any Insomnia user to leverage.
The development process for this plugin was frictionless and fast, and I went from idea to solution in my spare time over a few days. Now, any user that wants to use Insomnia with OCI REST APIs can authenticate their requests with minimal effort! Enjoy the plugin, and please feel free to provide any feedback or pull requests through GitHub.
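The calculated signature that OCI REST requests carry, sketched as an added Node.js example that is not taken from Scott's plugin: it builds the signing string, signs it with RSA-SHA256, and assembles the `Authorization` header. The function names, the `example.invalid` URL, the placeholder key ID and the fixed JSON content type are assumptions made for illustration, and the key pair is a throwaway generated in the demo rather than read from a key file.

```javascript
const crypto = require('crypto');

// Signing string: one "name: value" line per signed header, in the listed order.
function buildSigningString(method, url, headers, names) {
  const u = new URL(url);
  return names.map((name) => {
    if (name === '(request-target)') {
      return `(request-target): ${method.toLowerCase()} ${u.pathname}${u.search}`;
    }
    if (headers[name] === undefined) throw new Error(`missing header to sign: ${name}`);
    return `${name}: ${headers[name]}`;
  }).join('\n');
}

// Returns the headers to add to the request (including Authorization) and the signed string.
function signOciRequest({ method, url, body = '', keyId, privateKeyPem, date = new Date() }) {
  const headers = { date: date.toUTCString(), host: new URL(url).host };
  const names = ['(request-target)', 'date', 'host'];
  if (['POST', 'PUT', 'PATCH'].includes(method.toUpperCase())) {
    // Requests with a body also sign its hash, type and length, binding the body to the signature.
    const payload = Buffer.from(body, 'utf8');
    headers['x-content-sha256'] = crypto.createHash('sha256').update(payload).digest('base64');
    headers['content-type'] = 'application/json'; // assumption: JSON body
    headers['content-length'] = String(payload.length);
    names.push('x-content-sha256', 'content-type', 'content-length');
  }
  const signingString = buildSigningString(method, url, headers, names);
  const signature = crypto.createSign('RSA-SHA256').update(signingString).sign(privateKeyPem, 'base64');
  headers.authorization = `Signature version="1",keyId="${keyId}",algorithm="rsa-sha256",` +
    `headers="${names.join(' ')}",signature="${signature}"`;
  return { headers, signingString };
}

// Constructed sample: throwaway key pair and placeholder identifiers, no real tenancy.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const signed = signOciRequest({
    method: 'POST',
    url: 'https://api.example.invalid/v1/items?limit=1',
    body: '{"displayName":"demo"}',
    keyId: 'ocid1.tenancy.EXAMPLE/ocid1.user.EXAMPLE/aa:bb:cc:EXAMPLE', // tenancy/user/fingerprint
    privateKeyPem: privateKey.export({ type: 'pkcs8', format: 'pem' }),
  });
  const sig = /signature="([^"]+)"/.exec(signed.headers.authorization)[1];
  const ok = crypto.createVerify('RSA-SHA256').update(signed.signingString).verify(publicKey, sig, 'base64');
  return { ...signed, verified: ok };
}
```

Because the date header is part of the signed string, a signature has to be computed per request at send time, which is why this kind of logic fits a plugin that modifies the request just before it leaves the client.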