
Consider supporting RFC 9421 HTTP Message Signatures #18502

@ziqin

Description


Expected Behavior

RFC 9421 HTTP Message Signatures defines a standard mechanism to create and verify a digital signature or MAC at the HTTP message level. It could be useful when people want to design a system with webhooks without mTLS.

Spring Security could consider adding RFC 9421 support for both servers and clients:

  • For servers:
    • Implement RFC 9421 signature verification as a new authentication mechanism
    • Provide abstractions for signature credentials management
  • For clients: Provide RestClient interceptor and WebClient filter function to create RFC 9421 signature

Current Behavior

Currently, Spring Security doesn't support RFC 9421.

Context

The adoption of RFC 9421 is still emerging. Existing popular webhook-supporting platforms such as GitHub define their own ad hoc webhook signature verification mechanisms. If Spring Security, as a popular framework, supported RFC 9421, it could promote the adoption of this shared standard mechanism.
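To make the request concrete, here is an added example (written for this page, not code from Spring Security or from the issue author) of what the server-side "signature verification as an authentication mechanism" and the client-side "interceptor that creates the signature" boil down to under RFC 9421. It implements a subset of the RFC with `hmac-sha256`: the derived components `@method`, `@authority`, `@path` and `@query`, plain header fields, and the `created` and `keyid` signature parameters. The webhook URL, key id, shared secret and JSON body are constructed for the demo; the receiver-side policy (which components must be covered, the replay window, and the Content-Digest check from RFC 9530) reflects what a verifier has to enforce on top of the MAC check itself.

```python
"""Minimal RFC 9421 HTTP Message Signatures signer/verifier (hmac-sha256 only).
Illustrative code added for this page; not part of Spring Security."""
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit


def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value; covering this header binds the signature to the body."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def component_value(request: dict, name: str) -> str:
    """Canonical value of one covered component (RFC 9421 section 2)."""
    url = urlsplit(request["url"])
    if name == "@method":
        return request["method"].upper()
    if name == "@authority":
        return url.netloc.lower()
    if name == "@path":
        return url.path or "/"
    if name == "@query":
        return "?" + url.query          # a bare "?" when the request has no query string
    if name.startswith("@"):
        raise ValueError(f"unsupported derived component {name}")
    # Header field: case-insensitive lookup, values trimmed, multiple values joined with ", ".
    values = [v.strip() for k, v in request["headers"].items() if k.lower() == name]
    if not values:
        raise ValueError(f"covered field {name!r} is absent from the message")
    return ", ".join(values)


def signature_base(request: dict, components: list, params: str) -> str:
    """One line per covered component, then the @signature-params line, LF-separated."""
    lines = [f'"{c}": {component_value(request, c)}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign(request: dict, components: list, key: bytes, keyid: str, created: int, label: str = "sig1"):
    """Client side: return the (Signature-Input, Signature) header values for the request."""
    params = "(" + " ".join(f'"{c}"' for c in components) + f');created={created};keyid="{keyid}"'
    mac = hmac.new(key, signature_base(request, components, params).encode(), hashlib.sha256).digest()
    return f"{label}={params}", f"{label}=:{base64.b64encode(mac).decode()}:"


_INPUT_RE = re.compile(r"^(?P<label>[a-z][a-z0-9_\-]*)=\((?P<inner>[^)]*)\)(?P<params>.*)$")


def verify(request: dict, signature_input: str, signature: str, keys: dict,
           now: int, required: set, max_age: int = 300) -> bool:
    """Server side: parse the headers, enforce coverage and freshness, recompute the MAC."""
    m = _INPUT_RE.match(signature_input)
    if not m:
        return False
    label, inner, params = m.group("label", "inner", "params")
    components = re.findall(r'"([^"]+)"', inner)
    if not required.issubset(components):
        return False                    # the signer may not cover less than the receiver demands
    pm = dict(re.findall(r';([a-z]+)=("?[^;"]*"?)', params))
    keyid, created = pm.get("keyid", "").strip('"'), pm.get("created", "")
    if keyid not in keys or not created.isdigit() or abs(now - int(created)) > max_age:
        return False                    # unknown key, or outside the replay window
    sm = re.match(rf"^{re.escape(label)}=:([A-Za-z0-9+/=]+):$", signature)
    if not sm:
        return False
    try:
        if "content-digest" in components and \
                component_value(request, "content-digest") != content_digest(request["body"]):
            return False                # the digest header is signed, but the body no longer matches it
        base = signature_base(request, components, f"({inner}){params}")
    except ValueError:
        return False                    # a covered component is missing from the received message
    expected = hmac.new(keys[keyid], base.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(sm.group(1)))


def demo() -> dict:
    """Constructed webhook delivery: sign as the sender would, verify as the receiver would."""
    key = b"constructed-shared-secret-for-this-example"       # constructed, not a real secret
    body = b'{"event":"push","ref":"refs/heads/main"}'
    request = {"method": "POST", "url": "https://hooks.example.test/github?v=1",
               "headers": {"Content-Type": "application/json", "Content-Digest": content_digest(body)},
               "body": body}
    covered = ["@method", "@authority", "@path", "content-digest", "content-type"]
    created = 1_700_000_000
    sig_input, sig = sign(request, covered, key, "webhook-key-1", created)
    keys, required = {"webhook-key-1": key}, {"@method", "@authority", "@path", "content-digest"}
    tampered = dict(request, body=b'{"event":"push","ref":"refs/heads/evil"}')
    return {
        "signature_input": sig_input,
        "ok": verify(request, sig_input, sig, keys, created + 5, required),
        "tampered_body": verify(tampered, sig_input, sig, keys, created + 5, required),
        "stale": verify(request, sig_input, sig, keys, created + 3600, required),
        "wrong_key": verify(request, sig_input, sig, {"webhook-key-1": b"other"}, created + 5, required),
    }


if __name__ == "__main__":
    print(demo())
```

The `required` set is the part a framework abstraction would need to expose: RFC 9421 lets the signer choose what it covers, so a verifier that only recomputes the MAC would accept a signature over nothing of consequence. Likewise the `created` window and the Content-Digest check are receiver policy, not part of the MAC, which is why they sit in `verify` rather than in `signature_base`.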

Metadata

  • Assignees: no one assigned
  • Type: no type
  • Projects: no projects
  • Milestone: no milestone
  • Relationships: none yet
  • Development: no branches or pull requests