RabbitMQ HMAC Authentication: Technical Description

Overview

This Python code implements an HMAC-based authentication mechanism for connecting to RabbitMQ, following a process similar to the DaVinciNT API authentication described in the reference documentation.

Authentication Flow

  1. Authorization Header Generation: The code generates an authorization header using a signature created with a secret key, access key, and request elements.
  2. Signature Calculation: The signature is the HMAC-SHA256, keyed with the secret key, of a string formed by concatenating, in this order:
    • UTC timestamp (yyyyMMddHHmmss)
    • Uppercase host
    • Virtual host
    • Query string ("?q=" followed by the queue names)
  3. Base64 Encoding: The resulting HMAC digest is base64-encoded and included in the authorization header:
     Authorization: DirectGrant [username] [accessKey] [utcDate(yyyyMMddHHmmss)] [signature]

Note: Each time the client connects to RabbitMQ, the authentication signature must be recalculated to ensure the timestamp and signature are current and valid.

Authentication Example (Pseudocode)

// Pseudocode for HMAC-based RabbitMQ Authentication
function generate_authorization():
    utc_date = current_utc_time("yyyyMMddHHmmss")
    string_to_sign = utc_date + UPPERCASE(HOST) + VIRTUAL_HOST + "?q=" + QUEUE_NAMES
    signature = HMAC_SHA256(secret_key=SECRET_KEY, message=string_to_sign)
    signature_base64 = BASE64_ENCODE(signature)
    authorization = "DirectGrant " + USER + " " + ACCESS_KEY + " " + utc_date + " " + signature_base64
    return authorization

// On each connection attempt:
authorization = generate_authorization()
password = BASE64_ENCODE(authorization)
username = USER + "?q=" + QUEUE_NAMES

// Use 'username' and 'password' to authenticate with RabbitMQ

This pseudocode demonstrates the process of generating the required authentication values for RabbitMQ using HMAC.

Authentication Example (With Example Values)

// Example values
USER = "rabbitmquser"
ACCESS_KEY = "abc"
SECRET_KEY = "def"
VIRTUAL_HOST = "public"
QUEUE_NAMES = "WHATEVER-Tenant-Listener|Whatever2-Tenant-Listener"
HOST = "publicapi.nt.cloud.bewotec.de"
UTC_DATE = "20260106123045" // Example: 6 Jan 2026, 12:30:45 UTC

// String to sign
STRING_TO_SIGN = "20260106123045PUBLICAPI.NT.CLOUD.BEWOTEC.DEpublic?q=WHATEVER-Tenant-Listener|Whatever2-Tenant-Listener"

// HMAC-SHA256 signature (base64-encoded, using SECRET_KEY)
SIGNATURE = "Qk9n1Q8Qw1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q==" // Example only

// Authorization header
AUTHORIZATION = "DirectGrant rabbitmquser abc 20260106123045 Qk9n1Q8Qw1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q2k1Q=="

// Password for RabbitMQ (base64-encoded authorization)
PASSWORD = "RGlyZWN0R3JhbnQgcmFiYml0bXF1c2VyIGFiYyAyMDI2MDEwNjEyMzA0NSBRazluMVE4UXcxUTJrMVEyazFRMmsxUTJrMVEyazFRMmsxUTJrMVEyazFRMmsxUTJrMVEyazFRMmsxUTJrMVEyazFRMmsxUTJrMVEyazFRPT0="

// Username for RabbitMQ
USERNAME = "rabbitmquser?q=WHATEVER-Tenant-Listener|Whatever2-Tenant-Listener"

This example shows concrete values for each step of the authentication process. The signature and password values are for illustration only.
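
The flow above as runnable Python, paired with a receiving-side check, as an added example (not the original client code and not the DaVinciNT implementation). The names `build_credentials`, `verify_credentials` and `lookup_secret`, and the 5-minute `max_skew` window, are assumptions; the verifier only sketches how a service could recompute the signature, reject stale timestamps and compare in constant time.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y%m%d%H%M%S"  # yyyyMMddHHmmss


def build_credentials(user, access_key, secret_key, host, vhost, queue_names, now=None):
    """Return (username, password) for one connection attempt."""
    now = now or datetime.now(timezone.utc)
    utc_date = now.strftime(TS_FORMAT)
    string_to_sign = utc_date + host.upper() + vhost + "?q=" + queue_names
    digest = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    authorization = f"DirectGrant {user} {access_key} {utc_date} {signature}"
    password = base64.b64encode(authorization.encode()).decode("ascii")
    return f"{user}?q={queue_names}", password


def verify_credentials(username, password, host, vhost, lookup_secret,
                       now=None, max_skew=timedelta(minutes=5)):
    """Hypothetical receiving-side check; max_skew is an assumed policy value."""
    now = now or datetime.now(timezone.utc)
    try:
        user, queue_names = username.split("?q=", 1)
        scheme, auth_user, access_key, utc_date, signature = (
            base64.b64decode(password, validate=True).decode().split(" "))
        sent_at = datetime.strptime(utc_date, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False  # malformed username, base64, field count or timestamp
    if scheme != "DirectGrant" or auth_user != user:
        return False
    if abs(now - sent_at) > max_skew:
        return False  # stale or future-dated signature
    secret_key = lookup_secret(access_key)  # assumed lookup: access key -> secret key
    if secret_key is None:
        return False
    string_to_sign = utc_date + host.upper() + vhost + "?q=" + queue_names
    expected = base64.b64encode(
        hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256).digest())
    return hmac.compare_digest(expected, signature.encode())  # constant-time compare


if __name__ == "__main__":  # values from the page's example section
    t = datetime(2026, 1, 6, 12, 30, 45, tzinfo=timezone.utc)
    host, vhost, queues = "publicapi.nt.cloud.bewotec.de", "public", "WHATEVER-Tenant-Listener|Whatever2-Tenant-Listener"
    u, p = build_credentials("rabbitmquser", "abc", "def", host, vhost, queues, now=t)
    print(u, verify_credentials(u, p, host, vhost, {"abc": "def"}.get, now=t))
```

Because the queue names are part of the signed string, changing the `?q=` portion of the username after signing makes verification fail.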

Usage in RabbitMQ

Security Features

Code Excerpt

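import base64

# get_authorization() builds the "DirectGrant ..." authorization string (see Authentication Flow)
authorization = get_authorization()
# RabbitMQ password: the base64-encoded authorization string (bytes)
base64_encoded_password = base64.b64encode(authorization.encode())
queue_names = QUEUE_NAMES.split("|")  # individual queue names
username = USER + "?q=" + QUEUE_NAMES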