Add support for configuring HTTP headers for timestamp authority requests from c2pa.toml.
The goal of this feature request is to make TSA integrations configurable without requiring a custom signer for common cases, while avoiding storage of secrets directly in TOML.
I recommend the following. I am also happy to follow up with a PR once we come to a common agreement on how to implement and document this:
The requirements I see for a common configuration are that it should support two classes of header values:
- Non-secret headers as literal values in TOML.
- Secret headers as references to environment variables.
This keeps the config file declarative and should allow authentication tokens and similar sensitive values to be injected at runtime.
I personally believe that the resulting PR should also provide documentation guidance to explicitly warn against providing secret values inline in the config TOML.
Here is the proposed extension to toml configuration (JSON will also be supported):
```toml
[signer]
tsa_url = "https://tsa.example.com"

[[signer.timestamp_headers]]
name = "X-Tenant"
value = "acme-prod"

[[signer.timestamp_headers]]
name = "Authorization"
from_env = "C2PA_TSA_AUTH_TOKEN"
format = "Bearer {value}"
```
The schema semantics are as follows:
- `name`: HTTP header name.
- `value`: literal non-secret header value.
- `from_env`: name of an environment variable whose value will be used at runtime.
- `format`: optional template applied to the resolved value, for example `Bearer {value}`.
The expected behavior is:
- `value` should be used for static, non-sensitive headers.
- `from_env` should be used for secrets such as bearer tokens or API keys.
- `format` should allow common auth patterns without requiring users to include the full final header value in the environment variable.
Given:
```toml
[[signer.timestamp_headers]]
name = "Authorization"
from_env = "C2PA_TSA_AUTH_TOKEN"
format = "Bearer {value}"
```
and:
```sh
export C2PA_TSA_AUTH_TOKEN=abc123
```
the resolved request header would be:
```
Authorization: Bearer abc123
```
Please let me know your thoughts on this :)
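
An added example, not part of the original issue or the project's code: one way the proposed `value` / `from_env` / `format` resolution could be implemented in Rust. The names `TimestampHeader`, `HeaderError` and `resolve_header` are hypothetical, and two checks are assumptions beyond what the issue specifies: exactly one of `value` / `from_env` must be set, and resolved values containing control characters (CR/LF) are rejected.

```rust
/// Hypothetical mirror of one [[signer.timestamp_headers]] entry.
#[derive(Default)]
pub struct TimestampHeader {
    pub name: String,
    pub value: Option<String>,
    pub from_env: Option<String>,
    pub format: Option<String>,
}

/// Errors carry the header or variable name only, never the resolved secret.
#[derive(Debug, PartialEq)]
pub enum HeaderError {
    AmbiguousSource(String), // both or neither of value / from_env set
    MissingEnv(String),      // from_env names a variable that is not set
    BadFormat(String),       // format lacks the {value} placeholder
    ControlChar(String),     // resolved value contains CR/LF or similar
}

/// Resolve one entry to (name, value). The env lookup is injected so the
/// function can be tested without touching process state.
pub fn resolve_header(
    h: &TimestampHeader,
    env: &dyn Fn(&str) -> Option<String>,
) -> Result<(String, String), HeaderError> {
    let raw = match (&h.value, &h.from_env) {
        (Some(v), None) => v.clone(),
        (None, Some(var)) => env(var.as_str()).ok_or_else(|| HeaderError::MissingEnv(var.clone()))?,
        _ => return Err(HeaderError::AmbiguousSource(h.name.clone())),
    };
    let resolved = match &h.format {
        Some(f) if f.contains("{value}") => f.replace("{value}", &raw),
        Some(_) => return Err(HeaderError::BadFormat(h.name.clone())),
        None => raw,
    };
    // Assumption: refuse control characters so an env value cannot inject extra headers.
    if resolved.chars().any(|c| c.is_control()) {
        return Err(HeaderError::ControlChar(h.name.clone()));
    }
    Ok((h.name.clone(), resolved))
}

fn main() {
    // Constructed sample mirroring the issue; real use would pass |k| std::env::var(k).ok().
    let env = |k: &str| (k == "C2PA_TSA_AUTH_TOKEN").then(|| "abc123".to_string());
    let h = TimestampHeader { name: "Authorization".into(), from_env: Some("C2PA_TSA_AUTH_TOKEN".into()),
        format: Some("Bearer {value}".into()), ..Default::default() };
    let (name, _secret) = resolve_header(&h, &env).unwrap();
    println!("resolved header {} (value not logged)", name);
}
```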