In regards to Shopify for API usage, we are using HMAC integrity checks. We have made this group aware that HMAC is NOT Authentication.
When it mentions authenticity, that means the authenticity of the payload of a message, not the authenticating of the users. To add more security to external APIs, is there any other support from Shopify apart from HMAC? My organization is in the financial domain and does not allow HMAC authentication alone as security. Looking forward to seeing any other options apart from HMAC, like whitelisting source IPs/OAuth2.
This is right now a roadblock to integrating with Shopify. Please provide support on this topic.
Where is the HMAC authentication coming into play? Are you looking at receiving webhooks or is this a payment processing integration? If it's the former, then perhaps you could perform a polling query on a regular basis. That way your side would be the initiator, and you would have more control over the API request/response process. While this is clunkier than the webhooks automatically informing you of any event, it does lessen the security implications to a degree.
I'm not quite sure how you are using the API, but in our case we use OAuth2 from Shopify (to generate user-based access tokens).
These are unrelated concerns, as you mentioned. HMAC ensures that the message that is generated by Shopify has the same content (hashing the content with a private key) as when it arrives at your application. It has nothing to do with user-based authentication.
In our case we register our application with each user shop (this is an OAuth2 flow) where we request permission, retrieve a code, then post this code to Shopify to retrieve a token (which is later the only token that can be used by our application to interact with the user data...)
This is a sales channel flow, I'm not sure which flow you are using but this is 100% OAuth-based authentication... https://shopify.dev/tutorials/authenticate-with-oauth
So @digital11, how are you working with these HMAC signatures? If it's on the receiving end of a webhook then there's only so much control you have over them. I know you can customize to a degree which record fields are being passed along with the webhook request you're seeing. But other than the HMAC signature I'm not sure if any other authentication/authorization/validation mechanism is available. Part of the HMAC validation is based on a specific API secret that's used to create the hash. So if that API secret is associated with a specific Shopify API "user" then you can deduce that this is the user who initiated the webhook request.
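
An added illustration of the webhook check discussed in this thread (not code from any poster or from Shopify): receiver-side HMAC verification, assuming the signature arrives base64-encoded in the `X-Shopify-Hmac-Sha256` header and is HMAC-SHA256 over the raw request body, keyed with the app's shared secret. The secret, the sample body and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the example; not real credentials or data.
SHARED_SECRET = b"example-app-secret"
SAMPLE_BODY = b'{"id":1001,"total_price":"25.00"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, as the sending side would compute it."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """True only if header_value is a valid HMAC over the exact bytes received.

    raw_body must be the unparsed request body: re-serialising parsed JSON
    changes the bytes and therefore the MAC.
    """
    if not header_value:
        return False  # unsigned request: reject rather than fall through
    try:
        received = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return False  # header is not valid base64
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Run the verifier over constructed cases and return each outcome."""
    good_sig = sign(SHARED_SECRET, SAMPLE_BODY)
    return {
        "valid": verify_webhook(SHARED_SECRET, SAMPLE_BODY, good_sig),
        "tampered_body": verify_webhook(
            SHARED_SECRET, SAMPLE_BODY.replace(b"25.00", b"0.01"), good_sig),
        "wrong_secret": verify_webhook(b"other-secret", SAMPLE_BODY, good_sig),
        "missing_header": verify_webhook(SHARED_SECRET, SAMPLE_BODY, None),
        "malformed_header": verify_webhook(SHARED_SECRET, SAMPLE_BODY, "!!!"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A passing check shows that the body was signed by a holder of the shared secret and has not changed in transit; it carries no per-user identity, which is the role of the OAuth2 access token mentioned above.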