Stormpath's custom scheme is very similar to Amazon's.
But per the blog article, you'd only want to do this if you are willing to support client libraries/sdks that implement it as well. No one wants to spend the time to implement non-standard custom HMAC algorithms.
Totally agree. The key here is that you're doing the work to implement the algorithms, not your customers. If they had to do it, they probably just wouldn't use it.
Thanks for the pointer, I was looking for a sane explanation of the Amazon security and signature algorithm.
I have to disagree with the other comments here regarding the client library. I think that given the precedence of Amazon API, given that people understand how to sign APIs like amazon, this method will be accepted even without a client library.
Being a Java / Scala dev, I prefer that an API provider allow me to select the HTTP client libraries to use and prevent from forcing me to use a specific library & version via SDK transitive dependencies.
What I mean by Amazon like securtiy is described in this article http://www.thebuzzmedia.com/designing-a-secure-rest-api-with...