I just released v3.3 of IdentityModel to Github and Nuget.

It includes the [Scope] attribute for Web API (here) and the clickjacking protection for MVC (here).

But the biggest addition is certainly a full featured implementation of the Hawk authentication scheme (spec).

Hawk is a shared secret authentication method where the actual secret is not transmitted on the wire. Instead the secret is used to sign parts of (or the full) HTTP request. The recipient can validate the signature and thus make sure the sender knows the secret key. It also has some replay and integrity protection features when using unsecured transports (though I personally would not recommend to using it as a replacement for SSL).

The implementation is a contribution by Badri from “Pro ASP.NET Web API Security” fame. You can find his intro blog post here and a sample here. Thanks, Badri!

Have fun!