This is continuation of my earlier post on implementing Hawk authentication for ASP.NET Web API using Thinktecture.IdentityModel.45.
One of the primary design goals of the Hawk scheme is to “simplify and improve HTTP authentication for services that are unwilling or unable to deploy TLS for all resources”. It is highly recommended to use TLS (HTTPS) even with Hawk but the design goal of Hawk is to ensure the working of the scheme in the absence of HTTPS as well. I covered the basics of Hawk and how the request payload can be protected by Hawk. In the absence of TLS, a man-in-the-middle (MITM) can tamper with the web API response even if the request is protected. One of the key aspects related to preventing the responses getting tampered is the response payload verification and it works like this.
View original post 552 more words