Hawk Authentication considered harmful.
Uses the hostname and port as part of the signed string
The only case where this is actually relevant is when two endpoints serve identical URLs (same path and query), share the same keys and secrets, and replaying a request signed for one of them against the other would be unwanted.
The drawback is that many services don't know which host and port the client originally used, because the request reached them through a reverse proxy, which rewrites the Host header.
Now we're forced to create a mechanism where the reverse proxy forwards the original Host header to the application behind it, and the application has to use that forwarded value, not the one it received, when it recomputes the signature.
Could have built upon Digest auth
Digest has a lot going for it, and its feature set overlaps with Hawk's a great deal.
Hawk's strengths here are that it uses a stronger hash algorithm (HMAC-SHA256, where Digest as specified in RFC 2617 uses MD5) and that, unlike Digest, it needs no preflight request to discover the server nonce. The latter is also the author's main concern with using Digest instead, as stated in the FAQ.
An answer to that would have been rather simple though: any server could hardcode and document its server-side nonce, rendering the initial negotiation optional but still possible. The catch is that a fixed server nonce no longer bounds replays on its own, so such a server has to remember the nonce-count (nc) and client nonce (cnonce) values it has already accepted.
Furthermore, Digest can easily be extended with new algorithms; the algorithm parameter in the challenge exists for exactly that purpose.
What to use instead?
- They are tried and tested for many years.
- Not a moving target.
- Easier to implement.
- Have lots of sample implementations.
That being said, I will probably still add support to an upcoming version of sabre/http.