Using Simple Web Token (SWT) with WIF
Posted by zamd on February 8, 2011
SAML 1.1/SAML 2.0 is the default token format when using ACS as the authentication service for your website. In this model, your website talks to ACS using the WS-Federation protocol and what it normally gets back is a SAML token. This scenario is fairly straightforward, as WIF natively supports the WS-Federation protocol and the SAML 1.1/SAML 2.0 token formats.
There are cases where you might want to return a Simple Web Token (SWT) after a successful authentication. For example, you might want to use this same SWT (available as a bootstrap token) to call other downstream REST/OData services, as depicted in the following diagram.
ACS fully supports returning an SWT token after a successful WS-Fed authentication, but WIF currently doesn’t support SWT tokens. You would have to write a custom Security Token Handler for WIF to process the SWT tokens coming back to your website. I have created some extensions which enable this and other OAuth WRAP related scenarios. Feel free to download the code from my SkyDrive.
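The validation work that such a custom token handler has to do is independent of WIF itself: split the SWT into its signed form-encoded body and its HMACSHA256 trailer, recompute the HMAC with the relying party's shared key, and only then trust the Issuer, Audience and ExpiresOn claims. The following is an added example written for this post, not code from the article's extensions or from the SkyDrive download; it is in Python rather than C# so the steps are visible without WIF plumbing. The signing key, issuer, audience and claim values are constructed placeholders, and `issue_swt` exists only so the example can mint a token to check (ACS does that step in the real flow).

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed 256-bit signing key, base64-encoded the way ACS presents it.
# The value is illustrative only.
SIGNING_KEY_B64 = base64.b64encode(bytes(range(32))).decode("ascii")

# Constructed relying-party identifiers; not values from the article.
ISSUER = "https://example-namespace.accesscontrol.windows.net/"
AUDIENCE = "http://localhost/relyingparty"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def issue_swt(claims, signing_key_b64):
    """Serialize claims as an SWT: form-encoded pairs followed by &HMACSHA256=<sig>.

    The HMAC-SHA256 covers the exact bytes preceding "&HMACSHA256=". Included
    only so the example is self-contained; in practice ACS performs this step.
    """
    key = base64.b64decode(signing_key_b64)
    body = urlencode(claims)
    digest = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return body + "&HMACSHA256=" + quote(base64.b64encode(digest).decode("ascii"), safe="")


def validate_swt(token, signing_key_b64, expected_issuer, expected_audience, now=None):
    """Validate an SWT and return its claims as a dict, or raise ValueError.

    These are the checks a custom WIF SecurityTokenHandler.ValidateToken has to
    perform before turning the claims into a ClaimsIdentity.
    """
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise ValueError("token carries no HMACSHA256 signature")
    signed_part, sig_encoded = token[:idx], token[idx + len(marker):]

    # 1. Signature first: recompute over the signed bytes, compare in constant time.
    key = base64.b64decode(signing_key_b64)
    expected = hmac.new(key, signed_part.encode("utf-8"), hashlib.sha256).digest()
    try:
        presented = base64.b64decode(unquote(sig_encoded), validate=True)
    except ValueError:
        raise ValueError("signature is not valid base64") from None
    if not hmac.compare_digest(expected, presented):
        raise ValueError("signature mismatch")

    # 2. Parse claims only after the signature is trusted. Repeated names are
    #    folded into a comma-separated value, the SWT convention for multi-valued claims.
    claims = {}
    for name, value in parse_qsl(signed_part, keep_blank_values=True):
        claims[name] = value if name not in claims else claims[name] + "," + value

    # 3. Issuer and Audience must match the relying party's configuration.
    if claims.get("Issuer") != expected_issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != expected_audience:
        raise ValueError("token not issued for this audience")

    # 4. ExpiresOn is seconds since 1970-01-01 UTC; reject if absent, malformed or past.
    try:
        expires_on = int(claims["ExpiresOn"])
    except (KeyError, ValueError):
        raise ValueError("missing or malformed ExpiresOn") from None
    current = int(time.time()) if now is None else now
    if expires_on <= current:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Mint a constructed token valid for ten minutes and validate it.
    sample = {"Issuer": ISSUER, "Audience": AUDIENCE,
              "ExpiresOn": str(int(time.time()) + 600), NAME_CLAIM: "alice"}
    token = issue_swt(sample, SIGNING_KEY_B64)
    print(token)
    print(validate_swt(token, SIGNING_KEY_B64, ISSUER, AUDIENCE)[NAME_CLAIM])
```

The order matters: the body is parsed only after the HMAC has been verified, so a tampered claim never reaches the issuer, audience or expiry checks, and `hmac.compare_digest` keeps the comparison constant-time. A WIF handler would additionally map the resulting dictionary onto `Claim` objects and honour the issuer name registry; the four checks above are the part that has no SAML equivalent to lean on.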
David Peden said
Hey Ahmed, thanks for publishing this code. I have three questions for you.
1. I also just stumbled upon your NuGet package SWT Token Support for WIF/ACS – 1.1.1.48. Do you guys intend to update to ACS 2.0?
2. Have you guys seen Windows Identity Foundation Extension for OAuth CTP Version 1-3 (http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=32719)?
3. Do you guys intend to put out a package for JWT support?
I would love to hear your thoughts. Thanks!
David Peden said
Update, acs.codeplex.com actually links to Windows Identity Foundation Extension for OAuth CTP Version 1-4 for production (https://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=35417).
NuGet Package to enable SWT in WIF « Zulfiqar's weblog said
[...] found Daniel Cazzulino@Clarius has packaged some of my work in a reusable NuGet package. Pretty [...]
Buck Woody : Certification Notes: 70-583 Designing and Developing Windows Azure Applications said
[...] http://zamd.net/2011/02/08/using-simple-web-token-swt-with-wif/ [...]
Demystifying Access Control Service « Niraj Bhatt – Architect's Blog said
[...] WIF SDK, in addition, provides web controls for federated sign in and sign in status (Look at this article in case you want WIF to work with SWT for web applications (passive [...]
Priya said
Hi Zulfiqar,
Thank you for the great article; it’s been very helpful. I do have a question for you regarding security token handlers. If I have a client that wants to use the REST endpoint, and wants to send me an API key as a credential (via header or query string), can I implement a custom token handler that will interpret the API key in the header/query string as a token and authenticate accordingly? Would I need to map this token handler to a specific token type? Basically, I want to use WIF so that I can support SWT/OAuth at a later date, but to start with, I want to support just the API key. Wondering if I’d be able to add additional token handlers in this scenario as well.
Thanks a ton for your time,
Priya
zamd said
To be honest, I wouldn’t use a token handler for this scenario as those are closely related to SOAP. I would rather look into WCF Web API and would use a Message Handler for this. Inside the implementation of the message handler I might use WIF APIs if required.
Priya said
Thanks for your inputs. You’re right, I could use a message handler and set ClaimsPrincipal, except then I am guessing I wouldn’t be able to leverage a common ClaimsAuthorizationManager etc.