In this post I described how to use IdentityServer to do WS-Federation with JWT tokens. In that post I used the default IdSrv signing certificate to sign the outgoing JWT tokens.
There are scenarios where you don’t have certificates but want to use shared secret based signatures instead. This can be done with the following steps (be sure to read my other post first).
1 Set a symmetric signature for the RP in IdSrv
2 Add an issuer token resolver to the RP
The RP must somehow be able to retrieve the signing key – for that we need an issuer token resolver. Here you map the signing key to the issuer name. The IdSrv issuer name can be found under Site ID in general config.
<issuerTokenResolver
    type="System.IdentityModel.Tokens.NamedKeyIssuerTokenResolver, …">
  <securityKey symmetricKey="DiZsT…o="
               name="http://identityserver.v2.thinktecture.com/samples" />
</issuerTokenResolver>
3 Add an entry to the issuer name registry
The last step is to map the signing key to the local issuer name. The new ValidatingIssuerNameRegistry lets you map both thumbprints (for certificate-based signatures) and symmetric keys:
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, …">
  <authority name="http://identityserver.v2.thinktecture.com/samples">
    <keys>
      <add thumbprint="967…e34" />
      <add symmetricKey="Di…no=" />
    </keys>
    <validIssuers>
      <add name="http://identityserver.v2.thinktecture.com/samples" />
    </validIssuers>
  </authority>
</issuerNameRegistry>
The full sample can be found here.
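To make the two RP-side steps concrete, here is an added example (not IdentityServer's or WIF's code) that re-implements the same validation pipeline in plain Python: a key lookup by issuer name (the role of NamedKeyIssuerTokenResolver), a valid-issuer allowlist (the role of the validIssuers element), an HMAC-SHA256 signature check, and an exact-match audience check of the kind that produces the "Audience validation failed" error when the realm and the token's audience differ by a trailing slash. The shared secret, the audience URL and the claims are constructed sample values, not the key or thumbprint from the post.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not the real key from the post).
ISSUER = "http://identityserver.v2.thinktecture.com/samples"
SHARED_SECRET = base64.b64encode(b"constructed-32-byte-demo-secret-key!").decode("ascii")

# Stand-in for the issuerTokenResolver: issuer name -> base64 symmetric key.
ISSUER_KEYS = {ISSUER: SHARED_SECRET}
# Stand-in for <validIssuers> in the issuerNameRegistry.
VALID_ISSUERS = {ISSUER}


class TokenValidationError(Exception):
    pass


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    text += "=" * (-len(text) % 4)  # restore padding stripped by JWT encoding
    return base64.urlsafe_b64decode(text.encode("ascii"))


def create_hs256_jwt(claims, key_b64):
    """Mint a JWT signed with HMAC-SHA256, as IdSrv does for a symmetric signature."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(base64.b64decode(key_b64), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token, expected_audience, now=None):
    """RP-side checks: key by issuer, signature, issuer allowlist, audience, expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenValidationError("malformed token")

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenValidationError("unexpected alg: %r" % header.get("alg"))

    claims = json.loads(_b64url_decode(payload_b64))
    issuer = claims.get("iss")
    # The unverified 'iss' only selects a key from our own fixed table;
    # an unknown issuer simply has no key, so the signature check cannot pass.
    key_b64 = ISSUER_KEYS.get(issuer)
    if key_b64 is None:
        raise TokenValidationError("no signing key registered for issuer %r" % issuer)

    expected_sig = hmac.new(
        base64.b64decode(key_b64), (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenValidationError("signature invalid")

    if issuer not in VALID_ISSUERS:
        raise TokenValidationError("issuer %r not in validIssuers" % issuer)

    # Audience is an exact string match: "https://rp/" and "https://rp" differ.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise TokenValidationError("Audience validation failed: %r" % aud)

    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise TokenValidationError("token expired")
    return claims


if __name__ == "__main__":
    tok = create_hs256_jwt(
        {"iss": ISSUER, "aud": "https://rp.example/", "sub": "alice", "exp": 2000000000}, SHARED_SECRET
    )
    print(validate_jwt(tok, "https://rp.example/")["sub"])
    try:
        validate_jwt(tok, "https://rp.example")  # realm without the trailing slash
    except TokenValidationError as err:
        print(err)
```

The order of checks mirrors what the two config elements do: the key is resolved by issuer name first, the signature is verified, and only then are issuer, audience and lifetime compared. Resolving the key from the untrusted iss claim is safe because the lookup is against a fixed table the RP controls.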
Will this work with a WCF RP?
It should. But I haven't tried it.
Awesome work.
Was just gonna cry about not being able to get token encryption working with this passive redirect…but I found the problem and it works now.
So I guess instead of asking all I can say is AWESOME WORK again :)
Getting the following exception when I tried to run the `MVC and Web API (JWT)` sample:
Jwt10332: Audience validation failed. jwt.Audience
Well – that means that something is wrong with the audience ;)
Missing last slash problem.
Thank you. That was it for me. The wsFederation realm didn't have a / .. put one in and that worked!