Integrating a credential into the whole WIF / .NET 4.5 token and claims ecosystem is “easy” – in the sense that you only have to write a SecurityToken and SecurityTokenHandler implementation.
While this is not really hard, it is not for everyone. Especially when you want to do simple things like just validating an access key on a querystring / header, this seems a bit like overkill. Until now.
Thinktecture.IdentityModel45 contains two classes to make that easier: SimpleSecurityToken and SimpleSecurityTokenHandler. The security token is a very thin wrapper around an arbitrary string-based token. The handler contains all the boilerplate code to be a real token handler – and all you have to do is to provide the validation logic. You can e.g. set up a handler like this:
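var handler = new SimpleSecurityTokenHandler("my access key", token =>
{
    // ObfuscatingComparer compares without leaking timing information
    if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
        return new ClaimsIdentity(new Claim[] { new Claim("customerid", "123") });
    return null; // validation failed
});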
In the lambda expression above, you provide the validation code. If the validation succeeds, you return a ClaimsIdentity, otherwise null (or throw an exception).
With the handler in place, you can e.g. wire up validation for your access key in ASP.NET Web API. The following code associates the handler with a query string called key – the value of that query string param will be passed to the above validation function:
And that’s it, when a request like this:
comes in, your service code will now see a ClaimsPrincipal containing the identity that you provided as a result from your validation.