Integrating a credential into the whole WIF / .NET 4.5 token and claims ecosystem is “easy” – in the sense that you only have to write a SecurityToken and a SecurityTokenHandler implementation.
While this is not really hard, it is not for everyone. Especially when you want to do simple things like just validating an access key on a querystring / header, this seems a bit like overkill. Until now.
Thinktecture.IdentityModel45 contains two classes to make that easier: SimpleSecurityToken and SimpleSecurityTokenHandler. The security token is a very thin wrapper around an arbitrary string-based token. The handler contains all the boilerplate code needed to be a real token handler – all you have to do is provide the validation logic. You can, for example, set up a handler like this:
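    var handler = new SimpleSecurityTokenHandler("my access key", token =>
    {
        if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
            // A non-empty authentication type makes IsAuthenticated true ("AccessKey" is a placeholder value).
            return new ClaimsIdentity(new Claim[] {
                new Claim("customerid", "123") }, "AccessKey");
        return null; // validation failed
    });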
In the lambda expression above, you provide the validation code. If the validation succeeds, you return a ClaimsIdentity; otherwise you return null (or throw an exception).
With the handler in place, you can e.g. wire up validation for your access key in ASP.NET Web API. The following code associates the handler with a query string called key – the value of that query string param will be passed to the above validation function:
And that’s it, when a request like this:
comes in, your service code will now see a ClaimsPrincipal containing the identity that you provided as a result from your validation.
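The validation function can do more than compare against one hard-coded key. The following is an added example, not code from the original post or from Thinktecture.IdentityModel: it goes beyond the single-key case by mapping several keys to customer ids, keeping only SHA-256 hashes of the keys, and comparing without an early exit. The class name AccessKeyValidator, the sample keys and the "AccessKey" authentication type are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not part of Thinktecture.IdentityModel.
public static class AccessKeyValidator
{
    // Constructed sample store: Base64(SHA-256(key)) -> customer id.
    // A real store would hold only the precomputed hashes, never the keys.
    static readonly Dictionary<string, string> KeyHashes =
        new Dictionary<string, string>
        {
            { Hash("accesskey123"), "123" },
            { Hash("accesskey456"), "456" }
        };

    static string Hash(string key)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(key)));
    }

    // Compares two strings without stopping at the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Same contract as the lambda above: identity on success, null on failure.
    public static ClaimsIdentity Validate(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string presented = Hash(token);
        string customerId = null;
        foreach (var entry in KeyHashes)          // scan every entry, no early exit
            if (FixedTimeEquals(entry.Key, presented))
                customerId = entry.Value;
        if (customerId == null) return null;
        // The authentication type must be set, or IsAuthenticated stays false.
        return new ClaimsIdentity(
            new[] { new Claim("customerid", customerId) }, "AccessKey");
    }
}
```

To use it, pass `token => AccessKeyValidator.Validate(token)` as the validation argument when constructing the SimpleSecurityTokenHandler.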
Thanks for the article. Is it possible to retrieve the newly created claim or access key accesskey123 inside a web api controller so it can be used globally in any functions?
Sure – everything that is part of the claims collection can be accessed using ClaimsPrincipal.Current.Claims.
Thank you. Your Thinktecture.IdentityModel.45-master project has great samples.
Thanks for the article. Just wanted to save some precious hours and a little headache to future users of this example: As the example shows, make sure you use a ClaimsIdentity constructor that initializes the authenticationtype property, otherwise (for a reason I can’t see – a bug maybe?) the ClaimsIdentity.IsAuthenticated property will always return FALSE.
How would you set this up in .Net 4? I seem to get an error stating that Cannot implicitly convert type ‘Microsoft.IdentityModel.Claims.ClaimsIdentity’ to ‘Microsoft.IdentityModel.Claims.ClaimsPrincipal’ not to mention that AddAccessKey is not part of the HttpConfiguration
Please use the issue tracker.
In general I’d recommend using .NET 4.5 since we actively maintain that version.
How would you use this method to pass a Key and Password token together?