The simplest SecurityToken / Handler you can write

Integrating a credential into the whole WIF / .NET 4.5 token and claims ecosystem is “easy” – in the sense of you only have to write a SecurityToken and SecurityTokenHandler implementation.

While this is not really hard, it is not for everyone. Especially when you want to do simple things like just validating an access key on a querystring / header, this seems a bit like overkill. Until now.

Thinktecture.IdentityModel45 contains two classes to make that easier: SimpleSecurityToken and SimpleSecurityTokenHandler. The security token is a very thin wrapper around an arbitrary string-based token. The handler contains all the boiler-plate code to be a real token handler – and all you have to do is to provide the validation logic. You can e.g. setup a handler like this:

var handler = new SimpleSecurityTokenHandler(“my access key”, token =>


        if (ObfuscatingComparer.IsEqual(token, “accesskey123”))


            return new ClaimsIdentity(new Claim[]


                    new Claim(“customerid”, “123”)

                }, “Custom”);



        return null;


In the lambda expression above, you provide the validation code. If the validation succeeds, you return a ClaimsIdentity, otherwise null (or thrown an exception).

With the handler in place, you can e.g. wire up validation for your access key in ASP.NET Web API. The following code associates the handler with a query string called key – the value of that query string param will be passed to the above validation function:

config.AddAccessKey(handler, AuthenticationOptions.ForQueryString(“key”));


And that’s it, when a request like this:

comes in, your service code will now see a ClaimsPrincipal containing the identity that you provided as a result from your validation.

This entry was posted in IdentityModel, WebAPI. Bookmark the permalink.

7 Responses to The simplest SecurityToken / Handler you can write

  1. Syd says:

    Thanks for the article. Is it possible to retrieve the newly created claim or access key accesskey123 inside a web api controller so it can be used globally in any functions?

  2. Syd says:

    Thank you. Your Thinktechture.IdentiyModel.45-master project has great samples

  3. RonyK says:

    Thanks for the article. Just wanted to save some precious hours and a little headache to future users of this example: As the example shows, make sure you use a ClaimsIdentity constructor that initializes the authenticationtype property, otherwise (for a reason I can’t see – a bug maybe?) the ClaimsIdentity.IsAuthenticated property will always return FALSE.

  4. Jaymie says:

    Hi Dominic,
    How would you set this up in .Net 4? I seem to get an error stating that Cannot implicitly convert type ‘Microsoft.IdentityModel.Claims.ClaimsIdentity’ to ‘Microsoft.IdentityModel.Claims.ClaimsPrincipal’ not to mention that AddAccessKey is not part of the HttpConfiguration

  5. Scott says:

    How would you use this method to pass a Key and Password token together?

    For example:

Leave a Reply to Jaymie Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s