IdentityServer: Using WS-Federation with JWT Tokens

WS-Federation is token agnostic – that means you can also use JWT tokens instead of the default SAML ones.

Why would you want to do that? Well – JWTs are slightly more compact, which I think is irrelevant for WS-Federation (the token is only transmitted once, then exchanged for a cookie). But maybe you want to do something like Vittorio’s “Poor man’s Delegation/ActAs”, where you forward the JWT token to a Web API.

Are there downsides? JWTs don’t embed the public key used for signature validation. That means you need to deploy those keys to the Trusted People folder on the target machine (as opposed to just checking for an issuer thumbprint match with SAML). That’s something to consider.

How does it work? In IdentityServer we currently don’t support specifying the token type per relying party (we are working on that) – but you can globally set the token type in the general configuration:

[Screenshot: IdentityServer general configuration page showing the Default HTTP Token and Default WS* Token settings]

Just copy the value from Default HTTP Token to Default WS* Token.

Here’s a relying party sample that works with JWT. What’s different from the same RP with SAML? Not much – I only registered the JWT handler in identityModel.config – that’s the beauty of WIF…
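For readers who want to see what that registration looks like, here is an added identityModel.config fragment; it is not the sample RP’s own file. The handler type name assumes the System.IdentityModel.Tokens.Jwt package, and the audience URI and thumbprint are placeholders.

```xml
<!-- Added example, not the sample RP's own identityModel.config. Type names assume the
     System.IdentityModel.Tokens.Jwt handler package; the URI and thumbprint are placeholders. -->
<system.identityModel>
  <identityConfiguration saveBootstrapContext="true">
    <!-- saveBootstrapContext keeps the incoming JWT on the ClaimsIdentity, which is what
         a "poor man's delegation" scenario needs in order to forward it to a Web API. -->
    <audienceUris>
      <!-- Reject tokens issued for another RP; this must match the realm sent to IdentityServer. -->
      <add value="https://rp.example.invalid/" />
    </audienceUris>
    <securityTokenHandlers>
      <!-- The only JWT-specific change: register the JWT handler next to the default
           SAML and session handlers so WIF can parse and validate the JWT assertion. -->
      <add type="System.IdentityModel.Tokens.JwtSecurityTokenHandler, System.IdentityModel.Tokens.Jwt" />
      <securityTokenHandlerConfiguration>
        <!-- PeerTrust: the IdentityServer signing certificate has to sit in the machine's
             Trusted People store, because the JWT carries no key material of its own. -->
        <certificateValidation certificateValidationMode="PeerTrust" />
      </securityTokenHandlerConfiguration>
    </securityTokenHandlers>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <trustedIssuers>
        <!-- Placeholder thumbprint: use the SHA-1 thumbprint of the IdentityServer signing certificate. -->
        <add thumbprint="0000000000000000000000000000000000000000" name="idsrv" />
      </trustedIssuers>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
```

Unlike the SAML case, the thumbprint alone is not enough here: without the certificate in Trusted People the handler has nothing to verify the signature with, and validation fails.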

This entry was posted in ASP.NET, IdentityModel, IdentityServer.

8 Responses to IdentityServer: Using WS-Federation with JWT Tokens

  1. Prasad says:

    Can we achieve this using an MVC application as the relying party?

  2. To what web app type does the sample point to? ;)

  3. Pingback: IdentityServer: Using WS-Federation with JWT Tokens (and symmetric Signatures) | www.leastprivilege.com

  4. Yumei says:

    Can I set Identity Server to issue both SAML tokens and JWT tokens simultaneously? If so, how can I ask IdSrv to issue a JWT token from the web app programmatically?

    • WS-Fed does not have the capability to ask for a specific token type. In that case either the global token type or the one configured for the RP will be used.
      WS-Trust, in contrast, has that feature.

  5. Per Erik Gransøe says:

    Can the MVC relying party extract the encrypted JWT? I need it to pass on to a WCF REST service (also a relying party) as a valid token in a bearer HTTP header.
