WS-Federation is token agnostic – that means you can also use JWT tokens instead of the default SAML ones.
Why would you want to do that? Well – JWTs are slightly more compact, which I think is irrelevant for WS-Federation (the token is only transmitted once, then exchanged for a cookie). But maybe you want to do something like Vittorio’s “Poor man’s Delegation/ActAs”, where you want to forward the JWT token to a Web API.
Are there downsides? JWTs don’t embed the public key used for signature validation. That means you need to deploy those keys to the Trusted People folder on the target machine (as opposed to just checking for an issuer thumbprint match with SAML). That’s something to consider.
How does it work? In IdentityServer we currently don’t support specifying the token type per relying party (we are working on that) – but you can globally set the token type in general configuration:
Just copy the value from Default HTTP Token to Default WS* Token.
Here’s a relying party sample that works with JWT. What’s different to the same RP with SAML? Not much – I only registered the JWT handler in identityModel.config – that’s the beauty of WIF…
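As an added illustration (not the sample RP’s own file), this is what the relevant part of a WIF 4.5 identityModel.config looks like once the JWT handler is registered; the handler type name assumes the System.IdentityModel.Tokens.Jwt package, and the audience URI, issuer name and thumbprint are placeholders.

```xml
<!-- identityModel.config of the relying party (added illustration, not the
     sample's own file). Type names assume WIF 4.5 and the
     System.IdentityModel.Tokens.Jwt package; audience, issuer name and
     thumbprint are placeholders. -->
<system.identityModel>
  <!-- saveBootstrapContext keeps the raw incoming token on the ClaimsIdentity,
       which is what you need if you want to forward the JWT to a Web API. -->
  <identityConfiguration saveBootstrapContext="true">
    <audienceUris>
      <add value="https://rp.example.test/" /> <!-- placeholder -->
    </audienceUris>
    <securityTokenHandlers>
      <!-- The only change compared to the SAML relying party: register the
           JWT handler next to the default SAML 1.1/2.0 handlers. -->
      <add type="System.IdentityModel.Tokens.JwtSecurityTokenHandler, System.IdentityModel.Tokens.Jwt" />
    </securityTokenHandlers>
    <!-- A JWT carries no key material for signature validation, so the signing
         certificate is resolved from the machine store: PeerTrust means the
         issuer certificate must be installed in Trusted People. -->
    <certificateValidation certificateValidationMode="PeerTrust" />
    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <trustedIssuers>
        <!-- placeholder thumbprint of the IdentityServer signing certificate -->
        <add thumbprint="PLACEHOLDER_THUMBPRINT" name="https://idsrv.example.test/" />
      </trustedIssuers>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
```

Installing the issuer certificate into Trusted People is a per-machine deployment step, so rotating the IdentityServer signing certificate means touching every relying party host.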
Can we achieve this using an MVC application as the relying party?
To what web app type does the sample point to? ;)
Can I set Identity Server to issue both a SAML token and a JWT token simultaneously? If so, how can I ask IdSrv to issue a JWT token from a web app programmatically?
WS-Fed does not have the capability to ask for a specific token type. In that case either the global token type – or the one configured for the RP will be used.
WS-Trust, in contrast, has that feature.
Can the MVC relying party extract the encrypted JWT? I need it to pass on to a WCF REST service (also a relying party) as a valid token in a bearer HTTP header.
Have a look here
Thanks. Exactly what I was looking for. BootstrapContext is my friend :).