IdentityServer: Using WS-Federation with JWT Tokens

WS-Federation is token agnostic – that means you can also use JWT tokens instead of the default SAML ones.

Why would you want to do that? Well – JWT’s a slightly more compact which I think is irrelevant for WS-Federation (the token is only transmitted once, then exchanged with a cookie). But maybe you want to do something like Vittorio’s “Poor man’s Delegation/ActAs” where you want to forward the JWT token to a Web API.

Are there downsides? JWTs don’t embed the public key used for signature validation. That means you need to deploy those keys to the Trusted People folder on the target machine (as opposed to just checking for a issuer thumbprint match with SAML). That’s something to consider.

How does it work? In IdentityServer we currently don’t support specifying the token type per relying party (we are working on that) – but you can globally set the token type in general configuration:


Just copy the value from Default HTTP Token to Default WS* Token.

Here’s a relying party sample that works with JWT. What’s different to the same RP with SAML? Not much – I only registered the JWT handler in identityModel.config – that’s the beauty of WIF…

This entry was posted in ASP.NET, IdentityModel, IdentityServer. Bookmark the permalink.

8 Responses to IdentityServer: Using WS-Federation with JWT Tokens

  1. Prasad says:

    Can we achieve this using MVC application as relying party

  2. To what web app type does the sample point to? ;)

  3. Pingback: IdentityServer: Using WS-Federation with JWT Tokens (and symmetric Signatures) |

  4. Yumei says:

    Can I set Identity Server issue both SMAL token and JWT token simultaneously? If so, how can I ask IdSrv issue a JWT token from web app programmatically?

    • WS-Fed does not have the capability to ask for a specific token type. In that case either the global token type – or the one configured for the RP will be used.
      WS-Trust in contrast has that features.

  5. Per Erik Gransøe says:

    Can the MVC relying party extract the encryptet JWT? I need it to pass on to a WCF rest service (also relying party) as a valid token in a bearer http header.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s