Katana has pretty straightforward extensibility for adding support for token formats. It ships with built-in support for JWT (consuming) and its own internal token format (consuming & producing).
By implementing ISecureDataFormat, you can add your own. The following class is a bridge from Katana to WIF’s security token handler:
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using Microsoft.Owin.Security;

public class WifTokenFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly SecurityTokenHandler _handler;

    public WifTokenFormat(SecurityTokenHandler handler)
    {
        if (handler == null)
        {
            throw new ArgumentNullException("handler");
        }
        _handler = handler;
    }

    // Consuming only: this bridge never issues tokens.
    public string Protect(AuthenticationTicket data)
    {
        throw new NotSupportedException();
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        if (string.IsNullOrWhiteSpace(protectedText))
        {
            throw new ArgumentNullException("protectedText");
        }

        // Parse the stringified token, then let the handler validate signature,
        // issuer, audience and lifetime according to its configuration.
        var token = _handler.ReadToken(protectedText);
        var identities = _handler.ValidateToken(token);

        return new AuthenticationTicket(
            identities.First(),
            new AuthenticationProperties());
    }
}
You can then use the token format class with Katana’s built-in OAuth2 bearer authentication middleware like:
public static IAppBuilder UseTokenHandlerAuthentication(this IAppBuilder app, SecurityTokenHandler handler)
{
    var options = new OAuthBearerAuthenticationOptions
    {
        // The bearer middleware hands the raw Authorization header value to this format.
        AccessTokenFormat = new WifTokenFormat(handler)
    };

    app.UseOAuthBearerAuthentication(options);
    return app;
}
And since WIF supports SAML 1.1 and SAML 2 out of the box, with a little syntactic sugar you end up here:
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        //app.UseSaml11BearerAuthentication(
        //    audience: new Uri("urn:testrp"),
        //    issuerThumbprint: "973…5F8",
        //    issuerName: "sts");

        app.UseSaml2BearerAuthentication(
            audience: new Uri("urn:testrp"),
            issuerThumbprint: "973…5F8",
            issuerName: "sts");

        app.UseWebApi(WebApiConfig.Register());
    }
}
That gives you a Web API that accepts SAML 2 (or SAML 1.1) bearer tokens. Of course, any other WIF token handler that supports stringified tokens would work too, as would any other OWIN/Katana-compatible framework. QED.
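The post does not show what the syntactic sugar looks like, so here is one way to write the UseSaml2BearerAuthentication extension method. This is an added example, not the post's sample code; it assumes the WifTokenFormat and UseTokenHandlerAuthentication methods above and a reference to WIF 4.5 (System.IdentityModel), and it uses the thumbprint-based issuer registry plus an explicit audience restriction so that tokens signed by anyone else, or minted for another relying party, fail in ValidateToken.

```csharp
using System;
using System.IdentityModel.Selectors;   // AudienceUriMode
using System.IdentityModel.Tokens;      // Saml2SecurityTokenHandler, SecurityTokenHandlerConfiguration,
                                        // ConfigurationBasedIssuerNameRegistry
using Owin;

public static class Saml2BearerExtensions
{
    // Hypothetical helper (not part of Katana or WIF): builds a SAML 2 handler that only
    // accepts tokens issued for `audience` and signed by the certificate with `issuerThumbprint`.
    public static IAppBuilder UseSaml2BearerAuthentication(
        this IAppBuilder app, Uri audience, string issuerThumbprint, string issuerName)
    {
        if (audience == null)
        {
            throw new ArgumentNullException("audience");
        }
        if (string.IsNullOrWhiteSpace(issuerThumbprint))
        {
            throw new ArgumentNullException("issuerThumbprint");
        }

        // Pin the issuer: only the certificate with this thumbprint maps to a trusted issuer name.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(issuerThumbprint, issuerName);

        var config = new SecurityTokenHandlerConfiguration
        {
            IssuerNameRegistry = issuers
        };

        // Always enforce the audience: a token minted for a different RP is rejected.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(audience);

        // Certificate validation stays at the configuration's default (chain/peer trust);
        // relax it only if your STS certificate is deliberately self-signed.
        var handler = new Saml2SecurityTokenHandler { Configuration = config };

        // Reuse the bridge from the post.
        return app.UseTokenHandlerAuthentication(handler);
    }
}
```

A UseSaml11BearerAuthentication variant is the same method with SamlSecurityTokenHandler in place of Saml2SecurityTokenHandler.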
Sample is here.