Authentication with OWIN and WsFederation for MVC, web api and signalR apps

For my company, I have to make a POC to check if we can use wsFederation authentication for our project, which has an MVC app, some webapi controllers, and some signalR hubs, all in different projects. We'd also like to use the OWIN authentication middleware in both the client apps and the Identity provider app.

I use Thinktecture Identity Server v2 as the Identity provider for a start (but we'll have to develop our own at some point). For the MVC app, it's pretty straightforward and it works fine, using a SAML2 token.

But now things get a bit more complicated, as I'd like an authenticated user on the web app to be able to call a controller method from the web api app (which is different from the MVC one, remember), using ajax calls.

I've read many things about delegating and actAs tokens, but I'm a bit lost and don't know where or how to start this part. Also, I can't find anything about delegation using OWIN authentication.

So my first question is: is it possible to achieve this? And then: could someone point me in the right direction?

asked May 19 '14 22:05 by PAP


1 Answer

I followed Vittorio Bertocci's instructions when I was working on it.

http://www.cloudidentity.com/blog/2013/01/09/using-the-jwt-handler-for-implementing-poor-man-s-delegation-actas/

A couple of notes about it: where it says JWTSecurityTokenHandler, it is now JwtSecurityTokenHandler. It is a small typo, but it is a good way to lose 15 minutes if you are not aware of it.

I was also not able to use the X509 FindByThumbprint section either. I think that I did not have my local certificate registered properly. Once I am at work tomorrow I will post what I had to change in order to get it to work.

Dominick Baier (http://leastprivilege.com/) also does a course on Pluralsight called Web API v2 Security that does a great job of talking about how to inject into the security pipeline and setting up the web api project to handle this.

As another option, you could replace the TokenValidationHandler class that Vittorio uses with the Microsoft.Owin.Security.Jwt package and implement the following code in the Startup.cs file of the Web API project.

using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Accept only tokens addressed to this API (ida:Realm), issued by the trusted
        // issuer (ida:ValidIssuer) and signed with the shared key (ida:SymmetricKey,
        // stored base64-encoded in appSettings). Anything else is rejected before
        // OnValidateIdentity runs.
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] { ConfigurationManager.AppSettings["ida:Realm"] },
                IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                {
                    new SymmetricKeyIssuerSecurityTokenProvider(
                        ConfigurationManager.AppSettings["ida:ValidIssuer"],
                        ConfigurationManager.AppSettings["ida:SymmetricKey"])
                },
                Provider = new OAuthBearerAuthenticationProvider
                {
                    // Runs after signature, issuer, audience and lifetime checks pass;
                    // context.Ticket.Identity carries the validated claims and is the
                    // place to add or transform claims for the API.
                    OnValidateIdentity = context =>
                    {
                        var identity = context.Ticket.Identity;
                        return Task.FromResult<object>(null);
                    }
                }
            });
    }
}
answered Dec 02 '22 15:12 by DavidEdwards
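As an added illustration (not code from the question, the answer, or Vittorio's post) of what the configuration above makes the Web API do: the MVC app, once WS-Federation has authenticated the user, re-issues the user's claims as an HS256 JWT addressed to the API, and the API accepts it only if the signature under the shared ida:SymmetricKey, the ida:ValidIssuer, the ida:Realm audience and the lifetime all check out. It is written in Python with the standard library so it runs stand-alone; the issuer/realm/key values, the 300-second lifetime and the "act" claim naming the calling application are assumptions made for the demonstration, not settings taken from the page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the three appSettings the OWIN middleware reads.
VALID_ISSUER = "urn:mvcapp"   # ida:ValidIssuer: the MVC app that mints the token
REALM = "urn:webapi"          # ida:Realm: the Web API the token is addressed to
# ida:SymmetricKey is stored base64-encoded; the shared secret itself is constructed here.
SYMMETRIC_KEY_B64 = base64.b64encode(b"this-is-a-demo-key-not-for-production!").decode()
SYMMETRIC_KEY = base64.b64decode(SYMMETRIC_KEY_B64)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_delegation_token(user_identity, key, now=None, lifetime=300):
    """MVC-app side: re-issue the WS-Federation-authenticated user's claims as an
    HS256 JWT for the Web API. 'act' (assumed claim name) records which application
    is acting on the user's behalf."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": VALID_ISSUER,
        "aud": REALM,
        "nbf": now,
        "exp": now + lifetime,
        "sub": user_identity["name"],
        "roles": list(user_identity.get("roles", [])),
        "act": {"sub": VALID_ISSUER},
    }
    signing_input = _encode_json(header) + "." + _encode_json(payload)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_bearer_token(token, key, now=None):
    """Web-API side: the checks the JwtBearer middleware performs before
    OnValidateIdentity runs. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: 'none' and any non-HMAC alg are rejected before the key is used.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != VALID_ISSUER:
        raise ValueError("untrusted issuer")
    if payload.get("aud") != REALM:
        raise ValueError("token not addressed to this API")
    if not (payload.get("nbf", 0) <= now < payload.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return payload


def token_accepted(token, key, now=None):
    """True if the API would authenticate the request carrying this bearer token."""
    try:
        validate_bearer_token(token, key, now)
        return True
    except ValueError:
        return False


def tamper(token, alg=None, **claim_changes):
    """What a caller without the key can do: edit the claims, or switch the alg
    to 'none' and drop the signature. Used to show that both are rejected."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    payload = json.loads(_b64url_decode(p))
    payload.update(claim_changes)
    if alg is not None:
        header["alg"] = alg
        s = ""
    return _encode_json(header) + "." + _encode_json(payload) + "." + s


if __name__ == "__main__":
    identity = {"name": "alice", "roles": ["admin"]}   # constructed claims from the WS-Fed session
    token = mint_delegation_token(identity, SYMMETRIC_KEY, now=1000)
    print(validate_bearer_token(token, SYMMETRIC_KEY, now=1100)["sub"])
    print(token_accepted(tamper(token, roles=["admin", "superuser"]), SYMMETRIC_KEY, now=1100))
```

The point the OWIN options encode is the same: the API never trusts the claims in a bearer token on their own, only the fact that they were signed with a key the issuer holds, are addressed to this realm and are still within their lifetime. Because the scheme is symmetric, every party holding ida:SymmetricKey can mint tokens the API accepts, so the key must be shared only with the MVC app and rotated like any other credential.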