I am looking at developing an application that exposes services using REST. These services will be accessed via browser and non-browser clients. I expect that there will be a number of installations of this software that are owned and managed by different groups. I want to enable users from one system to access services on another. They will not share the same identity store. I would like it if a user could authenticate to their instance and then use a token to make requests to their instance and remote instances. This seems like a good use for JSON Web Tokens (JWT). Each system would need to be configured to trust each other's tokens, which are signed by certificates.
I have read that this can be done using OAuth with JWT Bearer tokens, but that seems like more overhead than is needed. Why exchange the bearer token for an access token instead of just using the bearer tokens? I question whether OAuth is a good fit regardless, because it's not controlling whether the system can access the user's data elsewhere, like many of the examples on the web, but whether the user has access to the data stored within the system.
The next part of the problem is determining how to create these JWT tokens; it seems like something like a WS-Trust STS would be appropriate. I have not seen any that are simple and just authenticate users and return tokens. Potentially it could be useful to also have support for extending the expiration of a token and validation of tokens?
In the past I was able to enable this type of capability using SOAP with WS-Security and SAML Assertions. I want to see if the same can be accomplished using REST and JWT tokens. There are many posts on the web advising against rolling your own security framework, so I've been a bit hesitant to press forward. I saw that Microsoft has added handlers to take care of the protection of services using JWT tokens, so it seems that they see some value in this approach.
Does anyone have insight on ways to accomplish this sort of identity federation for REST services in a standards compliant and simple way?
Yes, that is the approach I recommend to my customers. In fact, JWT is how Windows Azure Mobile Services secures its endpoints. JWT are relatively simple to handle (compared to SAML tokens, for example), but retain interesting properties compared to access_tokens (like having a signature).
This doc shows an example of how to do it with WebApi and our product (if you are using MS technologies). The principles are generic though, and you could apply them regardless of whether you use our STS or not.
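The federation scheme the question and answer describe, as an added Go example (not the poster's code, not Microsoft's, and not from any STS product): each instance signs tokens for its own users, and a peer instance accepts a token only when the `iss` claim maps to a public key in its locally configured trust map. It assumes Ed25519 keys (the public halves would come from each peer's certificate; RS256 is wired identically), placeholder instance names such as `instance-a`, and a `nowUnix` clock passed in by the caller.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// Claims is the minimal payload a home instance issues for one of its users.
type Claims struct {
	Iss string `json:"iss"` // issuing (home) instance
	Sub string `json:"sub"` // user id in the issuer's own identity store
	Aud string `json:"aud"` // instance the token is meant for
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

// Issue signs the claims with the home instance's private key as a compact JWS (alg "EdDSA").
func Issue(c Claims, key ed25519.PrivateKey) string {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(key, []byte(in)))
}

// Verify checks a token presented to instance self against its configured trust map (issuer -> peer public key): pin the alg, pick the key by iss, verify the signature, then enforce aud and exp.
func Verify(token, self string, trusted map[string]ed25519.PublicKey, nowUnix int64) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var c Claims
	hb, err1 := b64.DecodeString(p[0])
	pb, err2 := b64.DecodeString(p[1])
	sig, err3 := b64.DecodeString(p[2])
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hb, &hdr) != nil ||
		json.Unmarshal(pb, &c) != nil || hdr.Alg != "EdDSA" { // alg is pinned, never chosen by the token
		return nil, errors.New("undecodable token or alg is not EdDSA")
	}
	pub, ok := trusted[c.Iss] // an issuer with no configured key is simply not trusted
	if !ok || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("untrusted issuer or bad signature: " + c.Iss)
	}
	if c.Aud != self || nowUnix >= c.Exp {
		return nil, errors.New("token not meant for this instance, or expired")
	}
	return &c, nil
}
```

Adding a peer is a configuration change on the receiving instance (one more entry in its trust map), and no identity store is shared: the issuer vouches for `sub`, the receiver decides what that subject may do locally.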