Zulfiqar's weblog

Architecture, security & random .Net


WIF based OAuth WRAP Issuer

Posted by zamd on August 13, 2010

WIF provides an API for building Security Token Services (STSs), which can then be exposed over either the WS-Trust (active STS) or the WS-Federation (passive STS) protocol. As mentioned in the last post, WIF currently doesn’t support the OAuth WRAP protocol, so out of the box a WIF-based SecurityTokenService cannot act as an OAuth WRAP issuer. In this post I’ll show some extensions I have created to expose a service built on WIF’s token issuance object model (SecurityTokenService, RequestSecurityTokenRequest etc.) as an OAuth WRAP issuer.

1: Create an issuer using the standard WIF approach. The only difference is that I’m using a symmetric key for signatures.

using System;
using Microsoft.IdentityModel.Claims;               // IClaimsIdentity, IClaimsPrincipal, ClaimsIdentity, Claim, ClaimTypes
using Microsoft.IdentityModel.Configuration;        // SecurityTokenServiceConfiguration
using Microsoft.IdentityModel.Protocols.WSTrust;    // RequestSecurityToken
using Microsoft.IdentityModel.SecurityTokenService; // SecurityTokenService, Scope

public class OAuthIssuer : SecurityTokenService
{
    public OAuthIssuer(SecurityTokenServiceConfiguration config) : base(config) { }

    // Claims that end up in the issued token. Hard-coded for the demo; a real issuer
    // derives them from the authenticated principal.
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        return new ClaimsIdentity(new Claim[] {
            new Claim(ClaimTypes.Name, "John"),
            new Claim("email", "John@test.com") });
    }

    // The scope names the relying party the token is for and says how the token is signed.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        var scope = new Scope
        {
            AppliesToAddress = request.AppliesTo.Uri.AbsoluteUri
        };

        scope.TokenEncryptionRequired = false;           // a Simple Web Token is signed, not encrypted
        scope.SymmetricKeyEncryptionRequired = false;
        // Symmetric (HMAC) signing key shared with the relying party; SymmetricSigningCredentials
        // is the author's helper. The demo value decodes to only 9 bytes, far short of the
        // 32 random bytes an HMAC-SHA256 key should have outside a walkthrough.
        scope.SigningCredentials = new SymmetricSigningCredentials("Sapm9PPZZHlo=");
        return scope;
    }
}

2: Host the issuer using the following code:

var config = new OAuthIssuerConfiguration()
{
    SecurityTokenService = typeof(OAuthIssuer)
};
config.TokenIssuerName = "MyCustomIssuer";

// Handler that authenticates the user name / password pair carried by the WRAP request.
// This demo validator never rejects anything: every user name and password is accepted.
// A real validator would check a credential store and reject bad credentials.
config.SecurityTokenHandlers.AddOrReplace(new CustomUserNameSecurityTokenHandler
{
    UserNamePasswordValidator = (uid, pwd) =>
    {
        Console.WriteLine(uid + " validated.");
    }
});

var sh = new OAuthServiceHost(config, new Uri("http://localhost:9111"));
sh.Open();   // a WCF ServiceHost serves nothing until it is opened

That’s it: a WIF-based OAuth WRAP issuer is ready.
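The exchange the hosted issuer handles, seen from the client side, as an added example that is not code from the post. It follows the OAuth WRAP username/password profile: wrap_name, wrap_password and wrap_scope are POSTed as a form, and a successful reply is a form-encoded body carrying wrap_access_token and wrap_access_token_expires_in. The issuer address is the one from step 2; the relying-party URL, the credentials and the CallRelyingParty helper are placeholders I made up, and since the page does not show the error body the post's service returns, the failure branch simply surfaces whatever the server sent.

```csharp
using System;
using System.Collections.Specialized;
using System.IO;
using System.Net;
using System.Text;
using System.Web;   // HttpUtility (reference System.Web.dll)

// Client side of the WRAP exchange. Added example; relying-party address,
// credentials and the relying-party call are assumptions, not the post's code.
public static class WrapClientDemo
{
    // Issuer hosted in step 2 of the post; the relying-party URL is a placeholder.
    static readonly Uri IssuerAddress = new Uri("http://localhost:9111/");
    const string RelyingParty = "http://localhost:8080/api/";

    // OAuth WRAP username/password profile: three form fields in, a form-encoded body out.
    public static string RequestAccessToken(string user, string password, string scope)
    {
        var form = new NameValueCollection
        {
            { "wrap_name", user },
            { "wrap_password", password },
            { "wrap_scope", scope }
        };

        using (var client = new WebClient())
        {
            byte[] raw;
            try
            {
                // UploadValues posts the collection as application/x-www-form-urlencoded.
                raw = client.UploadValues(IssuerAddress, "POST", form);
            }
            catch (WebException ex)
            {
                // The WRAP profile answers rejected credentials with 401; show the body
                // the server sent instead of swallowing it.
                var resp = ex.Response as HttpWebResponse;
                if (resp == null) throw;
                string body;
                using (var reader = new StreamReader(resp.GetResponseStream()))
                    body = reader.ReadToEnd();
                throw new InvalidOperationException(
                    "token request failed: HTTP " + (int)resp.StatusCode + " " + body, ex);
            }

            NameValueCollection reply = HttpUtility.ParseQueryString(Encoding.UTF8.GetString(raw));
            string token = reply["wrap_access_token"];
            if (string.IsNullOrEmpty(token))
                throw new InvalidOperationException("reply carried no wrap_access_token");
            Console.WriteLine("token expires in " + reply["wrap_access_token_expires_in"] + " s");
            return token;
        }
    }

    // Presenting the bearer token to the relying party in the WRAP Authorization header.
    public static string CallRelyingParty(string accessToken)
    {
        using (var client = new WebClient())
        {
            client.Headers[HttpRequestHeader.Authorization] =
                "WRAP access_token=\"" + accessToken + "\"";
            return client.DownloadString(RelyingParty);
        }
    }

    public static void Main()
    {
        // Constructed demo credentials; the handler registered in step 2 accepts any pair.
        string swt = RequestAccessToken("john", "demo-password", RelyingParty);
        Console.WriteLine("issued SWT: " + swt);
        // Console.WriteLine(CallRelyingParty(swt));   // once a relying party is listening
    }
}
```

The host in step 2 listens on plain http://localhost:9111, so the password in the POST body and the bearer token in the reply travel in clear. That is fine on a loopback test, but anywhere else the endpoint needs TLS, because the whole scheme rests on the password and the token staying confidential.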

OAuthServiceHost inherits from WCF’s WebServiceHost and exposes a fixed OAuth WRAP contract to the outside world.

using System;
using System.ServiceModel.Web;   // WebServiceHost

public class OAuthServiceHost : WebServiceHost
{
    internal OAuthIssuerConfiguration Configuration { get; set; }

    public OAuthServiceHost(OAuthIssuerConfiguration config)
        : this(config, null) { }

    // Hosts the fixed WRAP contract (OAuthIssuerContract) at the base address and keeps
    // the WIF configuration so the contract implementation can run the issuance pipeline.
    public OAuthServiceHost(OAuthIssuerConfiguration config, Uri baseAddress)
        : base(typeof(OAuthIssuerContract), baseAddress)
    {
        this.Configuration = config;
    }
}
The implementation of the OAuth WRAP contract transforms the incoming token issuance request into WIF’s token issuance object model (RequestSecurityTokenRequest etc.) and starts the token issuance pipeline. At the end of the pipeline it packages the final set of claims in a Simple Web Token and returns it.
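The last step described above, packaging the claims into a Simple Web Token, together with the check a relying party performs on receipt, as an added example (my code, not the post's and not WIF's; the post's own SWT handler is not shown, so this is a stand-in for it). It assumes the SWT layout of form-encoded fields with Issuer, Audience and ExpiresOn (seconds since the Unix epoch) followed by a trailing HMACSHA256 field, with the MAC computed over the UTF-8 bytes of everything before that field. The key, claim names and audience are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Web;   // HttpUtility (reference System.Web.dll)

// Minting and checking a Simple Web Token with a shared HMAC key.
// Added example; key, claims and audience below are constructed for the demo.
public static class SwtDemo
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    const string SignatureField = "&HMACSHA256=";

    // Builds "claim=value&...&Issuer=..&Audience=..&ExpiresOn=..&HMACSHA256=..".
    public static string Mint(byte[] key, string issuer, string audience,
                              IDictionary<string, string> claims, TimeSpan lifetime)
    {
        var sb = new StringBuilder();
        foreach (KeyValuePair<string, string> c in claims)
            sb.Append(HttpUtility.UrlEncode(c.Key)).Append('=')
              .Append(HttpUtility.UrlEncode(c.Value)).Append('&');
        long expiresOn = (long)(DateTime.UtcNow.Add(lifetime) - Epoch).TotalSeconds;
        sb.Append("Issuer=").Append(HttpUtility.UrlEncode(issuer))
          .Append("&Audience=").Append(HttpUtility.UrlEncode(audience))
          .Append("&ExpiresOn=").Append(expiresOn);
        string unsigned = sb.ToString();
        using (var hmac = new HMACSHA256(key))
        {
            string sig = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(unsigned)));
            return unsigned + SignatureField + HttpUtility.UrlEncode(sig);
        }
    }

    // Relying-party side: verify the MAC before trusting any field, then check issuer,
    // audience and expiry. Returns the remaining fields as claims.
    public static IDictionary<string, string> Validate(byte[] key, string token,
                                                       string expectedIssuer, string expectedAudience)
    {
        int at = token.LastIndexOf(SignatureField, StringComparison.Ordinal);
        if (at < 0) throw new SecurityException("token is not signed");
        string unsigned = token.Substring(0, at);
        byte[] presented;
        try { presented = Convert.FromBase64String(HttpUtility.UrlDecode(token.Substring(at + SignatureField.Length))); }
        catch (FormatException) { throw new SecurityException("malformed signature"); }

        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(unsigned));
        if (!FixedTimeEquals(presented, expected)) throw new SecurityException("bad signature");

        NameValueCollection fields = HttpUtility.ParseQueryString(unsigned);
        if (fields["Issuer"] != expectedIssuer) throw new SecurityException("unexpected issuer");
        if (fields["Audience"] != expectedAudience) throw new SecurityException("token is for another audience");
        long expiresOn;
        if (!long.TryParse(fields["ExpiresOn"], out expiresOn) || Epoch.AddSeconds(expiresOn) <= DateTime.UtcNow)
            throw new SecurityException("token expired or carries no expiry");

        var claims = new Dictionary<string, string>();
        foreach (string name in fields.AllKeys)
            if (name != "Issuer" && name != "Audience" && name != "ExpiresOn")
                claims[name] = fields[name];
        return claims;
    }

    // Compare MACs without leaking where they differ through timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed 32-byte demo key; in the post this is the key handed to SymmetricSigningCredentials.
        byte[] key = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef");
        var claims = new Dictionary<string, string> { { "name", "John" }, { "email", "John@test.com" } };
        string swt = Mint(key, "MyCustomIssuer", "http://localhost:8080/api/", claims, TimeSpan.FromMinutes(10));
        Console.WriteLine(swt);

        IDictionary<string, string> ok = Validate(key, swt, "MyCustomIssuer", "http://localhost:8080/api/");
        Console.WriteLine("valid, name=" + ok["name"]);

        // A token whose claim was altered in transit no longer matches its MAC and is rejected.
        string altered = swt.Replace("name=John", "name=Admin");
        try { Validate(key, altered, "MyCustomIssuer", "http://localhost:8080/api/"); }
        catch (SecurityException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Validate checks the MAC before it reads Issuer, Audience or ExpiresOn, so none of those fields is trusted until the signature holds, and FixedTimeEquals avoids the early-exit timing difference a plain array comparison would introduce. The 9-byte key in the post is fine for a walkthrough but not for a deployment: an HMAC-SHA256 key should be at least 32 random bytes, and it has to reach the relying party out of band over a protected channel, since anyone holding it can mint tokens the relying party will accept.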

Source code

Posted in WIF