Zulfiqar's weblog

Architecture, security & random .Net

WIF based OAuth WRAP Issuer

Posted by zamd on August 13, 2010

WIF provides an API to develop Security Token Services (STSs) which can then be exposed using either WS-Trust (Active-STS) or WS-Federation(Passive-STS) protocols. As mentioned in last post, WIF currently doesn’t support OAuth WRAP protocol so out of box a WIF based SecurityTokenService cannot be used as an OAuth WRAP issuer. In this post, I’ll show you some extensions I have created to expose a service, based on WIF’s token issuance object model (SecurityTokenService, RequestSecurityTokenRequest etc), as an OAuth WRAP issuer.

1: Create an issuer using the standard WIF approach. The only difference is that I’m using a symmetric key for signatures.

public class OAuthIssuer : SecurityTokenService


    public OAuthIssuer(SecurityTokenServiceConfiguration config):base(config){}


    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)


        return new ClaimsIdentity(new Claim[] {


            new Claim(ClaimTypes.Name, "John"),

            new Claim("email", "John@test.com") });



    protected override Scope GetScope(IClaimsPrincipal principal,

        RequestSecurityToken request)


        var scope =  new Scope


            AppliesToAddress = request.AppliesTo.Uri.AbsoluteUri



        scope.TokenEncryptionRequired = false;

        scope.SymmetricKeyEncryptionRequired = false;

        scope.SigningCredentials = new SymmetricSigningCredentials("Sapm9PPZZHlo=");

        return scope;



2: Host the issuer using following code:

var config = new OAuthIssuerConfiguration()


    SecurityTokenService = typeof(OAuthIssuer)


config.TokenIssuerName = "MyCustomIssuer";


config.SecurityTokenHandlers.AddOrReplace(new CustomUserNameSecurityTokenHandler


    UserNamePasswordValidator = (uid, pwd) =>


        Console.WriteLine(uid + " validated.");




var sh = new OAuthServiceHost(config, new Uri("http://localhost:9111"));


That’s it, A WIF based OAuth WRAP issuer is ready.

OAuthServiceHost inherits from WCF WebServiceHost and exposes a fixed OAuth WRAP contract to the outside world.

public class OAuthServiceHost : WebServiceHost


    internal OAuthIssuerConfiguration Configuration { get; set; }


    public OAuthServiceHost(OAuthIssuerConfiguration config)

        : this(config, null) { }


    public OAuthServiceHost(OAuthIssuerConfiguration config, Uri baseAddress)

        : base(typeof(OAuthIssuerContract), baseAddress)


        this.Configuration = config;



The implementation of OAuth WRAP contract transforms the incoming token issuance request into WIF’s token issuance object model (RequestSecurityTokenRequest etc) and starts the token issuance pipeline. At the end of the pipeline, it packages the final set of claim in a  Simple Web Token and returns it back.

Source code

6 Responses to “WIF based OAuth WRAP Issuer”

  1. Ravi said

    I wanted to ask if this a proper example for WCF REST in .NET Framework 4.0? and what is this WIF?

    • zamd said

      The interceptor feature used from the starter kit is unfortunatley not available in .Net 4.0.
      From wikipedia:
      Windows Identity Foundation (WIF) is a Microsoft technology that offers APIs for ASP.NET and WCF developers that can be used to build claims-aware and federation capable applications.

      • Ravi said

        Thanks Zulfiqar, but do you know how can I implement Authentication/ Authorization in WCF REST 4.0?

        Best Regards,

  2. Michael. said

    Your code sample has a project called Microsoft.IdentityModel.OAuth. Where did this come from???

    • zamd said

      It’s my custom project and should be part of the .zip file.

      • Michael. said

        It’s a little confusing that it has a Microsoft.IdentitModel.* namespace but it’s not a Microsoft project…Would you consider renaming it an including a license file so others can use it in their projects?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: