Zulfiqar's weblog

Architecture, security & random .Net

Using Simple Web Token (SWT) with WIF

Posted by zamd on February 8, 2011

SAML 1.1/SAML 2.0 is the default token format when using ACS as the authentication service for your website. In this model, your website talks to ACS using the WS-Federation protocol and what it normally gets back is a SAML token. This scenario is fairly straightforward, as WIF natively supports the WS-Federation protocol and the SAML 1.1/SAML 2.0 token formats.

There are cases where you might want to return a Simple Web Token (SWT) after a successful authentication. For example, you might want to use this same SWT (available as a bootstrap token) to call other downstream REST/OData services as depicted in the following diagram.


ACS fully supports returning an SWT token after a successful WS-Fed authentication, but WIF currently doesn’t support SWT tokens. You would have to write a custom Security Token Handler for WIF to process SWT tokens coming back to your website. I have created some extensions which enable this and other OAuth WRAP related scenarios. Feel free to download the code from my SkyDrive.
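The checks a custom handler has to make before it trusts an SWT, as an added C# example (not the code from the SkyDrive download or the NuGet package mentioned in the comments). It assumes the SWT layout of URL-encoded name=value pairs carrying `Issuer`, `Audience` and `ExpiresOn`, with `HMACSHA256` as the last parameter, and that the caller passes the relying party's symmetric signing key already base64-decoded; `SwtValidator` and its parameter names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper: the validation a custom SWT token handler would run.
static class SwtValidator
{
    const string SigParam = "&HMACSHA256=";
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    // Returns the token's name/value pairs, or throws if any check fails.
    public static IDictionary<string, string> Validate(string token, byte[] key,
        string expectedIssuer, string expectedAudience, DateTime utcNow)
    {
        // The signature is the last parameter and covers every character before it.
        int idx = token.LastIndexOf(SigParam, StringComparison.Ordinal);
        if (idx < 0) throw new FormatException("No HMACSHA256 parameter.");
        string signedPart = token.Substring(0, idx);
        byte[] presented = Convert.FromBase64String(
            Uri.UnescapeDataString(token.Substring(idx + SigParam.Length)));
        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(signedPart));
        if (!FixedTimeEquals(expected, presented))
            throw new UnauthorizedAccessException("Signature mismatch.");

        // Parse only after the signature verifies; a duplicate name makes ToDictionary throw.
        var claims = signedPart.Split('&').Select(p => p.Split(new[] { '=' }, 2))
            .ToDictionary(kv => Decode(kv[0]), kv => kv.Length == 2 ? Decode(kv[1]) : "");
        string v; long exp;
        if (!claims.TryGetValue("Issuer", out v) || v != expectedIssuer)
            throw new UnauthorizedAccessException("Unexpected issuer.");
        if (!claims.TryGetValue("Audience", out v) || v != expectedAudience)
            throw new UnauthorizedAccessException("Token was issued for another audience.");
        if (!claims.TryGetValue("ExpiresOn", out v) || !long.TryParse(v, out exp)
            || Epoch.AddSeconds(exp) <= utcNow)
            throw new UnauthorizedAccessException("Token expired or ExpiresOn missing.");
        return claims;
    }
    // Form decoding: '+' means space, then percent-escapes are resolved.
    static string Decode(string s) { return Uri.UnescapeDataString(s.Replace('+', ' ')); }

    // Compares every byte so the timing does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The audience check matters most when the same SWT is forwarded to downstream REST/OData services: each service should accept only tokens whose `Audience` names that service.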

13 Responses to “Using Simple Web Token (SWT) with WIF”

  1. David Peden said

    Hey Ahmed, thanks for publishing this code. I have three questions for you.

    1. I also just stumbled upon your NuGet package SWT Token Support for WIF/ACS – Do you guys intend to update to ACS 2.0?

    2. Have you guys seen Windows Identity Foundation Extension for OAuth CTP Version 1-3 (http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=32719)?

    3. Do you guys intend to put out a package for JWT support?

    I would love to hear your thoughts. Thanks!

  2. David Peden said

    Update, acs.codeplex.com actually links to Windows Identity Foundation Extension for OAuth CTP Version 1-4 for production (https://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=35417).

  3. […] found Daniel Cazzulino@Clarius has packaged some of my work in a reusable NuGet package. Pretty […]

  4. […] http://zamd.net/2011/02/08/using-simple-web-token-swt-with-wif/ […]

  5. […] WIF SDK, in addition, provides web controls for federated sign in and sign in status (Look at this article in case you want WIF to work with SWT for web applications (passive […]

  6. Priya said

    Hi Zulfiqar,

    Thank you for the great article….it’s been very helpful. I do have a question for you regarding security token handlers. If I have a client that wants to use the REST endpoint, and wants to send me an API key as a credential (via header or query string), can I implement a custom token handler that will interpret the API Key in the header/query string as a token and authenticate accordingly? Would I need to map this token handler to a specific token type? Basically, I want to use WIF so that I can support SWT/oAuth at a later date, but to start with, I want to support just the API key. Wondering if I’d be able to add additional token handlers in this scenario as well.

    Thanks a ton for your time,

    • zamd said

      To be honest, I wouldn’t use a token handler for this scenario as those are closely related to SOAP. I would rather look into WCF Web API and would use a Message Handler for this. Inside the implementation of the message handler I might use WIF APIs if required.

      • Priya said

        Thanks for your inputs. You’re right, I could use a message handler and set ClaimsPrincipal, except then I am guessing I wouldn’t be able to leverage a common ClaimsAuthorizationManager etc.

  7. Riccardo said

    Hi Zamd,
    Nice blogpost. It helped me in realizing claims based authentication with OData. I used the DPE.OAuth project on the OData service. This project is needed to parse SWT tokens, since WIF does not have built-in support for that. You can find it here if you are interested: http://riccardocorradin.wordpress.com/2012/09/20/claims-based-authentication-with-odata-and-windows-azure-3/
    Any suggestions and/or comments are most welcome.

  8. […] http://zamd.net/2011/02/08/using-simple-web-token-swt-with-wif/ http://netfx.codeplex.com/ […]

  9. mark said

    Does this work on ASP.NET 4.5? Seems like wif.swt generates web.config entries that are for the older version of the WIF SDK not bundled with .NET 4.5…
