Secure WebAPI with a JWT

Question

I'm trying to write a mobile application that will get data from a webapi rest based site.

The site should be secured via ACS (as there can be multiple identity providers).

My mobile app is currently querying the following url https://xx.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=javascriptnotify&realm=http://xx.azurewebsites.net/&version=1.0 to get a list of IPs.

I then allow the user to choose an IP, and then using a web browser control I show them a login.

Once the user has logged in I capture the response and extract the token, but now I'm not really sure what I should be doing. The token looks like this:-

{"appliesTo":"http://****.azurewebsites.net/",
"context":null,
"created":1362069383,
"expires":1362072983,
"securityToken":"... a lot of text:-)",
"tokenType":"urn:ietf:params:oauth:token-type:jwt"}

So, I'm guessing I should take the securityToken part and add it has part of the Authorization header to the get request?

Question 1 is how should I attach the token - do I just attach the security token bit, or do I have to base 64 encode the lot and again attach it as an Authorization header?

Question 2 How do I configure the webapi to handle a JWT? After I have modified ACS to issue JWT tokens, and I installed the JWTSecurityTokenHandler I still get the following error (this is with passive authentication):

 JWT10310: Unable to validate signature. validationParameters.SigningTokenResolver type: 'System.IdentityModel.Tokens.IssuerTokenResolver', was unable to resolve key to a token.
 The SecurityKeyIdentifier is: 
 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = X509ThumbprintKeyIdentifierClause(Hash =  0x2FEE3EE96B019D4BA0C046124B77C652EEF768E5)
    )
 '. validationParameters.SigningToken was null.

Thanks

Ross

Answer 1

Though you aren't using the Azure Authentication Library, this AAL code sample is helpful in showing how to use the new JWT Token Handler to authenticate requests to a Web API using an HTTP Message Handler in the request pipeline. The code explicitly handles JWTs issued by ACS. In particular, look at the TokenValidationHandler class in Global.asax.cs. The flow goes like this:

1. Incoming request from client app is inspected by message handler.
2. Authorization header is examined and validated using JWTTokenHandler.
3. If the JWT token is valid, JWTTokenHandler instantiates a new ClaimsPrincipal object. If the token isn't valid, an HTTP 401 Unauthorized response is returned.

Coming back to your first question, you just need the "securityToken" value (something like eyJ0eXAiOiJK...) to make an authorization header like Authorization: Bearer eyJ0eXAiOiJK.... When this is passed in a request to your Web API, the JWTTokenHandler will validate it via the Message Handler. Of course this assumes that your Web API has been configured properly to be aware of the ACS tenant and security domain you used to get the token from ACS in the first place.

Edit: Take a look at the patterns & practices guidance on securing REST services and accessing them from a mobile app - very similar scenario that might help give you more context.

• Accessing REST Services from a Windows Phone Device
• Securing REST Services