How to Authenticate Web API using OAuth 2.0

Tuesday, October 15, 2013

My friend Bnaya Eshet asked me about Web API authentication, so I decided to write a post about it… To authenticate a simple HTTP request in a Web API service you have to send a token in the HTTP Authorization header. Theoretically you can send any type of token as long as the application can validate it and make sense out of it, but practically you will send a JWT. JWT (JSON Web Token) is a simple token format that is becoming the leading token format for OAuth 2.0 providers. A JWT represents a set of claims...

Auth0 – An Exciting SSO Infrastructure

Monday, September 30, 2013

When we think about SSO we have to think about simplicity, multi-platform integration, deployment scenarios (cloud / on-premises) and standards compliance. Unfortunately the Microsoft solutions (ADFS, WAAD, ACS) are focused on SAML 1.1 and assume that applications have the ability to parse and validate such tokens. (WAAD and ADFS have OAuth previews that are currently not stable; ACS can use OAuth WRAP, which is not relevant here.) This assumption is problematic in the mobile era. Web platforms today do not include the strong XML stacks that are required to handle SAML tokens, and so applications, and especially mobile applications, cannot handle...

Bug in ADFS. OAuth access token can be requested in UTC time zone only

Monday, September 9, 2013

My friend Assaf Israel showed me a bug in the new ADFS version in Windows Server 2012 Preview. When calling the ADFS endpoint /oauth/authorize to get an authorization token, the server calls the method BeginAdd in the class Microsoft.IdentityServer.Server.ArtifactResolutionService.ArtifactService to create an artifact with an authorization token and store it in the database. The server sets the expiration date to UTC time + 5 min: if (DateTime.Compare(artifact.Expire,DateTime.MinValue) == 0) artifact.Expire = DateTime.UtcNow.AddSeconds((double).artifactService.LifetimeInSeconds); When calling /oauth/authorize to get an...

Active Federation with ADFS 2.0 in C#

Tuesday, August 27, 2013

A customer asked me how to establish active federation in C# with two ADFS servers. The scenario is simple:
- One ADFS acts as an STS (it authenticates the client).
- The second ADFS acts as an R-STS and provides a token to the RP (application) using the token created by the first STS.
The code is simple and is based on .NET 4.5 WIF (System.IdentityModel). In the first step the client authenticates to the STS and gets a SAML token:...

Passive Federation Client

Monday, June 3, 2013

As we all know, it is simple to call a federated web site authenticated by AD FS 2.0 or any other identity provider using passive federation. The client is a browser that knows nothing about federation. All the browser knows is how to send HTTP requests and submit HTML forms. It would be interesting to write a small library that mimics the browser behavior and allows applications to call web sites using passive federation. Such web sites can implement RESTful web services or any other HTTP-based API. Currently applications use ACTIVE federation, which means they have...

How to Analyze SAML Traffic

Sunday, June 2, 2013

To learn and debug ADFS 2.0 and the SAML protocol it is important to look at the traffic running between the client, the STS and the RP (web application). When using AD FS 2.0 the traffic must be sent on a secure channel (SSL). Fortunately Fiddler can decrypt the content and present the actual traffic on the wire, yet when activating Fiddler with SSL decryption (as shown here) you will be continuously prompted for credentials by the AD FS 2.0 Federation Server. This prompt comes in the form of an HTTP 401 challenge dialog box. ...

The Identity and Access tool was updated

Tuesday, May 7, 2013

I worked on a customer machine and used the Identity and Access tool to enable identity federation. When I looked at the config that was produced by the tool I saw something strange. Instead of the good old configuration: <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"> <trustedIssuers> <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" /> </trustedIssuers> </issuerNameRegistry> the tool produced the following: <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, ...

My Talk in the SDP 2013

Monday, May 6, 2013

Today I spoke about web identities and about Azure Data Sync. In the web identities talk I spoke about the identity concept and about the OpenID, SAML and OAuth standards. In the Azure Data Sync talk I spoke about the value of sync, the Microsoft Synchronization Framework (MSF) and the Azure Data Sync service (which is based on MSF). Tomorrow I will speak about cryptography in .NET and explore different types of encryption algorithms and signing APIs. You can find the slide deck here: Web Identities ...

Discover Identity Providers from ACS

Wednesday, September 19, 2012

A customer asked me how to dynamically discover the identity providers of a certain namespace in ACS. The request is simple: let's assume we have an application (RP) at http://localhost/myApp. If we send the following request to ACS: https://xxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=http%3a%2f%2flocalhost%2fmyapp%2f&version=1.0 we will get a JSON array in the response with one entry per configured identity provider (Google, Yahoo! and so on), each carrying a Name and a LoginUrl. Now we can use (HTTP GET) the LoginUrl of each provider, which will send us directly to its login page. If we call ACS with: https://xxx.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%2fmyapp%2f we will get the good...

Fiddler Disables Windows 8 WebAuthenticationBroker

I was trying to write a small sample that uses WebAuthenticationBroker to get a token from ACS and use it in a REST call to a web service. I followed the API but nothing worked. Not a single socket was opened. Then I noticed that Fiddler was on. I switched it off and, eureka, everything works! I do not know why, but it is impossible to debug the Windows 8 WebAuthenticationBroker with Fiddler. Make sure Fiddler is off before using WebAuthenticationBroker. Enjoy, Manu