This project has moved and is read-only. For the latest updates, please go here.

Support delegation scenarios in Microsoft.Owin.Security.Jwt

Dec 7, 2013 at 7:46 PM
Edited Dec 8, 2013 at 11:30 AM
Yop ;)

Currently being migrating a few apps to OWIN JWT middleware, I have noticed that ActAs delegation scenarios are not currently supported, although Microsoft.Owin.Security.Jwt internally relies on the great JWT/WIF stack, which supports ClaimsIdentity.Actor serialization and deserialization.
After investigation, I have discovered that this is caused by an incorrect use in JwtFormat.Unprotect, which returns a limited copy of the ClaimsIdentity deserialized by JwtSecurityTokenHandler.

I see two options to solve this : directly return the original ClaimsIdentity (but its AuthenticationType will be set to Federation) or copy ClaimsIdentity.Actor and ClaimsIdentity.BootstrapContext in the returned identity.

Any chance you could take a look?


Edit: I'm also making tests to tweak TicketSerializer to support ClaimsIdentity.Actor (when JWT is not used) and JwtFormat to work in write-mode (thus JWT can be used with OAuthAuthorizationServerHandler). Let me know whether I can contribute or if someone is already working on this ;)
Dec 12, 2013 at 7:44 PM
I asked around and found out that actors are not part of JWT, they come from SAML. JWT has no official mechanic to support this.
Dec 12, 2013 at 8:03 PM
Edited Dec 12, 2013 at 9:18 PM
Niark niark, you've been misinformed... :P

Indeed, JwtSecurityTokenHandler - that we are successfully using with FederationAuthenticationModule - is definitely able to handle ClaimsIdentity.Actor through specific methods (CreateActorValue and ClaimsIdentityFromJwt), dedicated to the special "" claim.

After a few tests, it appears that my first suggestion was enough to support ActAs scenarios but I've discovered that it's easier to use the most complete ClaimsIdentity's constructor (IIdentity identity, IEnumerable<Claim> claims, string authenticationType, string nameType, string roleType), which copies ClaimsIdentity.Claims and ClaimsIdentity.Actor while allowing you to change the AuthenticationType :
var returnedIdentity = new ClaimsIdentity(identity: claimsIdentity, claims: null, authenticationType: "JWT", nameType: null, roleType: null);
That said, I think we could also support that in TicketSerializer through a recursive call when Microsoft.Owin.Security.Jwt is not used.