WIF based OAuth WRAP Issuer

WIF provides an API to develop Security Token Services (STSs) which can then be exposed using either WS-Trust (Active-STS) or WS-Federation(Passive-STS) protocols. As mentioned in last post, WIF currently doesn’t support OAuth WRAP protocol so out of box a WIF based SecurityTokenService cannot be used as an OAuth WRAP issuer. In this post, I’ll show you some extensions I have created to expose a service, based on WIF’s token issuance object model (SecurityTokenService, RequestSecurityTokenRequest etc), as an OAuth WRAP issuer.

1: Create an issuer using the standard WIF approach. The only difference is that I’m using a symmetric key for signatures.

public class OAuthIssuer : SecurityTokenService


    public OAuthIssuer(SecurityTokenServiceConfiguration config):base(config){}  


    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal

principal, RequestSecurityToken request, Scope scope)  


        return new ClaimsIdentity(new Claim[] {

            new Claim(ClaimTypes.Name, "John"),

            new Claim("email", "John@test.com") });



    protected override Scope GetScope(IClaimsPrincipal principal,

RequestSecurityToken request)


        var scope =  new Scope  


            AppliesToAddress = request.AppliesTo.Uri.AbsoluteUri  


        scope.TokenEncryptionRequired = false 

        scope.SymmetricKeyEncryptionRequired = false 

        scope.SigningCredentials =

new SymmetricSigningCredentials("Sapm9PPZZHlo=");  

        return scope;  




2: Host the issuer using following code:

var config = new OAuthIssuerConfiguration()  


    SecurityTokenService = typeof(OAuthIssuer 



config.TokenIssuerName = "MyCustomIssuer" 


config.SecurityTokenHandlers.AddOrReplace(new CustomUserNameSecurityTokenHandler  


    UserNamePasswordValidator = (uid, pwd) =>  


        Console.WriteLine(uid + " validated."); 




var sh = new OAuthServiceHost(config, new Uri("http://localhost:9111"));  



That’s it, A WIF based OAuth WRAP issuer is ready.

OAuthServiceHost inherits from WCF WebServiceHost and exposes a fixed OAuth WRAP contract to the outside world.

public class OAuthServiceHost : WebServiceHost  


    internal OAuthIssuerConfiguration Configuration { get; set; }  


    public OAuthServiceHost(OAuthIssuerConfiguration config)  

        : this(config, null) { }  


    public OAuthServiceHost(OAuthIssuerConfiguration config, Uri baseAddress)  

        : base(typeof(OAuthIssuerContract), baseAddress)  


        this.Configuration = config;  




The implementation of OAuth WRAP contract transforms the incoming token issuance request into WIF’s token issuance object model (RequestSecurityTokenRequest etc) and starts the token issuance pipeline. At the end of the pipeline, it packages the final set of claim in a  Simple Web Token and returns it back.

Source code


Originally posted by Zulfiqar Ahmed on August 13th 2010 here: http://zamd.net/2010/08/

Comments (0)

Skip to main content