Search code examples
c#asp.netowinkatanaadfs3.0

How to get bearer token from WsFederationAuthentication to send to API

Been fighting with trying to extract the bearer token after authenticating against ADFS...

I have an API that will accept a Bearer token and validate it against ADFS.

I have a Web Forms (.net 4.5.1) app that I am modifying to use ADFS 3.0 to implement SSO authentication. So far it authenticates properly against the ADFS server (presents to ADFS login page and logs in).

My issue is that I now want the WebForms app to call my Web API using the bearer token I hope is present somewhere in the returned response from ADFS, but where is it and how can I retrieve it?

I tried using the SecurityTokenValidated and the SecurityTokenReceived WsFederationAuthenticationNotifications events as in the following:

public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType, // "WS-Fed Auth (Primary)",
                    Wtrealm = realm,
                    MetadataAddress = metadata,
                    Notifications = new WsFederationAuthenticationNotifications
                    {
                        AuthenticationFailed = context =>
                        {
                            context.HandleResponse();
                            context.Response.Redirect("Home/Error?message=" + context.Exception.Message);
                            return Task.FromResult(0);
                        },

                        SecurityTokenValidated = token =>
                            {
                                Token = token.AuthenticationTicket.ToString();
                                return Task.FromResult(0);
                            },

                        SecurityTokenReceived = token =>
                        {
                            Token = token.ToString();
                            return Task.FromResult(0);
                        }
                    }
                });
}

But I can't find the token anywhere in the objects returned by the events... What am I missing?

Thanks for all help.

Solution

  • The token you receive as part of your web sign on is not suitable for calling a web API, for two reasons: A) the audience of the token is the webform app, while the web API should only accept tokens where the audience correspond to the web API - doing otherwise will open you up to man in the middle attacks and B) the token you get form ADFS is a SAML token, which can be pretty big hence unsuitable to be included an in HTTP header (the canonical way of including a bearer token for calling a web API). If you decide to ignore the above and use that token anyway - in Acquiring an Access token by using JWT used for AzureBearerAuthentication you can find the code necessary to extract the bits of the incoming token. It works with both openid connect and oauth middleware.