I am trying to write a mobile application that will receive data from a website based on webapi.
The site must be secured through ACS (as there may be several identity providers).
My mobile application currently requests the following URL to get a list of identity providers: https://xx.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=javascriptnotify&realm=http://xx.azurewebsites.net/&version=1.0
I then allow the user to select an identity provider, and then, using the web browser control, I show them the login.
As soon as the user is logged in, I capture the response and retrieve the token, but now I'm not quite sure what to do. The token is as follows:
{"appliesTo":"http://****.azurewebsites.net/", "context":null, "created":1362069383, "expires":1362072983, "securityToken":"... a lot of text:-)", "tokenType":"urn:ietf:params:oauth:token-type:jwt"}
So, I assume that I should take the securityToken part and add it as the authorization header of the GET request?
Question 1: How should I attach the token? Do I just attach the securityToken bit, or do I need to base64-encode the whole thing and attach that as the authorization header?
Question 2: How do I configure Web API to handle the JWT? I have changed ACS to issue JWT tokens and I have set up the JWTSecurityTokenHandler, but I still get the following error (this is with passive authentication):
JWT10310: Unable to validate signature. validationParameters.SigningTokenResolver type: 'System.IdentityModel.Tokens.IssuerTokenResolver', was unable to resolve key to a token. The SecurityKeyIdentifier is: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0x2FEE3EE96B019D4BA0C046124B77C652EEF768E5) ) '. validationParameters.SigningToken was null.
thanks
Ross
Ross dargan
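An added example, not part of the original post and not code from ACS or Web API: a client-side diagnostic for the token wrapper shown in the question. It checks the wrapper's realm and validity window, builds the header under the assumption that the API accepts the standard `Bearer` scheme, and reads the signing-certificate thumbprint from the JWT header's `x5t` field (assumed present) so it can be compared with the one named in the JWT10310 error. The function names, realm and sample token are constructed for illustration.

```python
import base64, json, time

JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"

def b64url_decode(s):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def inspect_acs_response(raw, expected_realm, now=None):
    """Return (authorization_header, signing_cert_thumbprint_hex) for an ACS wrapper."""
    now = time.time() if now is None else now
    wrapper = json.loads(raw)
    if wrapper.get("tokenType") != JWT_TYPE:
        raise ValueError("securityToken is not a JWT")
    if wrapper.get("appliesTo") != expected_realm:
        raise ValueError("token was issued for a different realm")
    if not wrapper["created"] <= now < wrapper["expires"]:
        raise ValueError("token is outside its validity window")
    jwt = wrapper["securityToken"]
    segments = jwt.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(segments[0]))
    # x5t (RFC 7515) is the base64url SHA-1 thumbprint of the signing certificate.
    x5t = header.get("x5t")
    thumbprint = b64url_decode(x5t).hex().upper() if x5t else None
    # The compact JWT is already base64url text, so it is sent unchanged.
    return "Bearer " + jwt, thumbprint

# Constructed sample: placeholder JWT whose x5t is the thumbprint from the error above.
PAGE_THUMBPRINT = "2FEE3EE96B019D4BA0C046124B77C652EEF768E5"
REALM = "http://example.invalid/"  # placeholder realm, not the poster's site
_header = {"typ": "JWT", "alg": "RS256", "x5t": b64url_encode(bytes.fromhex(PAGE_THUMBPRINT))}
_payload = {"aud": REALM, "exp": 1362072983}
SAMPLE_JWT = ".".join([b64url_encode(json.dumps(_header).encode()),
                       b64url_encode(json.dumps(_payload).encode()),
                       b64url_encode(b"placeholder-signature")])
SAMPLE_RESPONSE = json.dumps({"appliesTo": REALM, "context": None, "created": 1362069383,
                              "expires": 1362072983, "securityToken": SAMPLE_JWT,
                              "tokenType": JWT_TYPE})

if __name__ == "__main__":
    auth, thumb = inspect_acs_response(SAMPLE_RESPONSE, REALM, now=1362070000)
    print(auth[:40] + "...", thumb)
```

This does not verify the signature; the thumbprint it returns is the one the server-side handler must be able to resolve to a trusted signing certificate.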