0

I am building two seperate ASP.Net WebApi applications, which will run under the same domain (not subdomain) plus one STS that handles the authentification and will be the user account store.

The client connects with breeze.js/angular.js to that APIs. So i think JWT (JSON Web Token) will be my choice for tokens as i don't want to use forms auth.

How do i accomplish trust between the STS and the apps just by the domain name? I found some WS-Federation trust samples but i think that is such an overkill of what i need to build.

Andreas Neumann
  • 364
  • 1
  • 3
  • 12

1 Answers1

2

Not sure what you mean with "by domain name".

The typical flow would be:

  • client requests a (JWT) token from an authorization server (using OAuth2)
  • client sends the token to the API using the authorization header

The JWT is signed by the authorization server - the API verifies the signature.

So trust between the API and the authorization server is established by being able to validate the token (using the signature, issuer name and audience name).

see also here: https://github.com/thinktecture/Thinktecture.AuthorizationServer/wiki

leastprivilege
  • 18,196
  • 1
  • 34
  • 50
  • Ok, thanks. I misunderstood something. I create the token on the auth server side, than send it to the client who's passing it to my APIs with the _Bearer_ header. Than i get the Principal with `JwtSecurityTokenHandler.ValidateToken(token, params)` Would `AllowedAudience` and `ValidIssuer` from the ValidationParameters be my domain `http://example.test` ? – Andreas Neumann Mar 13 '14 at 09:39
  • The audience is just a value that issuer and resource need to agree on. It has nothing to do with a domain name. – leastprivilege Mar 13 '14 at 14:47