We're trying to extend our current infrastructure to be able to use WebApi/OAuth2 for our mobile apps. Currently we have been using SAML tokens for the mobile apps, but it's too heavy. I was hoping somebody here could point me in the right direction for getting an ActAsToken for our already WIF-protected WCF services ... We've come to a point where we have imported the AuthorizationServer from ThinkTecture into our solution, and we're now holding a fully legit JWT token which we use from our codeExample calling the WebApi. We've made the first call into the protected WebApi project and we can access the claims on the ClaimsPrincipal from within the WebApi.

So far, so good ... I've seen multiple examples on how to get into the secured WebApi and I've done that successfully with OAuth2. But now I need to get from the WebApi down to the Middletier WCF services, which are protected by WIF using SAML tokens (we still want to use the SAML tokens for the WCF services; we've already got the speed increase by getting the OAuth2 refresh_tokens/access tokens into our mobile devices).

I'm wondering how we'll go from here, making an active sign-in against our StandardTokenService to get a SAML ActAs token so the WebApi can call our middletier WCF services, which are protected with SAML tokens. I found a similar post on this matter here: "Identity Delegation ActAs with JsonWebToken", but so far it's still unanswered. The post above has a similar setup to ours - we need to get a DelegationToken (ActAs) from our IDP, from our holding JWT OAuth2 token inside the WebApi project.

Am I missing something? I want to get the ActAs token from within the secured WebApi to be able to call all our WCF services in the middletier, which are already protected by WIF using SAML tokens. We want the mobile devices to contain the JWT refresh token/access tokens to speed things up (instead of full-blown SAML tokens), but then we need to get the ActAs tokens, calling from the WebApi, to be able to communicate with the WCF services on the middletier. The ideal solution would be to be able to create a RequestSecurityToken (RST) with enough information populated from the JWT to be able to issue a legit ActAs token (before, we populated the RequestSecurityToken (RST) from the SAML bootstraptoken) for the WebApi to use.

Kind regards,

Lord02

0 Answers