
Securing Web API using Azure Part – 1: Simple Web Tokens

In this post I am going to talk about some of the nuances of securing a Web API using Azure. To keep the post short and sweet, I am going to cover how to configure a relying party and generate an SWT token using Azure.

First I created a new ASP.NET Web API project in Visual Studio 2013, and I am going to go to my Azure management portal to configure this newly created web application as a relying party. This relying party configuration is similar to the one in my previous post, Implementing Single Sign-On using Azure, and I highly recommend reading it before you read this one.

Next I am going to add a service identity with a username and password; the simple web token will be generated using this identity information for authentication.

Service Identity for the ASP.NET Web API Service

Now we are going to add our ASP.NET Web API service as a relying party, as shown below.

Configure our ASP.NET Web API as Relying Party.

As you can see above, I am using SWT as the token format and the Windows Azure Access Control Service as my identity provider. We also need to create a rule group, so we click on “Rule groups”, add a description and save the rule.

Create rule group

Now we are going to map incoming claims to outgoing claims like we did in the previous post, except that instead of an Azure website it is an ASP.NET Web API Service.

Claim Mapping in Rule

As you can see above, there is nothing special here: all I am saying is that when an input identifier claim has a value of “ServiceUser”, we want to return “prashant.brall” as the action claim value. This is done for illustration purposes only; in a real-life application the claim mapping could assign a specific API key per consumer so that this key is sent as part of the SWT token for additional verification purposes.

Now we go to the “Application Integration” option of the Azure Access Control Service and use OAuth WRAP (Web Resource Authorization Protocol), as shown below.

OAuth Web Resource Authorization Protocol.

Let's put it all together and see the SWT token live in action. Instead of writing a program to test, I am going to use Fiddler, as I really like to see what is going across the wire at the raw HTTP POST level.

Generate SWT Token using Fiddler

And this is what the SWT token looks like when I open it in Notepad.

Returned SWT Token from Azure ACS

As you can see, I have highlighted the returned claim value “prashant.brall” and some returned encrypted token, which we will cover in the next post. Below is the raw HTTP POST from Fiddler in case you want to use it with your own Access Control Service.

POST https://prashantbrall.accesscontrol.windows.net/WRAPv0.9/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: prashantbrall.accesscontrol.windows.net
Content-Length: 95
Expect: 100-continue
Connection: Keep-Alive
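
The returned SWT is a form-encoded list of claims that ends in an HMACSHA256 value. The sketch below is an added example, not code from the original post: it parses a WRAP response body and checks signature, issuer, audience and expiry before trusting the claim. The signing key, the audience and the claim name "action" are constructed placeholders.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, quote, unquote, unquote_plus

# Constructed values for this sketch: the key and audience are placeholders, not real ACS settings.
KEY_B64 = base64.b64encode(b"constructed-demo-signing-key-32b").decode()
ISSUER = "https://prashantbrall.accesscontrol.windows.net/"
AUDIENCE = "http://localhost/api"   # hypothetical relying-party realm

def _mac(unsigned: str, key_b64: str) -> bytes:
    """HMAC-SHA256 over the token text exactly as transmitted."""
    return hmac.new(base64.b64decode(key_b64), unsigned.encode("ascii"), hashlib.sha256).digest()

def build_sample_response(expires_on: int, key_b64: str = KEY_B64) -> str:
    """Construct a WRAP response body carrying a signed SWT (test data only)."""
    pairs = [("action", "prashant.brall"), ("Issuer", ISSUER),
             ("Audience", AUDIENCE), ("ExpiresOn", str(expires_on))]
    unsigned = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)
    sig = base64.b64encode(_mac(unsigned, key_b64)).decode()
    swt = f"{unsigned}&HMACSHA256={quote(sig, safe='')}"
    return f"wrap_access_token={quote(swt, safe='')}&wrap_access_token_expires_in=600"

def validate_swt(wrap_body: str, key_b64: str, issuer: str, audience: str, now=None) -> dict:
    """Return the SWT claims from a WRAP response body, or raise ValueError."""
    fields = parse_qs(wrap_body, strict_parsing=True)   # decodes the outer form encoding once
    swt = fields.get("wrap_access_token", [""])[0]
    unsigned, sep, sig = swt.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token carries no HMACSHA256 signature")
    # Check the signature before trusting any claim; compare in constant time.
    if not hmac.compare_digest(_mac(unsigned, key_b64), base64.b64decode(unquote(sig))):
        raise ValueError("signature mismatch")
    claims = {unquote_plus(k): unquote_plus(v)
              for k, v in (p.split("=", 1) for p in unsigned.split("&"))}
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != audience:
        raise ValueError("token issued for a different relying party")
    if int(claims.get("ExpiresOn", "0")) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    body = build_sample_response(int(time.time()) + 600)
    print(validate_swt(body, KEY_B64, ISSUER, AUDIENCE))
```

The signature is checked over the claim text as it was sent, before any claim is decoded, so a token whose claim value has been altered is rejected before that value is read.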


  1. June 1, 2014 at 1:00 am

    I’ve been surfing online more than 4 hours today, yet I never found any interesting article like yours.
    It’s pretty worth enough for me. In my opinion, if all
    site owners and bloggers made good content as you did, the
    net will be much more useful than ever before.
