Obtaining JWT tokens from ADFS for WAP

On the Windows Azure Platform a JWT token (http://openid.net/specs/draft-jones-json-web-token-07.html ) is needed for accessing the TenantAPI or AdminAPI. The token is obtained from the ADFS web service using the System.IdentityModel.Protocols.WSTrust RequestSecurityToken and RequestSecurityTokenResponse + related .Net classes. There is however a more direct way of obtaining the token that can be used on any platform.

The steps have previously outlined in http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/ but unfortunately this page seems to currently be unavailable.

The ADFS provide a number of web service endpoints. Here we use /adfs/services/trust/13/usernamemixed on the ADFS host, over HTTPS.

This web service expects the following SOAP request for issuing a token:

The SOAP Header must contain $sendTo which is the URL where the WebService endpoint is located, $Username & $password is the username/password of the user for which the token is being generated. The SOAP Body must contain $applyTo which is in the WAP context, either “”http://azureservices/TenantSite” or http://azureservices/AdminSite depending on if the Tenant or Admin API is being used. The $tokenType is “urn:ietf:params:oauth:token-type:jwt” in case of JWT and the request type is set to issue a new token. The specifications listed in the XML can be used for gathering more information.

The xml SOAP request above with the appropriate variable assignments can then be sent to the web service that responds with a SOAP response. The SOAP response envelope body element contains a RequestSecurityTokenResponseCollection element with a RequestSecurityTokenResponse. Inside this element the token is found as the text of the RequestedSecurityToken element. This text is Base64 encoded UTF8. The text hence needs to be base64 decoded in order to obtain the token.

In PowerShell the token can hence be obtained using the following code:

The token can subsequently be used with either the WAP Admin API or the Tenant API when making Rest requests. For example WAP plans can be obtained using the following PowerShell code:

This post is written our colleague Anders Aspnäs.


Leave a Reply

Your email address will not be published. Required fields are marked *