{"id":2501,"date":"2013-10-25T02:01:26","date_gmt":"2013-10-25T09:01:26","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/?p=2501"},"modified":"2013-10-25T02:03:03","modified_gmt":"2013-10-25T09:03:03","slug":"securing-a-web-api-with-adfs-on-ws2012-r2-got-even-easier","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2013\/10\/25\/securing-a-web-api-with-adfs-on-ws2012-r2-got-even-easier\/","title":{"rendered":"Securing a Web API with ADFS on WS2012 R2 Got Even Easier"},"content":{"rendered":"<p>Few weeks ago I gave you <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/07\/30\/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana\/\">a taste<\/a> of how you can use the modern ASP.NET OWIN stack for securing a Web API with tokens obtained from the latest ADFS version, the one in Windows Server 2012 R2. The flow I <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/07\/30\/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana\/\">described<\/a> was definitely easier than the one you\u2019d have to implement should you choose to use the JWT handler directly, but it still required quite a lot of code.<\/p>\n<p>Well, good news! With the RTM of VS2013, we now have few new toys we can play with to make things easier. And that\u2019s what I am going to do here.<\/p>\n<h2>Walkthrough<\/h2>\n<p>To make things more interesting, I am going to use the same sections structure I have used for the <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/07\/30\/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana\/\">old tutorial<\/a> but I\u2019ll do few things differently, so that if you want to mix &amp; match features you can take one section from here, and another from <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/07\/30\/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana\/\">there<\/a>. <\/p>\n<p>The scenario I want to implement is practically the same, to the point that I can paste the old description (almost) verbatim:<\/p>\n<blockquote>\n<p>The scenario we want to implement is pretty simple: we want to restrict access to an MVC<font color=\"#ff0000\">5<\/font> Web API to the users of a given on-premises AD instance, which happens to be using Windows Server 2012 R2 ADFS (just \u201cADFS\u201d from now on). Furthermore, we want to expose the Web API to the user via a <font color=\"#ff0000\">.NET application<\/font>.<\/p>\n<\/blockquote>\n<p>I have highlighted the differences in <font color=\"#ff0000\">red:<\/font><\/p>\n<ul>\n<li>This time I will take advantage of the new features in VS2013 to make things quicker, hence we\u2019ll be playing with the latest Web API; but yo can obtain the same result if you build the project \u201cby hand\u201d if you still w ant to target VS2012\n<li>Between the time I wrote the old tutorial and today lots of things happened \u2013 and one of the most relevant for this is that <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/09\/12\/active-directory-authentication-library-adal-v1-for-net-general-availability\/\">ADAL .NET hit GA<\/a>! Hence, here\u2019 I\u2019ll use ADAL .NET for building the test client. Note that if you want to stick with Windows Store you can follow the same instructions as the old tutorial, the resulting client will work just fine with the Web API described here.<\/li>\n<\/ul>\n<h3>Setting Up the Web API Project<\/h3>\n<p>As I described <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/09\/09\/whats-new-for-organizational-accounts-in-visual-studio-2013-rc\/\">here<\/a>, since RC VS2013 supports the <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/09\/09\/whats-new-for-organizational-accounts-in-visual-studio-2013-rc\/\">creation of Web API projects secured via Windows Azure AD organizational accounts<\/a>.<\/p>\n<p>Now, that\u2019s not *exactly* what we want to do here: here we want to secure the Web API with Windows <em>Server<\/em> AD. The templates do not currently support our target scenario directly as of today; that said, the project they generate comes pretty darn close to what we need, hence the fastest way is to create a Windows Azure AD-secured Web API project and tweak its code afterwards. Go ahead and create such a project, you can use <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/09\/09\/whats-new-for-organizational-accounts-in-visual-studio-2013-rc\/\">this<\/a> as a rough reference. I have only one small suggestion: when you go through the authentication settings wizard, expand \u201cmore options\u201d and change the default \u201cApp ID URI\u201d (which is based on the windows azure AD tenant, which you will not use beyond this point) into something that will make sense for your service on-premises. Something like the following:<a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image25.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; display: inline; padding-right: 0px; border-top-width: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb25.png\" width=\"640\" height=\"380\"><\/a><\/p>\n<p>Done? Excellent! Now you have a project ready to tweaked. Also, you have an application entry in your directory that you\u2019ll never use: next time you swing by the Windows Azure portal, remember to delete it to tidy up<img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile4.png\"><\/p>\n<p>Alright, tweaking time! Go under App_Start and open Startup.Auth.cs. You\u2019ll find the following code:<\/p>\n<pre class=\"csharpcode\"><span class=\"kwrd\">public<\/span> <span class=\"kwrd\">partial<\/span> <span class=\"kwrd\">class<\/span> Startup\r\n{\r\n    <span class=\"kwrd\">public<\/span> <span class=\"kwrd\">void<\/span> ConfigureAuth(IAppBuilder app)\r\n    {\r\n        app.UseWindowsAzureActiveDirectoryBearerAuthentication(\r\n            <span class=\"kwrd\">new<\/span> WindowsAzureActiveDirectoryBearerAuthenticationOptions\r\n            {\r\n                Audience = ConfigurationManager.AppSettings[<span class=\"str\">\"ida:Audience\"<\/span>],\r\n                Tenant = ConfigurationManager.AppSettings[<span class=\"str\">\"ida:Tenant\"<\/span>]\r\n            });\r\n    }\r\n}\r\n<\/pre>\n<style type=\"text\/css\">.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }\n<\/style>\n<p>Looks familiar? Of course it does. It is the code which inject OWIN middleware with the longest name on the planet, which also happens to secure <\/p>\n<p>calls by validating incoming tokens as coming from the indicated Windows Azure AD tenant.<\/p>\n<p>During last tutorial I created a custom class for overriding the default behavior of that middleware, to source the validation keys form the ADFS metadata instead of from the Windows Azure AD tenant metadata. However, I also mentioned that such trick would soon be no longer necessary.<br \/>Well, guess what: it is no longer necessary <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile4.png\"> &#8211; the inimitable Barry added a specialized middleware for ADFS, which looks just as simple as the Windows Azure one. Comment out the call to UseWindowsAzureActiveDirectoryBearerAuthentication and substitute it with the following:<\/p>\n<pre class=\"csharpcode\">app.UseActiveDirectoryFederationServicesBearerAuthentication(\r\n    <span class=\"kwrd\">new<\/span> ActiveDirectoryFederationServicesBearerAuthenticationOptions\r\n    {\r\n        Audience = ConfigurationManager.AppSettings[<span class=\"str\">\"ida:Audience\"<\/span>],\r\n        MetadataEndpoint = ConfigurationManager.AppSettings[<span class=\"str\">\"ida:MetadataEndpoint\"<\/span>]\r\n    });\r\n<\/pre>\n<style type=\"text\/css\">.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }\n<\/style>\n<p>Super-straightforward! All you need to do next is to go in the AppSettings in web.config and add the following entry for your ADFS\u2019s metadata doc address:<\/p>\n<pre class=\"csharpcode\"> <span class=\"kwrd\">&lt;<\/span><span class=\"html\">add<\/span> <span class=\"attr\">key<\/span><span class=\"kwrd\">=\"ida:MetadataEndpoint\"<\/span> \r\n<span class=\"attr\">value<\/span><span class=\"kwrd\">=\"https:\/\/sts.contoso100.com\/federationmetadata\/2007-06\/federationmetadata.xml\"<\/span> <span class=\"kwrd\">\/&gt;<\/span><\/pre>\n<style type=\"text\/css\">.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }\n<\/style>\n<p>&nbsp;<\/p>\n<p>That is all. Quite the improvement <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile4.png\"> keep the shell open, we\u2019ll need it gain soon.<\/p>\n<h3>Setting up the Web API in ADFS<\/h3>\n<p>In the old tutorial I gave you detailed step by step instructions on how to use the ADFS management UX to register the web API as a relying party trust. Given that it was quite a lot of screenshots, I didn\u2019t feel like doing it all over again: hence I asked my friend Jairo Cadena, PM on the ADFS team, for a little help in coming up with the most compact PowerShell script he could come out with for the purpose. The results are pretty awesome, all you need is a single well-crafted line! <br \/>Log in your server on which ADFS is running, and launch PowerShell from the server manager; then, modify the following line to use the coordinates of your web API and paste it right at the prompt:<\/p>\n<p><font face=\"Courier New\">Add-ADFSRelyingPartyTrust -Name MyWebAPI -Identifier <\/font><a href=\"http:\/\/myadfsvagaries\/webapi\"><font face=\"Courier New\">http:\/\/myadfsvagaries\/webapi<\/font><\/a><font face=\"Courier New\"> -IssuanceAuthorizationRules &#8216;=&gt; issue(Type = &#8220;<\/font><a href=\"http:\/\/schemas.microsoft.com\/authorization\/claims\/permit&quot;\"><font face=\"Courier New\">http:\/\/schemas.microsoft.com\/authorization\/claims\/permit&#8221;<\/font><\/a><font face=\"Courier New\">, Value = &#8220;true&#8221;);&#8217; -IssuanceTransformRules &#8216;c:[Type == &#8220;<\/font><a href=\"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress&quot;]\"><font face=\"Courier New\">http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress&#8221;]<\/font><\/a><font face=\"Courier New\"> =&gt; issue(claim = c);&#8217;<\/font><\/p>\n<p>Hit enter and \u2013 magic \u2013 your API is now provisioned as a known RP in ADFS. <\/p>\n<h3>Setting Up a Test Client Project in ADFS and in Visual Studio<\/h3>\n<p>We\u2019re almost done: here I am going to follow a simplified flow which will make things much faster.<\/p>\n<h4>Registering a client in ADFS<\/h4>\n<p>In the old tutorial I wanted to show you how to leverage the WebAuthenticationBroker\u2019s SSO mode, which requires you to use as Redirect URI the identifier of the Windows Store app, which in turn needs you to do some work to find out its value. However here I am using ADAL .NET, which does not really have a SSO mode (there\u2019s no need for it on the desktop, given that there are no sandboxing rules to relax with special modes). Also, .NET apps don\u2019t have such identifiers. Hence, pretty much any URI will do! Given that you still have the PowerShell open, go ahead and paste something to the effect of the following:<\/p>\n<p><font face=\"Courier New\">Add-ADFSClient -Name &#8220;MyClient&#8221; -ClientId &#8220;E1CF1107-FF90-4228-93BF-26052DD2C714&#8221; -RedirectUri &#8220;http:\/\/anarbitraryreturnuri\/&#8221;<\/font><\/p>\n<p>Done. ADFS has an entry for the client too.<\/p>\n<h4>Create the Client Project<\/h4>\n<p>Here any rich client project type will do: WPF, WInForm, even a console app (though in that case make sure you place [STAThread] where you\u2019ll run ADAL). I am building a WPF app here, for old times\u2019 sake <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile4.png\"><\/p>\n<p>Add a reference to the ADAL NuGet. Make sure you don\u2019t pick the beta! (I know, I know\u2026 we\u2019ll tidy up soon).<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image26.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb26.png\" width=\"640\" height=\"425\"><\/a><\/p>\n<p>Add a button and double click on it to generate an event handler. Here, add the following:<\/p>\n<pre class=\"csharpcode\"><span class=\"kwrd\">private<\/span> async <span class=\"kwrd\">void<\/span> Button_Click(<span class=\"kwrd\">object<\/span> sender, RoutedEventArgs e)\r\n{\r\n    <span class=\"kwrd\">string<\/span> authority = <span class=\"str\">\"https:\/\/sts.contoso100.com\/adfs\"<\/span>;\r\n    <span class=\"kwrd\">string<\/span> resourceURI = <span class=\"str\">\"http:\/\/myadfsvagaries\/webapi\"<\/span>;\r\n    <span class=\"kwrd\">string<\/span> clientID = <span class=\"str\">\"E1CF1107-FF90-4228-93BF-26052DD2C714\"<\/span>;\r\n    <span class=\"kwrd\">string<\/span> clientReturnURI = <span class=\"str\">\"http:\/\/anarbitraryreturnuri\/\"<\/span>;\r\n\r\n    <font style=\"background-color: #00ff00\">AuthenticationContext ac = \r\n        <span class=\"kwrd\">new<\/span> AuthenticationContext(authority, <span class=\"kwrd\">false<\/span>);\r\n    AuthenticationResult ar = \r\n        ac.AcquireToken(resourceURI, clientID, <span class=\"kwrd\">new<\/span> Uri(clientReturnURI));<\/font>\r\n\r\n<font style=\"background-color: #00ff00\">    <span class=\"kwrd\">string<\/span> authHeader = ar.CreateAuthorizationHeader();<\/font>\r\n    HttpClient client = <span class=\"kwrd\">new<\/span> HttpClient();\r\n    HttpRequestMessage request =\r\n        <span class=\"kwrd\">new<\/span> HttpRequestMessage(HttpMethod.Get, <span class=\"str\">\"https:\/\/localhost:44302\/api\/Values\"<\/span>);\r\n    request.Headers.TryAddWithoutValidation(<span class=\"str\">\"Authorization\"<\/span>, authHeader);\r\n    HttpResponseMessage response = await client.SendAsync(request);\r\n    <span class=\"kwrd\">string<\/span> responseString = await response.Content.ReadAsStringAsync();\r\n    MessageBox.Show(responseString);\r\n}\r\n<\/pre>\n<p><style type=\"text\/css\">.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }\n<\/style>\n<\/p>\n<p>By now you know that the actual ADAL code&nbsp; is only in the three <font style=\"background-color: #00ff00\">highlighted<\/font> lines above, to 1) initialize the authority to point to ADFS 2) obtain a token for the resource and 3) put it in form of header &#8211; everything else is there for legibility and for the REST call to the API.<\/p>\n<p>Don\u2019t forget to add usings for Microsoft.IdentityModel.Clients.ActiveDirectory and System.Net.Http. You need to add a reference to System.Net.Http BTW. Also, note the async keyword in the handler declaration.<\/p>\n<h4>Testing the Solution<\/h4>\n<p>Let\u2019s test the solution. Start the Web API in debug mode. <\/p>\n<blockquote>\n<p>Small aside: if you have a spank-new system (as it\u2019s the case for me <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile4.png\"> Surface Pro 2, baby!) chances are that when starting the web API you\u2019ll get the following:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image27.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb27.png\" width=\"640\" height=\"384\"><\/a><\/p>\n<p>That\u2019s because the Web API is creating the SSL channel using the development certificate from IIS Express, which is of course untrusted. For web based apps that can stay that way, given that you always have the option of hitting \u201ccontinue\u201d. However for Web API scenarios that\u2019s more problematic, given that clients will refuse to establish an SSL channel with an untrusted SSL certificate. Here you have 2 options: install the certificate among the trusted roots of the development machine (easy to do: hit continue, click \u201ccertificate error\u201d on the IE bar, click view certificates, click install certificate, choose local machine\/trusted roots certification authorities) or disable the channel check in the client application. Personally I much prefer the former, given that with the latter you risk forgetting to fix the code before deploying to production.<\/p>\n<\/blockquote>\n<p>Once the API is running, start the client as well. <\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image28.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb28.png\" width=\"640\" height=\"430\"><\/a><\/p>\n<p>Hit the button. You\u2019ll be prompted by the usual ADAL dialog, pointed to our ADFS test instance. Sign in.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image29.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb29.png\" width=\"396\" height=\"480\"><\/a><\/p>\n<p>Once you enter your credentials, voila\u2019!<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image30.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb30.png\" width=\"640\" height=\"429\"><\/a><\/p>\n<p>The dialog demonstrates that the Web API was successfully called, concluding our little walkthrough. If you want to make sure the check is really taking place, try to mess with the auth string before sending it and observe the results <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile4.png\"><\/p>\n<h3>Wrap<\/h3>\n<p>Wow. I wrote the first <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/07\/30\/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana\/\">tutorial<\/a> on how to use ADFS for securing Web API at the end of July: in less than 3 months, things got dramatically simpler \u2013 just compare the length of the old tutorial (which in itself depended on yet <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/07\/23\/securing-a-web-api-with-windows-azure-ad-and-katana\/\">another one<\/a>) with the length of this!<\/p>\n<p>Not only things got simpler, the products involved (Windows Server 2012 R2 and ADAL .NET) are now generally available for your to use in production. If you are working on a solution using those technologies, we want to hear form you! Hit me on my <a href=\"https:\/\/www.cloudidentity.com\/blog\/contact\/\">contact page<\/a> and I\u2019ll be happy to route you accordingly <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-bottom-style: none; border-right-style: none; border-left-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile4.png\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Few weeks ago I gave you a taste of how you can use the modern ASP.NET OWIN stack for securing a Web API with tokens obtained from the latest ADFS version, the one in Windows Server 2012 R2. The flow I described was definitely easier than the one you\u2019d have to implement should&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2498,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/comments?post=2501"}],"version-history":[{"count":1,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2501\/revisions"}],"predecessor-version":[{"id":2502,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2501\/revisions\/2502"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media\/2498"}],"wp:attachment":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media?parent=2501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/categories?post=2501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/tags?post=2501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}