
I'm integrating an OData service with ACS. Everything works fine, but when I get the token, the value in the Authorization header is encrypted. Example (it's already URL-decoded):

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=mYuAaeTWh6vbXFGCMZPqeTm5dpPnq8e3MaB2cmiwBWQ=&http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier=mYuAaeTWh6vbXFGCMZPqeTm5dpPnq8e3MaB2cmiwBWQ=&http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider=uri:WindowsLiveID&Audience=owl:service&ExpiresOn=1329848740&Issuer=https://wk-owl-access.accesscontrol.windows.net/&HMACSHA256=6Anfv5K47I1e+FkwrnA8/5ZIvlnjfUanFZsDB/p/0J0=

A claim like http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name is encrypted. How can I decrypt it?


1 Answer


Your nameidentifier is not encrypted; it's hashed. Unfortunately, LiveID doesn't issue any user claims apart from a unique ID that's hashed for each audience it issues tokens to (in this case ACS).

Other identity providers built into ACS do issue claims, but to get claims from LiveID I believe you would need to use the new Live Connect REST API (http://msdn.microsoft.com/en-us/library/live/hh243648.aspx). Unfortunately, this LiveID login API is not yet integrated with ACS; you would have to interact with it directly.

What's interesting is that your name and nameidentifier claims are the same. Do you have a rule in ACS to output the LiveID-issued nameidentifier as a name claim?
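The token in the question is a Simple Web Token (SWT): form-encoded claims followed by an HMACSHA256 parameter computed with the relying party's symmetric key over everything before it. The example below is added here and is not code from the question, the answer or ACS itself. It signs and verifies an SWT in that format (the signing key and the claim set are constructed for the demo), rejects tampering, expiry and audience/issuer mismatches, and shows that the nameidentifier value from the question decodes to exactly 32 bytes, the size of a SHA-256 output, which is consistent with the answer's point that it is a per-audience hash rather than a recoverable name. Nothing in the code can "decrypt" the value, because there is nothing to decrypt.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Claim type URIs exactly as they appear in the token in the question.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
SIG_SEP = "&HMACSHA256="

# Constructed demo signing key (base64 of 32 bytes). A real ACS token signing
# key is a per-relying-party 256-bit secret; this is NOT one of those.
DEMO_KEY_B64 = base64.b64encode(bytes(range(32))).decode("ascii")


def swt_sign(claims, key_b64):
    """Build an SWT: form-encode the (name, value) claims in order, then append
    HMACSHA256 over exactly that string."""
    body = urlencode(claims)
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + SIG_SEP + quote(base64.b64encode(mac).decode("ascii"), safe="")


def swt_verify(token, key_b64, audience, issuer, now=None):
    """Verify signature, expiry, audience and issuer; return the claims as a dict.

    Raises ValueError on any failure so a caller can never pick claims out of
    a token that did not pass every check.
    """
    idx = token.rfind(SIG_SEP)
    if idx < 0:
        raise ValueError("token carries no HMACSHA256 parameter")
    body, sig_b64 = token[:idx], unquote(token[idx + len(SIG_SEP):])

    key = base64.b64decode(key_b64)
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    try:
        presented = base64.b64decode(sig_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("signature is not valid base64")
    # Constant-time comparison: a plain == would leak timing on the MAC bytes.
    if not hmac.compare_digest(expected, presented):
        raise ValueError("HMACSHA256 mismatch (wrong key or tampered token)")

    # Only now is it safe to parse and trust the body.
    claims = dict(parse_qsl(body, keep_blank_values=True))
    now = int(time.time()) if now is None else now
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    if claims.get("Audience") != audience:
        raise ValueError("token issued for a different audience")
    if claims.get("Issuer") != issuer:
        raise ValueError("token from an unexpected issuer")
    return claims


def is_opaque_digest(value):
    """True when the claim value is base64 of exactly 32 bytes, i.e. the length
    of a SHA-256 output. That is consistent with a per-audience hash, as the
    answer describes, rather than with a human-readable name."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(raw) == 32


if __name__ == "__main__":
    # Constructed claim set mirroring the question's token (same audience,
    # issuer, expiry and hashed identifier; key is the demo key above).
    claims = [
        (NAME_CLAIM, "mYuAaeTWh6vbXFGCMZPqeTm5dpPnq8e3MaB2cmiwBWQ="),
        (NAMEID_CLAIM, "mYuAaeTWh6vbXFGCMZPqeTm5dpPnq8e3MaB2cmiwBWQ="),
        ("Audience", "owl:service"),
        ("ExpiresOn", "1329848740"),
        ("Issuer", "https://wk-owl-access.accesscontrol.windows.net/"),
    ]
    token = swt_sign(claims, DEMO_KEY_B64)
    verified = swt_verify(token, DEMO_KEY_B64, "owl:service",
                          "https://wk-owl-access.accesscontrol.windows.net/",
                          now=1329848000)
    print("nameidentifier:", verified[NAMEID_CLAIM])
    print("32-byte digest, not a name:", is_opaque_digest(verified[NAMEID_CLAIM]))
```

Note that `swt_verify` checks the signature before parsing the body: ACS signs the URL-encoded form, so decoding first and re-encoding would change the bytes under the MAC and break verification, and parsing an unverified body invites attacks on the parser itself.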