Decrypting OWIN Authentication Ticket

Home / Decrypting OWIN Authentication Ticket

Being able to decrypt the OWIN AuthenticationTicket can be very useful. In the cases where the cookie/tickets are shared across applications, this is especially true.

Interestingly, if you’re using OWIN for both cookie-based authentication and access tokens, the Ticket is stored in both mediums.

With that in mind, the easiest method to decrypt a ticket to access claims, etc is to simply stand up a protected Resource server with a single Api endpoint to display the contents of the ticket. Going this route, the decryption is automatically handled by OWIN with very little code. The endpoint can be accessed by a user’s browser (decrypting the cookie) or by a server passing in a Bearer token.

Here’s an example that simply displays all of the user’s claims from either an AccessToken or Cookie:

// Allow CORS for all origins.
[EnableCors(origins: "*", headers: "*", methods: "*")]
public class UserController : ApiController
    public object Get()
        var identity = this.User.Identity as ClaimsIdentity;            
        var roleClaims = identity.Claims.Where(x => x.Type == ClaimsIdentity.DefaultRoleClaimType).Select(x => x.Value).ToList();
        var nonRoleClaims = identity.Claims.Where(x => x.Type != ClaimsIdentity.DefaultRoleClaimType).Select(x => new { Type = x.Type, Value = x.Value }).ToList();
        return new { name = identity.Name, roles = roleClaims, claims = nonRoleClaims };

In the case where we’re designing an SSO system, in which multiple applications are sharing the auth cookie and machineKeys, which OWIN uses for encryption/decryption, and also hooking into the Middleware, we can decrypt the Access Token returned from the authorization code flow directly. To accomplish this, we implement the IDataProtector interface and use the System.Web.Security.MachineKey.Unprotect method.

/// <summary>
/// Helper method to decrypt the OWIN ticket
/// </summary>
private class MachineKeyProtector : IDataProtector
    private readonly string[] _purpose =

    public byte[] Protect(byte[] userData)
        throw new NotImplementedException();

    public byte[] Unprotect(byte[] protectedData)
        return System.Web.Security.MachineKey.Unprotect(protectedData, _purpose);

To utilize this, we just create an instance and pass in the Token to get the decrypted Ticket:

var secureDataFormat = new TicketDataFormat(new MachineKeyProtector());
AuthenticationTicket ticket = secureDataFormat.Unprotect(accessToken);

The AuthenticationTicket itself contains the ClaimsIdentity and a Dictionary of Properties. This can be useful for a number of things from testing to hooking into the MiddleWare and creating our own local ticket/cookie without the need to go back against the protected Resource provider.

On a side note, I did notice that the version of OWIN across machines has to match. IE – I had one application running OWIN v3 and another running v2. They could neither decrypt the tickets between them nor utilize the shared domain cookie.

Leave a Reply