Comments for www.leastprivilege.com

Comment on UserName SupportingToken in WCF by smitha

smitha — Sun, 19 May 2013 03:11:50 +0000

Thank you .. so much.. I have a soap xml request which need username token with nonce, 2 binary securitytokens(supporting tokens).. and body of the soap encrypted, ciphered. I am doing this is using C#, wcf. Hopefully this usernametoken sample can provide me some insight..Please let me know if you have some info to accomplish this.

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Rasheed

Rasheed — Sat, 18 May 2013 11:57:17 +0000

Thank you for the hints. With fiddler and a few trials, I was able to generate an hardcoded security token that is exactly the same as the token generated by the identity server v2. So now I can use the CurrentPrincipal.Current from the web app and send the identity of the current user to the WCF service using (one leg) of the WS-Trust protocol and when are ready with the STS installation/configuration only the values of the web.config will change and the call to the STS to get the security token before calling the WCF service.

You can find the code source here : https://bitbucket.org/rachkoud/hardcoded-token/wiki/Home

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Dominick Baier

Dominick Baier — Fri, 17 May 2013 18:47:30 +0000

Just use the service host factory from IdentityServer as a template.
I am offline now for a week.

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Pat

Pat — Fri, 17 May 2013 18:45:50 +0000

Hi Dominick,
Thank you for your help.
I started implementing a class that implements ServiceHostFactory, however I am having a tough time mapping the service name in the web.config to the class that implements ServiceHostFactory

I keeps forcing me to map service name to object that is implemented as the code behind for the svc file.
I keep getting this error:
Service ‘System.ServiceModel.Security.WSTrustServiceContract’ has zero application (non-infrastructure) endpoints. This might be because no configuration file was found for your application, or because no service element matching the service name could be found in the configuration file, or because no endpoints were defined in the service element.

Hope that makes sense.

- Pat

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Dominick Baier

Dominick Baier — Fri, 17 May 2013 13:07:13 +0000

Well – this is doable but not straightfoward – the principal steps are:

Create a SecurityTokenDescriptor to describe your token, use that to feed the saml security token handler CreateToken method.

Then use WriteToken and turn the result into a GenericXmlSecurityToken. That token can then be used to with CreateChannelWithIssuedToken.

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Rasheed

Rasheed — Fri, 17 May 2013 10:07:42 +0000

Hello Dominick,

I followed your courses on PluralSight and you’ve done a great job, I highly recommand them. I’m in the process of securing my WCF services and before installing an STS in our environment, I would like to send an hardcoded token, I can’t find a piece of code to do that, I would like to use the same code as above except that create my hardcoded token instead of request it, like this :

…
var myHarded = .. // How can I create this token? That will be valid on the server side with the same server config as above (audienceUris, issuerNameRegistry, ..), also a bearer token.

// create channel with specified token
var proxy = factory.CreateChannelWithIssuedToken(myHardedToken);

var id = proxy.GetIdentity();

How can I do that?

Thanks
Rasheed

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Dominick Baier

Dominick Baier — Fri, 17 May 2013 06:58:06 +0000

You can use WSTrustServiceHost e.g. this hosts a WSTrustServiceContract, which implements the various IWSTrustxxx interfaces. So nothing has really changed between WIF and .NET 4.5 (besides the namespaces and assembly names).

Comment on Web API Security: JSON Web Token/OAuth2 with Thinktecture.IdentityModel AuthenticationHandler by ASP.NET Web API Authentication: Using multiple (simultaneous) Authentication Methods with Thinktecture AuthenticationHandler | www.leastprivilege.com

Thu, 16 May 2013 17:59:55 +0000

[…] possible to support multiple authentication methods with AuthenticationHandler.(see here, here and here for some background). I simply stopped searching for other credentials once I found one of the […]

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by ASP.NET Web API Authentication: Using multiple (simultaneous) Authentication Methods with Thinktecture AuthenticationHandler | www.leastprivilege.com

Thu, 16 May 2013 17:59:52 +0000

[…] it was possible to support multiple authentication methods with AuthenticationHandler.(see here, here and here for some background). I simply stopped searching for other credentials once I found one of […]

Comment on ASP.NET Web API Security: The Thinktecture.IdentityModel AuthenticationHandler by ASP.NET Web API Authentication: Using multiple (simultaneous) Authentication Methods with Thinktecture AuthenticationHandler | www.leastprivilege.com

Thu, 16 May 2013 17:59:49 +0000

[…] day one it was possible to support multiple authentication methods with AuthenticationHandler.(see here, here and here for some background). I simply stopped searching for other credentials once I found […]

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Pat

Pat — Thu, 16 May 2013 01:51:08 +0000

Hi Dominick,
Thanks for getting back.

I notice that in .Net 3.5 we could implement
in the web.config towards implementing an ActiveSTS

I think we cant do that anymore in .Net 4.5. How does one go about implementing something similar in .Net 4.5?

Thanks
Pat

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Dominick Baier

Dominick Baier — Wed, 15 May 2013 03:11:47 +0000

Well – SCT is WS-SecureConversation (establishSecurityContext on the binding). You typically disable that, because you don’t want sessions. Especially on the STS.

IdentityServer has all you need – look for the service host factory in the WS-Trust folder of the Protocols project.

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Pat

Pat — Tue, 14 May 2013 22:17:22 +0000

Hi
I can’t find a small sample of an Active STS using certificates anywhere. Microsoft has released a few sample but none of Active STS implemetnation. They keep pushing use of ADFS or Azure for STS. This post comes closest to any sample code. Thank you for that.

I have looked at the thinktecture project and that is way more extensive than a simple sample. I have also seen all your pluralsight videos but I dont think there is a description of developing Active STS.

I have setup an Active STS but I keep getting the error

The message with Action ‘http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT’ cannot be processed at the receiver, due to a ContractFilter mismatch at the EndpointDispatcher. This may be because of either a contract mismatch (mismatched Actions between sender and receiver) or a binding/security mismatch between the sender and the receiver. Check that sender and receiver have the same contract and the same binding (including security requirements, e.g. Message, Transport, None).

Any ideas where to look?
Thanks
Pat

Comment on Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API by Utsav Vishnoi

Utsav Vishnoi — Tue, 14 May 2013 10:10:52 +0000

Hi Dominick,
Thanks for your response and guidance.

Comment on Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API by Dominick Baier

Dominick Baier — Tue, 14 May 2013 10:03:57 +0000

I am not using ACS nor OAuth. You could use the JsonWebTokenHandler class from Thinktecture.IdentityModel. But I really recommend using the Microsoft JWT handler since this supports signing with X.509 certs – and I don’t.

http://msdn.microsoft.com/en-us/library/dn205065.aspx
http://www.cloudidentity.com/blog/2012/11/20/introducing-the-developer-preview-of-the-json-web-token-handler-for-the-microsoft-net-framework-4-5-2/

Comment on Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API by Utsav Vishnoi

Utsav Vishnoi — Tue, 14 May 2013 09:58:53 +0000

Hi Dominick,

Thanks for your your reply. Can you please share any Sample in which you explain how you are generating Json Web Token using ThinkTecture? Please guide me may be I am wrong. As per my understanding after looking in to your library, you are using ACS internally. You are generating Json Web token using OAuth class. Please suggest any better way to generate Json Web Token using ThinkTecture.

Comment on Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API by Dominick Baier

Dominick Baier — Tue, 14 May 2013 09:49:27 +0000

You don’t need my library for that. That’s built straight into Microsoft’s JWT handler.

Comment on Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API by Utsav Vishnoi

Utsav Vishnoi — Tue, 14 May 2013 09:47:55 +0000

Hi Dominick,
I am new to ThinkTecture and just want to know that can we use X509 certificates to sign JSON Web token using ThinkTecture ?

Comment on Using Claims-based Authorization in MVC and Web API by Ibraheem

Ibraheem — Mon, 13 May 2013 18:36:42 +0000

Thanks for the great article. With regards to the comments that refer to how claims should be mapped to authorizations, IMO a nice pattern would be to have roles contain a collection of authorizations. Your claim could be for a role, or for an authorization. As long as the role contains the authorization, it can be considered as being the authorization. Your CheckAccess(authorization) logic can then use the claim whether its for an authorization explicitly, or for a role that contains the authorization.

Comment on Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API by Prasad

Prasad — Mon, 13 May 2013 13:42:27 +0000

Token contains claims and signature.I didn’t understand what is mean by signature at developing time.I mean how can we implement and how exactly the certificate will play a role

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by Dominick Baier

Dominick Baier — Sat, 11 May 2013 08:23:59 +0000

It’s IdentityController in Common.

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by Karel Vandenhove

Karel Vandenhove — Fri, 10 May 2013 18:47:06 +0000

Hi,
This must be a stupid question, but where can I find the /webapisecurity/api/ controller for the Web Api Security Project?
I’ve got the FormsAndBasicAuth running, but cannot get to the /webapisecurity/api/

Thanks!

Karel

Comment on Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API by Dominick Baier

Dominick Baier — Fri, 10 May 2013 07:25:17 +0000

Explain.

Comment on Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API by Prasad

Prasad — Fri, 10 May 2013 07:22:42 +0000

Hi Dominick,will you please say,what is mean by signature in token?How can we implement in .net?

Comment on UserName SupportingToken in WCF by Dominick Baier

Dominick Baier — Fri, 10 May 2013 06:25:58 +0000

How about this file? http://sdrv.ms/11p5nNa

Comment on Archive by Dominick Baier

Dominick Baier — Fri, 10 May 2013 06:25:18 +0000

How about this file? http://sdrv.ms/11p5nNa

Comment on UserName SupportingToken in WCF by smitha

smitha — Fri, 10 May 2013 03:10:18 +0000

ya looked in jan 2008 archives no code which i could download. Ii have posted my question of stack overflow. http://stackoverflow.com/questions/16467898/public-certificate-private-key-asymmetricsecurity-element.. My request needs a usernametoken, binary security tokens
Please suggest .. Thank you

Comment on The simplest SecurityToken / Handler you can write by Dominick Baier

Dominick Baier — Thu, 09 May 2013 09:46:10 +0000

Hi,

please use the issue tracker
https://github.com/thinktecture/Thinktecture.IdentityModel.40/issues

In general I’d recommend using .NET 4.5 since we actively maintain that version.

Comment on The simplest SecurityToken / Handler you can write by Jaymie

Jaymie — Thu, 09 May 2013 09:41:55 +0000

Hi Dominic,
How would you set this up in .Net 4? I seem to get an error stating that Cannot implicitly convert type ‘Microsoft.IdentityModel.Claims.ClaimsIdentity’ to ‘Microsoft.IdentityModel.Claims.ClaimsPrincipal’ not to mention that AddAccessKey is not part of the HttpConfiguration

Comment on UserName SupportingToken in WCF by Dominick Baier

Dominick Baier — Sun, 05 May 2013 18:02:25 +0000

See here
http://leastprivilege.com/archive/

Comment on UserName SupportingToken in WCF by smitha

smitha — Sun, 05 May 2013 16:10:03 +0000

Hi, the link for supportingusernametoken.zip is broken. I need this functionality

Comment on ASP.NET Web API Security: The Thinktecture.IdentityModel AuthenticationHandler by justneedanid

justneedanid — Wed, 01 May 2013 20:15:53 +0000

I was wondering if anyone had examples of using IoC to provide services like the ‘tokenHandler’ above or the ‘ClaimsAuthenticationTransformer’. I imagine a common scenario would use some repository to convert tokens to users/claims but how I wire that in is a bit of a stumper.

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by tomadj2

tomadj2 — Tue, 30 Apr 2013 17:09:42 +0000

it’s what alows the browser to send the cookie over ajax

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by tomadj2

tomadj2 — Tue, 30 Apr 2013 17:09:06 +0000

Thank’s a lot Dominick !! It’s ok !
I added this into the 2 ajax request :

xhrFields: {
withCredentials: true
}

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Dominick Baier

Dominick Baier — Tue, 30 Apr 2013 05:37:49 +0000

Sure this is possible. But not built into .NET.

I would recommend to use the JWT token format instead of SWT – SWT is dead.

On Nuget there is a JWT authorization manager for WCF (search for JWT).

Comment on WCF and Identity in .NET 4.5: External Authentication with WS-Trust by Mike

Mike — Mon, 29 Apr 2013 21:55:55 +0000

Dominick,
I have a rich client with a browser plugin from which I get a SWT token, from Azure ACS. I pass the token to the WCF service configured to use WIF, to the claims assigned. The claims is supposed to be assigned via a custom token handler decoding the SWT. I would like to ask if this is at all possible? If so how should the web.config file for the service be configured? It would be great to get a pointer to a sample.
Sorry, the problem is that I’m using .NET 4.5. (samples are hard to find)

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by Dominick Baier

Dominick Baier — Mon, 29 Apr 2013 19:50:34 +0000

Brock can help you over here:
http://forums.asp.net/p/1902527/5379095.aspx/1?Re+Form+Authentification+from+external+client+to+WEB+API

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by tomadj2

tomadj2 — Mon, 29 Apr 2013 18:52:27 +0000

Hi Domick !
I understood my problem !! But I don’t know solve it.

Consider just two event button click and two controller action (a little bit of code ) :
https://gist.github.com/tomadj/7ed5642f65f9329c5ff5

IF the code client is in the same server ( IIs localhost visualstudio 2012 project MVC 4 + webAPI ) run from on a razor page html –> http://localhost:5314/home/index :

1 ) click on “is Authorize ?” button –> return 401 Unauthorized
2 click on “login” button –> return success: true
3) click again on is Authorize ? button –> return OK user is authentificated

however if I call my web api from an other server/site (in my case, a wordpress blog in a html page of this blog ) :

1 ) click on “is Authorize ?” button –> return 401 Unauthorized
2 click on “login” button –> return success: true
3) click again on is Authorize ? button –> RETURN 401 UNAUTHORIZED

I guess :
1- I must get the “context/cookie” in the callback of action login if return true.
2- I must set the “context/cookie” before call again the authorize action

No ?
if is the good solution, can you help me for do that ?

Thank’s again !

Thomas

Comment on About by Andy Cohen

Andy Cohen — Mon, 29 Apr 2013 12:29:26 +0000

Actually I found it in the video itself: http://goo.gl/00Oc2. Thanks.

Comment on Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API by Dominick Baier

Dominick Baier — Mon, 29 Apr 2013 07:17:32 +0000

Reblogged this on www.leastprivilege.com and commented:

An old posts. But since I am writing about AuthenticationHandler..this is still relevant!

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by Web API Security: JSON Web Token/OAuth2 with Thinktecture.IdentityModel AuthenticationHandler | www.leastprivilege.com

Mon, 29 Apr 2013 07:04:03 +0000

[...] ← Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHan… [...]

Comment on ASP.NET Web API Security: The Thinktecture.IdentityModel AuthenticationHandler by Web API Security: JSON Web Token/OAuth2 with Thinktecture.IdentityModel AuthenticationHandler | www.leastprivilege.com

Mon, 29 Apr 2013 07:04:00 +0000

[...] the pattern from my two previous posts, you can also validate JWTs with a simple extension method over the basic AddMapping [...]

Comment on About by Dominick Baier

Dominick Baier — Mon, 29 Apr 2013 06:00:45 +0000

https://github.com/thinktecture/Thinktecture.IdentityModel.45

Comment on About by Andy Cohen

Andy Cohen — Mon, 29 Apr 2013 02:19:22 +0000

Dominick,

Is the source code available from your video: http://vimeo.com/43603474?

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by tomadj2

tomadj2 — Fri, 26 Apr 2013 14:36:26 +0000

Ok thank’s Dominick. I will search and learn more on forms authentification.

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by Dominick Baier

Dominick Baier — Fri, 26 Apr 2013 14:14:22 +0000

Again – you need to make sure the client sends the cookie after calling login. Then there is nothing else you need to do.

Please read up on cookies and how forms authentication is supposed to work. Otherwise I can’t help you.

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by tomadj2

tomadj2 — Fri, 26 Apr 2013 12:14:54 +0000

Ok thank’s ! I can’t test now at work but this evening I will try to remove basic auth and just keep form auth.

Server side :
- In the LogUser Action, if the user is validate I set the AuthCookie with : FormsAuthentication.SetAuthCookie(user.Login, true);

I remove just the lines : authentication.AddBasicAuthentication((username, password)
=> Membership.ValidateUser(username, password)); in AuthenticationConfiguration ?

And client side, must be added in the header of the ajax request to the [Autorize] action the cookie. How can I do that ?

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by Dominick Baier

Dominick Baier — Fri, 26 Apr 2013 09:29:27 +0000

Using forms authentication might be totally enough here, if the cookie is successfully set (and also sent by the Ajax calls), we don’t need Basic Authentication. But you need to verify that.

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by tomadj2

tomadj2 — Fri, 26 Apr 2013 08:14:58 +0000

Yes, I’m a little lost between auth basic auth and form and what for me thinktecture.
So, to answer your questions :

1) I think not, because I remove FormsAuthentication.SetAuthCookie(user.Login, true);
I thought you told me that it’s for form based auth.

2) For round-trip, I don’t understand. :(

So, already, is that we agree on the method? me I have to, in my case (webapi), the basic auth and not form based auth ?

I read again your post http://leastprivilege.com/2012/10/23/mixing-mvc-forms-authentication-and-web-api-basic-authentication/

effectively, in the sample, in the client , there are :
client.DefaultRequestHeaders.Authorization =
new BasicAuthenticationHeaderValue(“alice”, “alice”);

Me, I must do the equivalent in my ajax request to the authorize action ?? .

and also, for the time being, my action LogUser return just true if the user is validate. it is at this level that I need to do something else ? (in reference to the round trip maybe ?)

Comment on Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler by Dominick Baier

Dominick Baier — Fri, 26 Apr 2013 05:53:49 +0000

So the question would be –

- Is the forms auth cookie being set when you call the login method?
- Is it round-tripped from that point on?