ACS Plaintext Token Requests - Add additional parameters.
-
January 1, 2012 11:49
Hi,
I am following this guide on MSDN:
http://msdn.microsoft.com/en-us/library/windowsazure/ee706734.aspx
It says you can add additional parameters:
I am trying to add additional parameters like so:
WebClient client = new WebClient();
client.BaseAddress = string.Format("https://mysnservice.accesscontrol.windows.net");
NameValueCollection values = new NameValueCollection();
values.Add("wrap_name", "mysncustomer1");
values.Add("wrap_password", "5znwNTZDYC39dqhFOTDtnaikd1hiuRa4XaAj3Y9kJhQ=");
values.Add("wrap_scope", "http://mysnservice.com/services");
values.Add("myparameter", "myvalue"); // Additional parameter.
// WebClient takes care of the URL Encoding
byte[] responseBytes = client.UploadValues("WRAPv0.9", "POST", values);
// the raw response from AC
string response = Encoding.UTF8.GetString(responseBytes);
I also configured the Rule Group to pass this parameter.
But the response doesn't contain my parameter.
Maybe it's the Rule Group that is not defined properly?
It would be great if someone could share the code and Rule Group configurations needed for this.
Edit:
After banging my head about this for a day, I also tried the Signed Token Request:
WebClient client = new WebClient();
Uri getTokenEndpoint = new Uri("https://mynamespace.accesscontrol.windows.net/WRAPv0.9/");
NameValueCollection data = new NameValueCollection();
data.Add("wrap_scope", "http://localhost:2333/myservice.svc");
data.Add("wrap_assertion_format", "SWT");
data.Add("wrap_assertion", "MyParamter=myvalue&Issuer=issuername&HMACSHA256=4u5pVC25XpDaolNH7EZMssffdt%fdsJtNwZtapie%f"); // I am adding MyParamter.
var bytes = client.UploadValues(getTokenEndpoint, "POST", data);
string response = Encoding.UTF8.GetString(bytes);
This also produces the same results: only the default claims appear in the response. MyParamter is missing. My Rule Group has one Rule which is Passthrough to all, if it's any help.
Also, just noticed that this tutorial sits under Access Control Service 1.0. Could it be that it's not updated?
- Edited by Yaron Levi, January 1, 2012 17:50
- Edited by Yaron Levi, January 2, 2012 0:08
- Edited by Yaron Levi, January 2, 2012 0:10
- Edited by Yaron Levi, January 2, 2012 0:21
All replies
-
January 2, 2012 9:03, Moderator
Hi,
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay.
Appreciate your patience.
Best Regards,
Ming Xu.
-
January 2, 2012 10:12
Thank you for your reply.
Eagerly waiting for a solution on this one (-:
-
January 3, 2012 7:57, Moderator
Hi,
I just tested it and it seems to be working fine. Below is the Role in my test:
And below is the code I used to fetch the token:
private static string GetTokenFromACS()
{
    // request a token from ACS
    WebClient client = new WebClient();
    client.BaseAddress = string.Format("https://{0}.{1}", serviceNamespace, acsHostName);
    NameValueCollection values = new NameValueCollection();
    values.Add("wrap_name", "gettingstartedissuer");
    values.Add("wrap_password", issuerKey);
    values.Add("wrap_scope", "http://localhost/ACSGettingStarted");
    values.Add("customA", "a");
    byte[] responseBytes = client.UploadValues("WRAPv0.9/", "POST", values);
    string response = Encoding.UTF8.GetString(responseBytes);
    Console.WriteLine("\nreceived token from ACS: {0}\n", response);
    return response
        .Split('&')
        .Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))
        .Split('=')[1];
}
Finally below is the returned token:
outputAllen%3dhi%26Issuer%3dhttps%253a%252f%252fallenc.accesscontrol.windows.net%252f%26Audience%3dhttp%253a%252f%252flocalhost%252fACSGettingStarted%26ExpiresOn%3d1326687997%26HMACSHA256%3d%252bQL6W5vqmUQKsigzlEH3Wejxmlqiy%252fqYM8AaNKPmiK4%253d
Please check your rule configuration to make sure it's set properly.
Allen Chen [MSFT]
- Edited by Allen Chen - MSFT (Microsoft Employee, Moderator), January 3, 2012 7:58
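What the relying party does with a token like the one returned above, as an added example that is not part of the thread or of Microsoft's samples: it verifies the SWT's HMACSHA256 signature over everything before `&HMACSHA256=`, then checks Audience and ExpiresOn, and only then reads a pass-through claim such as customA. The signing key, the namespace and the token contents are constructed for the example, and `CryptographicOperations.FixedTimeEquals` assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Text;

static class SwtCheck
{
    const string Field = "wrap_access_token=", SigMarker = "&HMACSHA256=";
    static byte[] Mac(byte[] key, string s) { using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.ASCII.GetBytes(s)); }
    // Returns the claims only if signature, audience and expiry all check out; otherwise null.
    public static Dictionary<string, string> Validate(string wrapResponse, byte[] key, string audience, DateTimeOffset now)
    {
        string field = Array.Find(wrapResponse.Split('&'), p => p.StartsWith(Field, StringComparison.Ordinal));
        if (field == null) return null;
        string swt = WebUtility.UrlDecode(field.Substring(Field.Length)); // undo the form encoding once
        int at = swt.LastIndexOf(SigMarker, StringComparison.Ordinal);
        if (at < 0) return null;                                          // unsigned token: reject
        string signedPart = swt.Substring(0, at);                         // the bytes the signature covers
        byte[] claimed;
        try { claimed = Convert.FromBase64String(WebUtility.UrlDecode(swt.Substring(at + SigMarker.Length))); }
        catch (FormatException) { return null; }
        if (!CryptographicOperations.FixedTimeEquals(Mac(key, signedPart), claimed)) return null;
        var claims = new Dictionary<string, string>();
        foreach (string pair in signedPart.Split('&'))
        {
            string[] kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length != 2) return null;
            claims[WebUtility.UrlDecode(kv[0])] = WebUtility.UrlDecode(kv[1]);
        }
        if (!claims.TryGetValue("Audience", out string aud) || aud != audience) return null;
        if (!claims.TryGetValue("ExpiresOn", out string exp) || !long.TryParse(exp, out long secs)) return null;
        return DateTimeOffset.FromUnixTimeSeconds(secs) > now ? claims : null; // ExpiresOn is Unix seconds
    }

    static void Main()
    {
        byte[] key = Encoding.ASCII.GetBytes("constructed-demo-signing-key-32b"); // constructed, not a real ACS key
        string body = "customA=a&Issuer=" + WebUtility.UrlEncode("https://example-ns.accesscontrol.windows.net/") +
                      "&Audience=" + WebUtility.UrlEncode("http://localhost/ACSGettingStarted") + "&ExpiresOn=4102444800";
        string sig = Convert.ToBase64String(Mac(key, body));
        string response = Field + WebUtility.UrlEncode(body + SigMarker + WebUtility.UrlEncode(sig)) + "&wrap_access_token_expires_in=1200";
        var ok = Validate(response, key, "http://localhost/ACSGettingStarted", DateTimeOffset.UtcNow);
        Console.WriteLine(ok != null && ok.ContainsKey("customA") ? "custom claim present: " + ok["customA"] : "rejected or claim missing");
        var bad = Validate(response.Replace("customA", "customB"), key, "http://localhost/ACSGettingStarted", DateTimeOffset.UtcNow);
        Console.WriteLine(bad == null ? "tampered token rejected" : "tampered token accepted");
    }
}
```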
-
January 3, 2012 10:54
Thank you for the detailed reply.
Unfortunately, I still can't get it to work. I will explain in detail the configuration on which I am testing.
I defined a Relying Party and a Service Identity like so:
This is the code that requests the token:
WebClient client = new WebClient();
Uri getTokenEndpoint = new Uri("https://****.accesscontrol.windows.net/WRAPv0.9/");
NameValueCollection data = new NameValueCollection();
data.Add("wrap_name", "myserviceidentity");
data.Add("wrap_password", "mypassword");
data.Add("wrap_scope", "http://localhost:2333/service.svc");
data.Add("myparameter", "myvalue");
var bytes = client.UploadValues(getTokenEndpoint, "POST", data);
string response = Encoding.UTF8.GetString(bytes);
-
January 3, 2012 17:50
I found a solution. I've changed the Issuer of the rule to match the Name of the service identity.
ManagementService mgmtSvc = ManagementServiceHelper.CreateManagementServiceClient();
var rule = mgmtSvc.Rules.Where(r => r.Description == "A pass-through rule for all the additional parameters").Single();
Issuer issuer = mgmtSvc.GetIssuerByName("myserviceidentity");
rule.Issuer = issuer;
mgmtSvc.SetLink(rule, "Issuer", issuer);
mgmtSvc.SaveChanges();
So this is the rule before the change:
And this is after:
Can someone confirm that this is a valid solution?
- Edited by Yaron Levi, January 3, 2012 21:19
- Marked as answer by Yaron Levi, January 4, 2012 8:15
-
January 4, 2012 2:38, Moderator
Yes, the issuer should match the issuer defined in the rule configuration, or else ACS cannot find the rule for that issuer.
Allen Chen [MSFT]
- Edited by Allen Chen - MSFT (Microsoft Employee, Moderator), January 4, 2012 2:38
-
January 4, 2012 8:19
I hope this will be fixed, because right now it gives an error when trying to view the rule. It only supports setting the Claim issuer to Access Control or one of the built-in providers, and also the ACS Management Browser is not supported anymore. The only way to set it to a custom Issuer is by code.
- Edited by Yaron Levi, January 4, 2012 8:24
-
January 5, 2012 22:52
Yaron,
You're mixing ACSv1 documentation with ACSv2, which is why you're having problems. ACSv2 is backwards compatible for these types of configurations, meaning that adding additional claims over WRAP as you have done will work. However, these configurations aren't supported in the portal and can only be configured via the management service as you have done.
-
January 10, 2012 0:40
We have a similar problem and I tried to resolve it using the ACS management API as you have done above. However, it doesn't work because the service identity isn't in the list of issuers available, thus the line above mgmtSvc.GetIssuerByName("ourserviceidentityname") returns null. Any idea why this is? The only available Issuers in mgmtSvc.Issuers are Windows Live and Local Authority. The service identity isn't present so the code above won't work.
-
January 10, 2012 1:44
Try adding an issuer with the same name as your service identity.
- Proposed as answer by Developer7777, January 10, 2012 18:38
-
January 10, 2012 18:38
Excellent, thanks Oren, adding an issuer with the same name as our service identity was what was needed.
ManagementService mgmtSvc = ManagementServiceHelper.CreateManagementServiceClient();
Issuer issuer = new Issuer() { Name = "ourserviceidentityname" };
mgmtSvc.AddToIssuers(issuer);
mgmtSvc.SaveChanges();
- Proposed as answer by JIAN WU - MSFT, January 12, 2012 8:06

