Oauth2 and BizTalk WCF-webhttpbinding Receive

  • Question

  • Hi all

    I am trying to implement OAuth2.0 for a two-way (request-response) receive location which has webhttpbinding (using the WCF-WebHttp adapter).

    I did implement an IDispatchMessageInspector to inspect and validate the token. Now my problem is with bypassing publishing the message to the message box in case the token provided is null or empty. I want to respond to the client immediately with a custom message (not throwing an exception). There is an approach on how to do it using a custom WCF behavior by implementing IEndpointBehavior, IOperationBehavior, but it looks like ApplyDispatchBehavior is being overridden by the webhttpbehavior.

    I used an answer provided in the following post:

    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/2eb8a4b6-307e-4094-8841-1e351d662526/idispatchmessageinspectorafterreceiverequest-bypass-service-call-and-return-manually-response?forum=wcf

    but the ApplyDispatchBehavior method is not called when I test.

    Your help is much appreciated.


    Regards, Mazin - MCTS BizTalk Server 2006


    Wednesday, August 16, 2017 12:54 PM

All replies

  • Unfortunately, what you're trying to do is pretty complicated with WCF. So first, a couple of questions...

    Do you really need to use OAuth? It adds a lot of complexity for no meaningful benefit. If an option, certificates are always (well, 99% of the time) a better option; even basic over TLS is preferable in most cases.

    Next, why can't you respond with a 401? Using a custom message also adds unnecessary complication.

    Wednesday, August 16, 2017 1:52 PM
    Moderator
  • Hi John

    We have to use OAuth. We will be offering soon a mobile application on both Android and iOS, which will connect publicly to our receive location (which should have an OAuth authentication mechanism). My issue is not with OAuth authentication itself (because I have already implemented the required classes to authenticate). My issue is just how to bypass calling the actual WCF REST operation when the token is invalid (or let's say empty).

    My code where I am checking the token is currently in the AfterReceiveRequest method. I can probably throw a Forbidden exception, but then will need to write a custom error handler, which I found on the following link. When an exception is thrown at that stage, the message is not published in BizTalk.

    https://blog.tallan.com/2014/09/29/wcf-webhttp-and-custom-json-error-messages/

    I am doing this at the moment, so hopefully this will solve my problem. Unless you have other thoughts?

    regards,


    Regards, Mazin - MCTS BizTalk Server 2006

    Wednesday, August 16, 2017 2:14 PM
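An added example (not the poster's code) of the approach described in the reply above: an IDispatchMessageInspector that rejects a request with a missing or invalid bearer token by throwing a WebFaultException, plus an IErrorHandler that renders it as a 401 with a JSON body, so the rejected request is never published to the BizTalk MessageBox. It assumes the token check itself is supplied by the caller (the validateToken delegate is a hypothetical hook standing in for the validation the poster already wrote) and that an endpoint behavior registers the inspector in DispatchRuntime.MessageInspectors and the handler in ChannelDispatcher.ErrorHandlers, ahead of the handler WebHttpBehavior adds.

```csharp
using System;
using System.Net;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;
[DataContract]
public class AuthError
{
    [DataMember(Name = "error")] public string Error { get; set; }
    [DataMember(Name = "error_description")] public string Description { get; set; }
}

// Runs before the operation is invoked, so a request rejected here is never published to the MessageBox.
public class BearerTokenInspector : IDispatchMessageInspector
{
    private readonly Func<string, bool> validateToken; // hypothetical hook for the poster's existing token check
    public BearerTokenInspector(Func<string, bool> validateToken) { this.validateToken = validateToken; }
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        var http = request.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
        string header = http == null ? null : http.Headers[HttpRequestHeader.Authorization];
        bool hasBearer = header != null && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase);
        if (!hasBearer || !validateToken(header.Substring(7).Trim()))
            throw new WebFaultException<AuthError>(   // short-circuits dispatch; rendered below as a 401
                new AuthError { Error = "invalid_token", Description = "Missing or invalid bearer token" },
                HttpStatusCode.Unauthorized);
        return null;
    }
    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Turns the WebFaultException into a JSON body carrying its HTTP status, instead of the default fault page.
public class JsonAuthErrorHandler : IErrorHandler
{
    public bool HandleError(Exception error) { return error is WebFaultException<AuthError>; }
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        var wfe = error as WebFaultException<AuthError>;
        if (wfe == null) return; // leave every other exception to WebHttpBehavior's own handler
        fault = Message.CreateMessage(version, "", wfe.Detail, new DataContractJsonSerializer(typeof(AuthError)));
        fault.Properties.Add(WebBodyFormatMessageProperty.Name, new WebBodyFormatMessageProperty(WebContentFormat.Json));
        var response = new HttpResponseMessageProperty { StatusCode = wfe.StatusCode };
        response.Headers[HttpResponseHeader.ContentType] = "application/json";
        response.Headers[HttpResponseHeader.WwwAuthenticate] = "Bearer";
        fault.Properties.Add(HttpResponseMessageProperty.Name, response);
    }
}
```

Keep the error body generic as shown; never echo the supplied token or validation internals back to the client.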
  • Maybe consider something totally different since you're using a mobile app.

    You can use Azure API Management to front your BizTalk app and secure the external endpoint using OAuth.

    Example: https://channel9.msdn.com/Blogs/AzureApiMgmt/Protecting-Web-API-Backend-with-Azure-Active-Directory-and-API-Management

    Wednesday, August 16, 2017 4:56 PM
    Moderator
  • My first consideration was in fact to use API Management. However, I was faced with many challenges:

    1- All our servers are on-premise. We do not have an Azure AD account, and it will be a complicated task to migrate it to Azure. Is there a way to implement OAuth without using an Azure AD account and use the on-premise login information?

    2- I found that by using API Management, the subscription key for API Management will need to be hardcoded in the mobile app somewhere (Keychain, shared preferences), which is not ideal if the subscription key is changed (even accidentally), as that will mean we need to push a new update to the app.

    3- The number of calls allowed per minute is throttled and there is a limit in API Management, so how would that work with using one subscription key for all mobile connections?

    4- We have to make a study around cost as well. As per my knowledge, API Management is charged per transaction, but in order for the solution to work with BizTalk WCF Relay, we need Service Bus, AD and APIM. So I am not sure if that is a cheap option.

    Could you please comment roughly on the four above points?

    Also, what do you find not suitable in the approach I am undertaking?

    We are using BizTalk 2016. We are thinking of using a reverse proxy mechanism to secure our BizTalk server.

    regards,


    Regards, Mazin - MCTS BizTalk Server 2006

    Wednesday, August 16, 2017 7:08 PM
  • I'm curious, what direction did you take with your mobile app? We are also gearing up to write a mobile app using BizTalk.

    Let me know, thanks.

    Wednesday, November 13, 2019 5:05 PM
  • 1- All our servers are on-premise, we do not have an Azure AD account, and it will be a complicated task to migrate it to Azure. Is there a way to implement OAuth without using an Azure AD account and use the on-premise login information?

    -- This is not a problem as such. Your servers are on-prem; still you can communicate with APIM and on-prem BizTalk using the SB or Logic App adapter. If Azure AD accounts are not there, it's not an issue as well. For OAuth in APIM you can register AAD apps. It works with app registrations.

    If you want it to be your AD user based, then you will have to have the AD to AAD sync in place.

    2- I found that by using API Management, the subscription key for API Management will need to be hardcoded in the mobile app somewhere (Keychain, shared preferences), which is not ideal if the subscription key is changed (even accidentally), as that will mean we need to push a new update to the app.

    -- You need a subscription key, but it's not mandatory. You can have your API with OAuth only, without any subscription key.

    3- The number of calls allowed per minute is throttled and there is a limit in API Management, so how would that work with using one subscription key for all mobile connections?

    -- Not true. The limitation is put on the API via policies. The limit on APIM itself is unit restricted, like for premium it's 4000 req/sec/unit. So you can scale up the units for the load.

    4- We have to make a study around cost as well. As per my knowledge, API Management is charged per transaction, but in order for the solution to work with BizTalk WCF Relay, we need Service Bus, AD and APIM. So I am not sure if that is a cheap option.

    -- Cost will be OK. You can go for a tier below premium to start with. That will cost around 600 per month. APIM is charged per hour.

    But having the solution this way will be future ready, and then you can plan moving the back end to the cloud as well in due course.


    Pi_xel_xar


    Thursday, November 14, 2019 3:01 PM
    Answerer