Claims Aware WCF Service with JSON Endpoint

  • Question

  • Hi all,

    I am attempting to get a Claims Aware WCF service which has a JSON endpoint secured. 

    I started with the sample which I found here: http://code.msdn.microsoft.com/Claims-Aware-Web-Service-1d55facc. I can see the claims working properly from the default provided code. The user gets authenticated and the claims come through.

    I have tried altering the sample so that the service is JSON enabled by decorating the method with [WebGet(BodyStyle=WebMessageBodyStyle.Bare, ResponseFormat=WebMessageFormat.Json, UriTemplate="json/{input}")]. I've also done the necessary changes in the web.config and I can call the JSON endpoint successfully. However, this change means that the claims are not coming through. I have added a new endpoint in web.config:

        <endpoint name="jsonEP" address="" binding="webHttpBinding" behaviorConfiguration="json" contract="ClaimsAwareWebService.IJSONClaimsAwareWebService" />

    and then added a behavior like this:

        <endpointBehaviors>
          <behavior name="json">
            <webHttp />
          </behavior>
        </endpointBehaviors>

    I assume that now that I have done this I am no longer using the ws2007FederationHttpBinding which is in the web.config and that's why the claims are not working anymore. Can anybody explain how I can get a claims based WCF REST service working (ultimately I want this to work against ADFS)? What do I need to do?

     

    Thanks

    CECrawford

    Tuesday, October 22, 2013 2:45 AM

Answers

  • Hi CECrawford,

    Based on my understanding, using a JSON endpoint means you're no longer working with a SOAP service (SOAP has to use a specific XML format). So WS-Federation (default WIF configuration) will no longer work since WS-Federation relies on SOAP. However, you can use OAuth, which is supported by the latest version of ADFS. And you can still use claim based authorization, but the programming model is a bit different. You may want to check http://blogs.msdn.com/b/mrochon/archive/2013/10/04/oauth2-with-adfs-and-waad-using-c.aspx for a sample on using OAuth to secure an ASP.NET Web API service using ADFS. To support JSON and REST, it is recommended to upgrade to ASP.NET Web API if possible, but if you need to use WCF, then a similar approach would work for you.

    Best Regards,

    Ming Xu



    Wednesday, October 23, 2013 3:09 PM
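
As an added illustration of the approach this answer describes (not code from the thread or the linked samples): on a webHttpBinding endpoint, claims can come from an OAuth bearer token validated in a custom ServiceAuthorizationManager. It assumes the STS issues JWT access tokens and that the System.IdentityModel.Tokens.Jwt NuGet package is referenced; the issuer, audience, certificate path and the "ClaimsPrincipal" property key are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using Microsoft.IdentityModel.Tokens;

// Registered in web.config with
// <serviceAuthorization serviceAuthorizationManagerType="..." />;
// WCF calls it before every operation on the JSON endpoint.
public class BearerTokenAuthorizationManager : ServiceAuthorizationManager
{
    // Placeholders (assumptions): your STS issuer, relying-party identifier
    // and exported token-signing certificate.
    private const string Issuer = "https://sts.example.test/adfs/services/trust";
    private const string Audience = "https://service.example.test/json";
    private static readonly X509Certificate2 SigningCert =
        new X509Certificate2(@"C:\certs\sts-token-signing.cer");

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var props = operationContext.IncomingMessageProperties;
        var http = (HttpRequestMessageProperty)props[HttpRequestMessageProperty.Name];
        string header = http.Headers[HttpRequestHeader.Authorization];
        if (header == null || !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return false; // no token: reject rather than serve anonymously

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,                              // reject tokens from other issuers
            ValidAudience = Audience,                          // reject tokens minted for other services
            IssuerSigningKey = new X509SecurityKey(SigningCert),
            ValidateLifetime = true                            // reject expired tokens
        };
        try
        {
            SecurityToken validated;
            ClaimsPrincipal principal = new JwtSecurityTokenHandler()
                .ValidateToken(header.Substring(7).Trim(), parameters, out validated);
            props["ClaimsPrincipal"] = principal; // hypothetical key the operation reads its claims from
            return true;
        }
        catch (Exception) // bad signature, wrong issuer or audience, expired, malformed
        {
            return false;
        }
    }
}
```

Because webHttpBinding applies no message security of its own, the endpoint should also use transport security (HTTPS) so the bearer token is not sent in the clear.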
  • Hi,

    According to the announcement on http://blogs.technet.com/b/ad/archive/2013/07/10/extending-device-support-in-active-directory.aspx, we need to use Windows Server 2012 R2. Thus, Windows Server 2008, and even Windows Server 2012, is insufficient. In earlier versions of ADFS, it is necessary to use an intermediate STS, such as Windows Azure ACS, to enable OAuth. You may want to check http://msdn.microsoft.com/en-us/library/hh446531.aspx for a sample.

    Best Regards,

    Ming Xu



    Friday, October 25, 2013 3:21 AM

All replies

  • Hi,

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Best Regards,
    Amy Peng


    Wednesday, October 23, 2013 5:36 AM
    Moderator
  • Hi Ming,

    Thanks for your reply. I am willing to explore what you have suggested. However, I have a question first. Does ADFS 2.0 running on Windows 2008 R2 support OAuth? I suspect that we have to use Windows Server 2012 to get the OAuth support. Is that correct?

    Thanks

    CECrawford

    Wednesday, October 23, 2013 10:58 PM