none
.Net 4.5, RESTful WCF, WIF and JWT (or any other custom token handler) - how to get it working? RRS feed

  • Question

  • Hello All,

    .Net 4.5 WCF allows for plugging WCF into WIF pipeline using web.config behavior switch: <serviceCredentials useIdentityConfiguration="true"/>

    I think it should be quite simple to configure WCF authentication/authorization using any custom token handler like this one: http://msdn.microsoft.com/en-us/library/dn205065(v=vs.110).aspx (Microsoft JWT implementation), without writing custom http handlers, modules, extensions etc.

    However, after two days of Googling I found no single complete example of proper configuration WCF RESTful application while MSDN documentation is rather scant. Maybe this feature can be used for SOAP header tokens only, that is, no webHttpBinding?

    The only related example I found (by Pavel Khodak) suggest writing custom behaviorExtension, which does not seem to be exactly in line with what MS architects probably intended.

    Can WCF-WIF integration be used for authentication with tokens transmitted as http Authentication header, rather than SOAP message header?

    Thank you for any pointers.

    Thomas


    • Edited by Thomas D J Monday, January 5, 2015 1:32 PM
    Friday, January 2, 2015 4:08 PM

All replies

  • You won't find many samples with OAuth implementation over SOAP services. OAuth was created primarily for clients that could not handle SOAP and its associated WS-Security complexity.

    Although  not common, it is still possible, you just need to implement your own WCF pipeline hook (IDispatchMessageInspector) to get the token from HTTP header and then use the JWT classes to set your claims.

    I have not used this code sample, but it looks like it will do what you want. http://blogs.msdn.com/b/pavelkhodak/archive/2013/07/26/enable-http-bearer-jwt-token-authentication-for-rest-service-using-webhttpbinding-in-wcf.aspx


    Vote if help you

    Monday, January 5, 2015 6:27 AM
  • Thank you,

    the point is in this case I do NOT want to use SOAP at all - just WCF, webHttpBinding POX or JSON, token in standard http Authorization header.

    Do you mean that useIdentityConfiguration switch simply does not work with webHttpBinding binding? Maybe tokens are being read from SOAP headers only?

    Why would it work with certain bindings only? This does not seem right.

    Abstract SecutityTokenHandler class seems to be designed to handle non-xml tokens as well - CanReadToken() and ReadToken() methods have versions taking string argument, rather than XmlReader.

    I found no explanation if/why/when those methods are called.

    I explicitly indicated I was familiar with Pavel Khodak's solution you propose and explained why it was not what I was looking for. His solution is based on IDispatchMessageInspector and custom ServiceBehavior/BehaviorExtensionElement. I am not convinced this is the usage pattern MS architects had in mind introducing useIdentityConfiguration property.

    My goal is to set some company standards, find out how to simply reconfigure our WCF applications, not just to get it somehow working. Otherwise, creating a custom http module would take me not much longer than writing this post.


    • Edited by Thomas D J Wednesday, January 7, 2015 11:15 AM
    Monday, January 5, 2015 1:48 PM
  • Monday, January 5, 2015 7:50 PM
  • Oops, you are in the WCF forum. I am just back from the long holidays of being off from work and everything else! :)
    Monday, January 5, 2015 7:52 PM