Handling Binary(Jwt) tokens in WCF pipeline for active federation clients

  • Question

  • Hi all,

    I'm new here and I'm also kinda new to WCF.

    I'm working on a client application (.NET 4.5) that needs to authenticate on a custom STS using an issued token.

    I was able to get a SAML2 token from ADFS, and now I need to exchange it with the custom STS for a JWT token.

    Actually I don't need to get claims out of that token, I only need the token itself.

    I'm sending the RST to STS in the following way:

    // Binding and endpoint for the custom STS (StsServiceBinding and serviceEndPoint are defined elsewhere)
    var customBinding = StsServiceBinding();
    WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(customBinding, serviceEndPoint);
    trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
    trustChannelFactory.Credentials.SupportInteractive = false;

    // Authenticate to the STS with the SAML2 token already obtained from ADFS
    var channel = trustChannelFactory.CreateChannelWithIssuedToken(issuedToken);

    // Ask for a bearer JWT scoped to the target realm
    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        AppliesTo = new EndpointReference(realm),
        KeyType = KeyTypes.Bearer,
        TokenType = "urn:ietf:params:oauth:token-type:jwt",
    };

    RequestSecurityTokenResponse rstr;
    var token = channel.Issue(rst, out rstr);

    // Only the raw token string is needed, so take the returned XML as-is
    var tokencode = rstr.RequestedSecurityToken.SecurityTokenXml.OuterXml;

    And I'm getting the exception:

    Cannot read KeyIdentifierClause from element 'Reference' with namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'.
    Custom KeyIdentifierClauses require custom SecurityTokenSerializers, please refer to the SDK for examples.

    As I understand it, the WCF stack can't handle the returned token; the question is what would be a proper way to add a custom token handler from code, or maybe another workaround.

    Thank you


    Wednesday, June 29, 2016 4:06 PM

Answers

  • Hi

    Thank you for the links. My flow is different, but the blog post code is really interesting.

    I found out the cause of the failure (not completely).

    When receiving the JWT token from the STS, there were additional entries in the response:

    <ns2:RequestedAttachedReference>
     <ns4:SecurityTokenReference>
      <ns4:Reference URI="#344e4c44-8972-472d-bccf-07ea23ac14b7" ValueType="urn:ietf:params:oauth:token-type:jwt"/>
     </ns4:SecurityTokenReference>
    </ns2:RequestedAttachedReference>

    The namespace for ns4 is

    xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

    I don't know yet why it causes the error:

    Cannot read KeyIdentifierClause from element 'Reference' with namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'.
    Custom KeyIdentifierClauses require custom SecurityTokenSerializers, please refer to the SDK for examples.

    But as soon as I removed it from the RSTR, the whole WCF stack started to work.

    • Marked as answer by Xunter Wednesday, July 13, 2016 1:33 PM
    Wednesday, July 13, 2016 1:32 PM
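    One way to apply the accepted answer's finding from code, as an added example that is not the poster's or the forum's code: a client-side IClientMessageInspector that removes the RequestedAttachedReference and RequestedUnattachedReference elements from the WS-Trust reply before WCF deserializes the RSTR. It assumes the trustChannelFactory from the question and that the WSTrustChannelFactory's inner channel honours behaviors added to trustChannelFactory.Endpoint.EndpointBehaviors.

```csharp
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;

// Added example, not the poster's code: drops only the RequestedAttachedReference and
// RequestedUnattachedReference elements the accepted answer found to break deserialization.
// The JWT, Lifetime, AppliesTo and SOAP headers are passed through unchanged.
public sealed class StripTokenReferencesBehavior : IClientMessageInspector, IEndpointBehavior
{
    // WS-Trust 1.3 namespace (ns3 in the RSTR posted in the thread).
    private const string TrustNs = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";

    public object BeforeSendRequest(ref Message request, IClientChannel channel) { return null; }

    public void AfterReceiveReply(ref Message reply, object correlationState)
    {
        // A Message body can be read only once, so work from a buffered copy.
        MessageBuffer buffer = reply.CreateBufferedCopy(int.MaxValue);
        Message original = buffer.CreateMessage();
        var doc = new XmlDocument { PreserveWhitespace = true };
        using (XmlDictionaryReader body = original.GetReaderAtBodyContents())
        {
            doc.Load(body);
        }
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("t", TrustNs);
        XmlNodeList refs = doc.SelectNodes(
            "//t:RequestedAttachedReference | //t:RequestedUnattachedReference", ns);
        // Walk backwards so removals do not disturb the remaining indexes.
        for (int i = refs.Count - 1; i >= 0; i--)
        {
            refs[i].ParentNode.RemoveChild(refs[i]);
        }
        // Rebuild the reply: edited body, original headers and properties.
        Message edited = Message.CreateMessage(original.Version, null, new XmlNodeReader(doc.DocumentElement));
        edited.Headers.CopyHeadersFrom(original.Headers);
        edited.Properties.CopyProperties(original.Properties);
        reply = edited;
    }

    // IEndpointBehavior: hook the inspector into the client runtime.
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        clientRuntime.ClientMessageInspectors.Add(this);
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

    Register it with trustChannelFactory.Endpoint.EndpointBehaviors.Add(new StripTokenReferencesBehavior()) before calling CreateChannelWithIssuedToken. Because only the reference elements are dropped, the relying party still receives the full JWT and validates its signature and expiry as usual.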

All replies

  • You can try to implement your own WCF pipeline hook (IDispatchMessageInspector) to get the token from the HTTP header and then use the JWT classes to set your claims.
    Refer here: http://blogs.msdn.com/b/pavelkhodak/archive/2013/07/26/enable-http-bearer-jwt-token-authentication-for-rest-service-using-webhttpbinding-in-wcf.aspx
    Friday, July 1, 2016 4:20 PM
  • Thank you, the problem is that the JWT token is received within the SOAP message and not in the header.

    <ns3:RequestSecurityTokenResponseCollection xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns3="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns4="http://www.w3.org/2005/08/addressing" xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802">

    <ns3:RequestSecurityTokenResponse>
    <ns3:TokenType>urn:ietf:params:oauth:token-type:jwt</ns3:TokenType>
    <ns3:RequestedSecurityToken>
    <TokenWrapper xmlns="">eyJ0eXAiOiJKV1MiLCJhbGciOiJIUzI1NiJ9.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.cLR9gb9-B03Nu3Ho1HwHwDGoeR4MRvEnN6nOaZT8eRc</TokenWrapper>
    </ns3:RequestedSecurityToken>
    <ns3:RequestedAttachedReference>
    <ns2:SecurityTokenReference>
    <ns2:Reference URI="#ed91e8ed-094e-49a4-8bdc-5f6f5c146abc" ValueType="urn:ietf:params:oauth:token-type:jwt"/>
    </ns2:SecurityTokenReference>
    </ns3:RequestedAttachedReference>
    <ns3:RequestedUnattachedReference>
    <ns2:SecurityTokenReference>
    <ns2:Reference URI="ed91e8ed-094e-49a4-8bdc-5f6f5c146abc" ValueType="urn:ietf:params:oauth:token-type:jwt"/>
    </ns2:SecurityTokenReference>
    </ns3:RequestedUnattachedReference>
    <wsp:AppliesTo xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsa:Address>some url</wsa:Address>
    </wsa:EndpointReference>
    </wsp:AppliesTo>
    <ns3:Lifetime>
    <ns1:Created>2016-06-27T22:30:14.801Z</ns1:Created>
    <ns1:Expires>2016-06-27T22:35:14.801Z</ns1:Expires>
    </ns3:Lifetime>
    </ns3:RequestSecurityTokenResponse>
    </ns3:RequestSecurityTokenResponseCollection>

    Sunday, July 3, 2016 10:59 AM
  • If so, you can see this:
    https://msdn.microsoft.com/en-us/library/ms731872(v=vs.110).aspx
    And this:
    https://yorkporc.wordpress.com/2014/04/11/client-side-of-wcf-using-jwt-for-bearer/

    Friday, July 8, 2016 4:32 AM