Query a Security Token Service with a WCF Client

  • Question

  • I am developing a WCF client that must query a service (made with the WSO2 platform) that issues security tokens. When a client authenticates to the service with username and password, it should receive a token to use for subsequent authentication.

    I have tried to make a simple console application to query the service. I added a service reference to the project and almost immediately I encountered problems. The system-provided CustomBinding needs to be properly configured and I cannot find out how.

    Searching many forums and communities I found a sample SOAP request that can be sent to the service to obtain a response. The working request (tested with SoapUI) should be like the following:

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
      <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-6D35592DCDDA26FFF3141578725699577">
            <wsse:Username><!--USERNAME HERE--></wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"><!--PASSWORD HERE--></wsse:Password>
          </wsse:UsernameToken>
          <wsu:Timestamp wsu:Id="TS-6D35592DCDDA26FFF3141578725699576">
            <wsu:Created>2014-11-12T10:14:16.995Z</wsu:Created>
            <wsu:Expires>2014-11-12T10:16:16.995Z</wsu:Expires>
          </wsu:Timestamp>
        </wsse:Security>
        <wsa:Action soap:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</wsa:Action>
        <wsa:MessageID soap:mustUnderstand="1">uuid:6d4eab69-77f9-42b7-8d6b-1f710020fb0b</wsa:MessageID>
        <wsa:To soap:mustUnderstand="1"><!--STS ENDPOINT ADDRESS HERE--></wsa:To>
      </soap:Header>
      <soap:Body>
        <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
          <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
          <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
          <wst:Claims>
            <wsid:ClaimType Uri="http://wso2.org/claims/userid" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
          </wst:Claims>
        </wst:RequestSecurityToken>
      </soap:Body>
    </soap:Envelope>

    I have enabled WCF tracing and I have tried to configure many binding types to obtain a request like the working one. The closest to the target was obtained with a wsHttpBinding configured like this:

    <wsHttpBinding>
      <binding name="SendUsername" messageEncoding="Text">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"/>
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </wsHttpBinding>

    However, the generated request is still missing the Claims element.

    Can anyone help me to properly configure a binding?

    Friday, November 14, 2014 3:56 PM

All replies

  • Hi,

    For this scenario, the endpoint consists of an address, a binding, and a contract. The binding is configured with a standard wsHttpBinding that defaults to using WS-Security and username authentication.

    Here is an example for using a User Name Password Validator, which you could refer to and check other settings:

    http://msdn.microsoft.com/en-us/library/vstudio/aa354513(v=vs.100).aspx

    For more information, you could refer to:

    http://msdn.microsoft.com/en-us/library/ee748498.aspx

    http://msdn.microsoft.com/en-us/library/ff647503.aspx

    Regards

    Monday, November 17, 2014 6:11 AM
    Moderator
  • Thanks for the useful links. Somehow they helped me realize that I was entirely misunderstanding my binding configuration.

    Now I am able to obtain a request that is practically the same as the one that is working in SoapUI, but my WCF client still gets errors from the STS service.

    Reading through the provided links I realized I need to implement a federation scenario with a bit of custom tweaking. So I tried a different approach, resulting in a strange error.

    I used the following configuration settings for my client:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
        <bindings>
          <customBinding>
            <binding name="contextSoap12Binding">
              <textMessageEncoding messageVersion="Soap12"/>
              <security authenticationMode="IssuedToken" includeTimestamp="True" securityHeaderLayout="Lax">
                <issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
                  <!-- STS ADDRESS HERE: replace the placeholder below with the STS endpoint address -->
                  <issuer address="STS-ADDRESS-HERE" binding="customBinding" bindingConfiguration="StsBinding"/>
                  <claimTypeRequirements>
                    <add claimType="http://wso2.org/claims/userid" />
                  </claimTypeRequirements>
                </issuedTokenParameters>
              </security>
              <httpsTransport />
            </binding>
            <binding name="StsBinding">
              <textMessageEncoding messageVersion="Soap12WSAddressing10"/>
              <security authenticationMode="UserNameOverTransport" includeTimestamp="true" keyEntropyMode="ServerEntropy" securityHeaderLayout="Lax" />
              <httpsTransport authenticationScheme="Basic" />
            </binding>
          </customBinding>
        </bindings>
        <client>
          <!-- SERVICE ADDRESS HERE: replace the placeholder below with the service endpoint address -->
          <endpoint address="SERVICE-ADDRESS-HERE"
              binding="customBinding" bindingConfiguration="contextSoap12Binding"
              contract="ContextService.contextPortType" name="contextHttpsSoap12Endpoint" />
        </client>
      </system.serviceModel>
    </configuration>

    When I issue a request using the above configuration I get an error like the following:

    HTTP request cannot be authorized with 'Basic' authentication scheme. Service authentication header is "BASIC realm='WSO2 Enterprise Service Bus'"

    What can be done to avoid the above error?

    Tuesday, November 18, 2014 4:03 PM
  • Hi,

    Each authenticate header contains a supported authentication scheme and, for the Basic and Digest schemes, a realm. If multiple authentication schemes are supported, the server returns multiple authenticate headers. The realm value is case-sensitive and defines a set of servers or proxies for which the same credentials are accepted. For example, the header "WWW-Authenticate: Basic Realm="example"" might be returned when server authentication is required. This header specifies that user credentials must be supplied for the "example" domain.

    An HTTP application can include an authorization header field with a request it sends to the server. The authorization header contains the authentication scheme and the appropriate response required by that scheme. For example, the header "Authorization: Basic <username:password>" would be added to the request and sent to the server if the client received the response header "WWW-Authenticate: Basic Realm="example"".

    More info:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa383144(v=vs.85).aspx 

    Wednesday, November 19, 2014 2:27 AM
  • OK, the error message I am getting is self-explanatory and it seems to be connected to HTTP header authentication. But the request sent with SoapUI works with or without authentication headers.

    I am completely lost.

    Wednesday, November 19, 2014 9:48 AM
  • That's incredible! The exception I was getting with the above configuration was masking the real problem I was experiencing.

    After installing Fiddler to monitor incoming and outgoing traffic I finally saw that I was getting an answer (a fault) from the STS stating "wrong password type". To avoid this error I set messageSecurityVersion in the StsBinding configuration and I finally got my token.

    Now I need to figure out how to avoid the SecurityNegotiation exception I get stating that the response message containing the token has a wrong Action.

    Wednesday, November 19, 2014 4:45 PM
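A programmatic equivalent of the two customBinding entries posted above, with the message security version set explicitly on the STS binding as the post describes. This is an added illustration, not code from the thread or from Microsoft's documentation. The two addresses, the contract type parameter and the MessageSecurityVersion member are assumptions: the version is chosen to match the February 2005 WS-Trust namespace (http://schemas.xmlsoap.org/ws/2005/02/trust) and PasswordText UsernameToken of the working SoapUI request, and must be confirmed against the STS's own policy.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

// Code-based equivalent of the "StsBinding" / "contextSoap12Binding" pair.
// Addresses are placeholders (assumed, not from the thread).
public static class FederatedClientBindings
{
    public const string StsAddress = "https://sts.example.invalid/services/wso2carbon-sts";
    public const string ServiceAddress = "https://service.example.invalid/services/context";
    public const string Saml2TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    public const string UserIdClaim = "http://wso2.org/claims/userid";

    // Binding WCF's token provider uses to call the STS (the thread's "StsBinding").
    public static CustomBinding CreateStsBinding()
    {
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        security.IncludeTimestamp = true;
        security.KeyEntropyMode = SecurityKeyEntropyMode.ServerEntropy;
        security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

        // Assumption: pin the WS-Security/WS-Trust profile to the February 2005 versions
        // used by the working SoapUI request (wst namespace .../ws/2005/02/trust, PasswordText)
        // instead of leaving the WS-Trust 1.3 default. Confirm the member against the STS.
        security.MessageSecurityVersion = MessageSecurityVersion
            .WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

        var encoding = new TextMessageEncodingBindingElement
        {
            MessageVersion = MessageVersion.Soap12WSAddressing10
        };

        // Plain HTTPS transport: the credential travels in the WS-Security UsernameToken.
        // No HTTP authentication scheme is requested here; whether the STS also expects
        // HTTP Basic must be checked against its policy.
        var transport = new HttpsTransportBindingElement();

        return new CustomBinding(security, encoding, transport);
    }

    // Binding for the target service (the thread's "contextSoap12Binding"): it asks the
    // STS for a SAML 2.0 token carrying the userid claim before calling the service.
    public static CustomBinding CreateServiceBinding()
    {
        var issuedToken = new IssuedSecurityTokenParameters(
            Saml2TokenType, new EndpointAddress(StsAddress), CreateStsBinding())
        {
            KeyType = SecurityKeyType.SymmetricKey
        };
        issuedToken.ClaimTypeRequirements.Add(new ClaimTypeRequirement(UserIdClaim));

        SymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateIssuedTokenBindingElement(issuedToken);
        security.IncludeTimestamp = true;
        security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

        var encoding = new TextMessageEncodingBindingElement
        {
            MessageVersion = MessageVersion.Soap12
        };

        return new CustomBinding(security, encoding, new HttpsTransportBindingElement());
    }

    // Channel factory for the (assumed) service contract. The username and password set
    // on the factory's credentials are what WCF sends to the STS over the StsBinding.
    public static ChannelFactory<TContract> CreateFactory<TContract>(string user, string password)
    {
        var factory = new ChannelFactory<TContract>(
            CreateServiceBinding(), new EndpointAddress(ServiceAddress));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory;
    }
}
```

The same security elements are created here as by the configuration (UserNameOverTransport for the STS, IssuedToken for the service), so the generated RequestSecurityToken should match the SoapUI sample once the version pinned on the STS binding agrees with what the STS actually accepts.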
  • Hi,

    Can you show us the detailed error message here?

    If the error message is "The negotiation security message has the wrong action", you could refer to the following link for more information:

    https://social.msdn.microsoft.com/Forums/vstudio/en-US/6c838f7e-f72f-4fdd-827d-b29c61522aa0/wrong-action-httpdocsoasisopenorgwssxwstrust200512rstrissue?forum=wcf


    Thursday, November 20, 2014 5:24 AM
  • I am reading through the provided link. In the meantime I can confirm that this is the error that I am getting.

    The complete text is "The negotiation security message has the wrong action 'urn:IssueTokenResponse'"

    Thursday, November 20, 2014 9:05 AM
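The fault and the unexpected 'urn:IssueTokenResponse' action above were only found by putting Fiddler in front of the client. A client-side message inspector attached to the channel WCF opens towards the STS shows the same thing from inside the process: the WS-Addressing Action of each RequestSecurityToken request and reply, compared with the RSTR action WCF expects for the WS-Trust version in use. This is an added example, not code from the thread; the two expected-action constants are the values defined by the WS-Trust February 2005 and 1.3 specifications, the STS address is an assumed placeholder, and only headers are logged, never message bodies (which carry the UsernameToken).

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Inspector registered on the issuer channel (ClientCredentials.IssuedToken.IssuerChannelBehaviors)
// so it sees the RST/RSTR exchange with the STS that a normal endpoint behavior would miss.
public sealed class StsActionInspector : IClientMessageInspector, IEndpointBehavior
{
    // RSTR Issue actions defined by the two WS-Trust versions WCF supports.
    public const string RstrIssueFeb2005 = "http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue";
    public const string RstrIssue13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue";

    private readonly string expectedReplyAction;
    private readonly Action<string> log;

    public StsActionInspector(string expectedReplyAction, Action<string> log)
    {
        this.expectedReplyAction = expectedReplyAction;
        this.log = log;
    }

    // True when the reply carries exactly the RSTR action WCF will accept.
    public static bool IsExpectedReplyAction(string actual, string expected)
    {
        return string.Equals(actual, expected, StringComparison.Ordinal);
    }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        log("RST  -> " + channel.RemoteAddress.Uri + " Action=" + request.Headers.Action);
        return null;
    }

    public void AfterReceiveReply(ref Message reply, object correlationState)
    {
        string action = reply.Headers.Action;
        if (IsExpectedReplyAction(action, expectedReplyAction))
            log("RSTR <- Action=" + action + " (as expected)");
        else
            log("RSTR <- Action=" + (action ?? "<none>") + " but WCF expects " + expectedReplyAction);
    }

    // Registers the inspector for the channel to the given STS address.
    // stsAddress must equal the issuer address configured on the issued token parameters.
    public static void AttachTo(ChannelFactory factory, Uri stsAddress,
                                string expectedReplyAction, Action<string> log)
    {
        var behaviors = new KeyedByTypeCollection<IEndpointBehavior>
        {
            new StsActionInspector(expectedReplyAction, log)
        };
        factory.Credentials.IssuedToken.IssuerChannelBehaviors[stsAddress] = behaviors;
    }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        clientRuntime.MessageInspectors.Add(this);
    }

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Example wiring (assumed placeholder address and contract):
//   var factory = new ChannelFactory<IContextService>(binding, new EndpointAddress(serviceAddress));
//   StsActionInspector.AttachTo(factory, new Uri("https://sts.example.invalid/services/wso2carbon-sts"),
//                               StsActionInspector.RstrIssueFeb2005, Console.WriteLine);
```

Because WCF validates the reply action after the channel stack has delivered the message, the inspector's log line is written before the SecurityNegotiationException is raised, so the actual action sent by the STS is recorded alongside the one the client was built to accept.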