What is the use of Default Issuer and Default Key in Windows Azure Service Bus? Does the key need to be secured?

0
votes

We have created a downloading client-service model application in which a WCF service is hosted on one of our servers and the client application is distributed among the partners. Partners are provided with unique pin using which they can authenticate themselves with the WCF service and can place requests for downloading to the WCF Service.

The clients connect to the WCF Service through Windows Azure Service Bus within which we have created a namespace using which client applications can connect to the service. Every namespace has a Default Issuer and Default Key. We have embedded this Default key in our code when connecting to the service bus. Somebody told me that the key needs to be secured and you need to get the application signed in order to protect the embedded key. Is that true?

Do we really need to secure this key? If yes then how? and Is there a way we can simply provide authentication in Service Bus which identifies the clients from their pins and and allows only a set of people to access the service bus namespace? OR I'm uselessly getting worried on such points? :)

We are using Service Bus Relay. I have been reading about SAS and ACS and it seems according to the documentation that SAS is not supported for Relays. Following is the link: "Support for Service Bus relays will be added in the near future." http://msdn.microsoft.com/en-us/library/windowsazure/dn170477.aspx

I am unable to understand how to use ACS for authenticating clients. The information provided in the Windows Azure documentation are all bouncers for me and I can not relate them to anything no matter how hard I try.

If somebody has any information for my concerns then please help me with proper links and guidance.

Thanks!

EDIT!!! I have been searching on this and the following link provides a methodology for creating an unauthenticated client: http://msdn.microsoft.com/en-us/library/microsoft.servicebus.nettcprelaybinding.aspx

by using following tag in my client App.Config

<security relayClientAuthenticationType="None" />

I have tried this, but getting the below error: "Generic: There was an authorization failure. Make sure you have specified the correct SharedSecret, SimpleWebToken, SharedAccessSignature, or Saml transport client credentials. MissingToken: Relay security token is required."

I'm looking more about this error. But few questions arise. If we make the azure service bus accessible without authentication, can somebody simply misuse the service bus for their own advantage?

1
c#wcfclient-serverazureservicebusazure-servicebusrelay

1 Answers

0
votes

Do we really need to secure this key?

You store Issuer and Default Key on your server side. To authorize on the Azure service bus, Service Bus WCF endpoint uses the Issuer and Default Key to create a token that will be signed with the Default Key that means that Default Key will never be sent to Azure.

Is there a way we can simply provide authentication in Service Bus which identifies the clients from their pins and and allows only a set of people to access the service bus namespace? OR I'm uselessly getting worried on such points?

As far as I understood you have already implemented some kind of security on the WCF side. There is another one way of doing that. You can use ACS to authentificate Clients. By Default Azure relay Service provides Support for the Simple Web Tokens.

Here is the workflow:

  1. Client send UserName/Password( or UserName/Key) to the ACS.
  2. ACS validates whether the credentials are valid.
  3. ACS send the SWT token back to the Client.
  4. Client packs the SWT token onto the HTTP request(for instance into headers)
  5. Client sends a request to the Web Service with the token in Header.
  6. WCF web Service recieves the token and validates the token with the secured shared key that was provided from ACS Namespace.(note that this key is not sent during the communication it has to be manually copied from the ACS Portal to the web Service config file)
  7. If token is valid then web Service sends data to the Client.