Website authenticated by Session Security Token, need to pass it to WCF service

1
votes

I have a simple .NET 4.5 MVC website. Upon login, a ClaimsPrincipal is created with some test claims:

List<Claim> claims = new List<Claim>();
claims.Add(new Claim("Test", "Test"));
claims.Add(new Claim(ClaimTypes.NameIdentifier, "nameid"));
var id = new ClaimsIdentity(claims, "Forms");
var cp = new ClaimsPrincipal(id);

var token = new SessionSecurityToken(cp);
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);

The web.config to get that working is:

<!-- (have snipped out standard, not interesting web.config) -->
<configSections>
     <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
     <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

<system.webServer>
     <modules runAllManagedModulesForAllRequests="true">
     <remove name="FormsAuthenticationModule" />
     <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />

<system.identityModel.services>
     <federationConfiguration>
     <cookieHandler requireSsl="false" persistentSessionLifetime="2"/>

From elsewhere in the web application, I can get at the claims using ClaimsPrincipal.Current.

Sending to WCF Service

I need to send these claims to a friendly WCF service (intranet only). As you can see from above, the token is created in a web application, not on an STS. I want to be able to pass that token to the WCF service and have the service set it as ClaimsPrincipal.

The service looks like:

// IClaimsCheckService
[ServiceContract]
public interface IClaimsCheckService
{
    [OperationContract]
    void CheckClaims();

// ClaimsCheckService.svc
public class ClaimsCheckService : IClaimsCheckService
{
    public void CheckClaims()
    {
        var claimsPrincipal = ClaimsPrincipal.Current;
    }
}

The server web.config is: 

<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <behaviors>
       <serviceBehaviors>
          <behavior>
             <serviceAuthorization principalPermissionMode="Always"  />
             <serviceCredentials useIdentityConfiguration="true" />
             <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
             <serviceDebug includeExceptionDetailInFaults="false"/>

The web.config for the client - which is the MVC website described above and this config is the rest of the config from the snippet above.

<system.serviceModel>
    <behaviors>
        <endpointBehaviors>
            <behavior>
                 <clientCredentials useIdentityConfiguration="true">
                      <serviceCertificate>
                          <authentication certificateValidationMode="None"/>
                      </serviceCertificate>
                 </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
    <bindings>
        <basicHttpBinding>
            <binding name="BasicHttpBinding_IClaimsCheckService" />
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost:59343/ClaimsCheckService.svc"
            binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IClaimsCheckService"
            contract="CCS.IClaimsCheckService" name="BasicHttpBinding_IClaimsCheckService" />
    </client>
</system.serviceModel>

I've read through Dominick Baier's excellent series on WCF and Identity in .NET 4.5. I've also read through the dense MSDN article on Claims based authorization. Unlike other questions, I am not using an STS but creating the federated token in the website.

What I am expecting

When the service is called, I expect the WCF client to send the Principal in the client thread to the WCF service so that when I perform var claimsPrincipal = ClaimsPrincipal.Current; on the server, I get the same Principal.

What happens

The ClaimsPrincipal.Current is empty (new) and does not contain any information from the client.

I have a feeling that creating my own token won't work because the WCF service has no way of decoding it back into claims. Also, I fear that I cannot use basicHttpBinding with no security.

Thank you in advance!

1
.netwcfwifclaims-based-identity

1 Answers

1
votes

There are a couple of weak points in your story but I'll skip over them. (ex: If you create a security token then you are an STS.) For what you want to do there are several approaches. The most standard but most difficult is to use a ws2007federationhttpbinding binding on your service. This requires a fullblown STS that is supporting the WS-Trust protocol (with a securitytokenservice class etc). This is the approach I would advice if your service needs to be called from the internet and if standards are important (like in a mixed Java/c# environment).

In an intranet approach one can also fall back to passing the security token as part of the datacontract. Your serialize the claimsprincipal on client (using a securitytokenhandler of your choice) and deserialize it in your service (using the same security token handler). Depending on the security requirements you can be more or less strict on security otk the serialized token. If it needs to be secure you can choose to sign it on the client and then verify the signature on the service (using either a symmetric key or a certificate based on your preference).

If you want the claimsprincipal you send to be automatically deserialized and assigned to ClaimsPrincipal.Current then you migth consider creating a small WCF service behavior that sends the principal to the service and unpacks it at the service. The functionality in this behavior will be roughly the same as the second approach. It is a bit more work but it is a reusable solution. If you are going too far in this behavior then solution 1 is a better approach.

As a final remark. If you want to "check claims" then you migth want to use a ClaimsAuthorizationManager instead of a service to do that. In that case you don't need to pass any ClaimsPrincipal over the wire.