ASP.NET Web App To REST WCF Service Delegation Using Shared SWT Token

Back to [[Windows Azure Active Directory Solutions For Developers]] 

Scenario

In this scenario you are developing distributed application that includes front end ASP.NET web app and the backend REST WCF service. You are interested to use public identity providers, such as Live ID, Google, Facebook, Yahoo!, and OpenID 2.0, to authenticate users. You are also interested to flow the original identity of the end users down to the backend REST WCF service for authentication and authorization purposes at the backend.

• Distributed application. ASP.NET web app front end and REST WCF service backend
• identities are managed by public identity providers, such as Live ID, Google, Facebook, Yahoo!, OpenID 2.0.
• Identity needs to flow through the tiers down to the backend REST WCF service.

Solution Approach

Windows Identity Foundation (WIF) and Windows Azure Access Control Service (ACS) is used to solve this scenario.  The approach is to have one relying party configured in ACS that issues SWT token. This SWT token is used with both front end ASP.NET web app and downstream REST WCF service. The signing keys shared with all three - ACS, ASP.NET RP, REST WCF RP. Another challenge is that WIF does not come with built-in SWT token handler. WIF offers extensibility features that allows to built custom token handlers, in this case Custom SWT Token Handler is used and plugged into the WIF pipeline. The SWT token issued by ACS needs to be reused when calling to REST WCF service from ASP.NET web app. To allow so, the ASP.NET web app configured to save the bootstrap token that includes the raw representation of the original SWT token issued by ACS. The raw token is then attached to the HTTP request when calling to the downstream REST WCF service. This is how original identity is flown from the end user through the tiers, ASP.NET web app to the REST WCF service.

• Use custom token handler as part of the WIF pipeline to parse and validate incoming SWT tokens issued by ACS..
• Configure one shared relying party in ACS to issue SWT tokens signed by shared signed key.
• Configure ASP.NET web app to save bootstrap token that has original raw token in it.
• The bootstrap token is available in the ASP.NET web app context as part of the HttpContext's identity.
• Attach original raw SWT token to each request to REST WCF service
• Validate the SWT token at the REST WCF service using shared signing key. Use either same custom SWT Token Handler as with ASP.NET web app or parse it manually. This sample shows how to parse it manually.

Analysis

Current implementation assumes code that needs to be written for the custom SWT Token Handler to be used with WIF proccessing pipeline. The sample uses sample code for such custom SWT Token Handler adopted from one of the ACS SDK Samples. SWT token handling in REST WCF service is manual parsing without use of WIF pipeline, consider using SWT Custom Token handler in REST WCF service similar to how it's used in ASP.NET web app.

How To's

• How To: Configure Google as an Identity Provider
• How To: Configure Facebook as an Identity Provider
• How To: Configure Yahoo! as an Identity Provider

Code Samples

• ASP.NET Web App To REST WCF Service Delegation Using Shared SWT Token

Resources

• Visio Diagram for this scenario: ASP.NET to WCF (REST) Delegation With Live ID, Google, Facebook Using SWT.vsd
• Code Sample: Windows Phone 7 Application
• REST WCF: Authentication With SWT Token Issued By Windows Azure Access Control Service (ACS)
• ASP.NET: Authentication With SWT Token Using Windows Azure ACS and WIF Custom Token Handler
• ASP.NET Portal