您的位置: 首页  >  技术问答  >  调用WCF服务发出的令牌

调用WCF服务发出的令牌

分类: 技术问答 2022-07-17 00:00:18
问题描述:

我尝试以下操作:调用WCF服务发出的令牌

  • 一个WCF客户端调用STS,并得到SAML断言
  • 客户端调用使用SAML断言现在

服务我已将上述场景实施为三个LinqPad脚本:client.linq,sts.linq(自托管的WCF服务)和service.linq(自托管的WCF服务)。他们都可以在https://github.com/codeape2/WCF_STS

我需要一些帮助得到这个工作。

使用client.linq下面的代码,我可以打电话给我的STS,并得到一个SAML断言:

SecurityToken GetToken() 
{ 
    var binding = new BasicHttpBinding(); 
    var factory = new WSTrustChannelFactory(binding, stsAddress); 
    factory.TrustVersion = TrustVersion.WSTrustFeb2005; 

    var rst = new RequestSecurityToken 
    { 
     RequestType = RequestTypes.Issue, 
     KeyType = KeyTypes.Symmetric, 
     AppliesTo = new EndpointReference(serviceAddress) 
    }; 
    return factory.CreateChannel().Issue(rst); 
}

下一步,我用下面的代码(尝试)打电话给我服务与SAML断言包括:

var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message); 
binding.Security.Message.EstablishSecurityContext = false; 
var factory = new ChannelFactory<ICrossGatewayQueryITI38>(
    binding, 
    new EndpointAddress(new Uri(serviceAddress), new DnsEndpointIdentity("LocalSTS")) 
); 

factory.Credentials.SupportInteractive = false; 
factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = 
    X509CertificateValidationMode.None; 

var proxy = factory.CreateChannelWithIssuedToken(token); 
var response = proxy.CrossGatewayQuery(
    Message.CreateMessage(MessageVersion.Soap12WSAddressing10, "urn:ihe:iti:2007:CrossGatewayQuery", "Hello world") 
);

接下来会发生什么我完全不明白。我有提琴手运行,当我运行该脚本,这里是我所看到的:

  1. 第一次请求/STS(预期)

  2. proxy.CrossGatewayQuery结果三次调用/Service

    2.1。带有动作的SOAP调用http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

    2.2。带有动作的SOAP调用http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

    2.3。最后的SOAP调用动作为urn:ihe:iti:2007:CrossGatewayQuery。使用Fiddler,我注意到SOAP安全头包含第一步中的SAML断言。

最终调用导致从服务返回SOAP错误:消息中至少有一个安全令牌无法验证。保存的提琴手请求/响应日志是在这里:https://drive.google.com/file/d/0B-UZlLvBjjB2S050TXRhVEo2Vmc/view?usp=sharing

如果有谁能够告诉我关于下面,我将非常感激:

  • 为什么WCF客户端发送RST/IssueRSTS/Issue请求到/Service (上述步骤2.1和2.2)?
  • 如何配置这些组件以完成我想要的操作,即向STS发送一个请求,然后向服务发送一个请求,传递从STS获得的SAML断言。

第一个问题是重新协商服务凭证。

这种变化照顾的是:

binding.Security.Message.NegotiateServiceCredential = false

然后,服务不得不启用WIF配置:太

host.Credentials.UseIdentityConfiguration = true; 
host.Credentials.IdentityConfiguration = CreateIdentityConfig(); 

IdentityConfiguration CreateIdentityConfig() 
{ 
    IdentityConfiguration identityConfig = new IdentityConfiguration(false); 

    //AUDIENCE URI     
    //the token we receive contains this value, so if do not match we fail 
    identityConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri($"http://{Environment.MachineName}:8000/Service")); 

    //ISSUER NAME REGISTRY explicit the thumbprint of the accepted certificates, if the token coming in is not signed with any of these certificates then is considered invalid 
    var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry(); 
    issuerNameRegistry.AddTrustedIssuer("81 5b 06 b2 7f 5b 26 30 47 3b 8a b9 56 bb 9f 9f 8c 36 20 76", "signing certificate sts"); //STS signing certificate thumbprint 
    identityConfig.IssuerNameRegistry = issuerNameRegistry; 
    identityConfig.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None; 
    return identityConfig; 
}

还有其他的变化,GitHub库已更新的代码,在工作master分支。

感谢MS支持谁走过我通过弄清楚这一点。

相关推荐