In blog posts 1 & 2, we went over how a Workflow application can pass credentials to the LOB activities. The mechanisms suggested there work when the credentials originate from the application in question, but a different approach is required when the credentials originate somewhere else. Consider a WCF service that is implemented as a Workflow and uses the LOB activities to interact with the backend LOBs. The client of this service passes its credentials to the service, which then needs to relay them to the LOB activities. In this post, we will go over one approach to handle this scenario. We will limit the scenario to credentials passed as a username/password pair.
The approach uses the extensibility provided by WCF to hook in a custom SecurityTokenAuthenticator. The authenticator extracts the username/password and stores it in the OperationContext by adding a claim set in an authorization policy. A custom ClientCredentials endpoint behavior then extracts it from the OperationContext and populates ClientCredentials.UserName, which the underlying WCF LOB adapter uses to authenticate with the LOB.
Here’s a more detailed explanation of the approach. Please note that the attached code is meant to illustrate the approach; the emphasis is not on making the code efficient or robust.
Extracting the username/password and associating it with the OperationContext
Extracting the username/password from the OperationContext and populating ClientCredentials.UserName
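Both steps above in one added example (not the code attached to the original post): an authorization policy and authenticator that attach the credentials as a claim, and a helper that reads them back into ClientCredentials.UserName. The names RelayPolicy, RelayAuthenticator, RelayReader and the claim type URN are hypothetical; it assumes the authenticator is returned by a custom SecurityTokenManager registered through ServiceCredentials, and that the custom ClientCredentials behavior calls the helper.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Description;

// Carries the caller's username/password into the authorization context as a claim.
sealed class RelayPolicy : IAuthorizationPolicy
{
    public const string ClaimType = "urn:example:relayed-credential"; // hypothetical
    readonly ClaimSet claims;
    public RelayPolicy(string user, string password) => claims = new DefaultClaimSet(
        ClaimSet.System, new Claim(ClaimType, new[] { user, password }, Rights.PossessProperty));
    public string Id { get; } = Guid.NewGuid().ToString();
    public ClaimSet Issuer => ClaimSet.System;
    public bool Evaluate(EvaluationContext context, ref object state)
    {
        context.AddClaimSet(this, claims);
        return true; // complete after one pass
    }
}
// WCF calls this with the contents of the incoming UserName token.
sealed class RelayAuthenticator : UserNameSecurityTokenAuthenticator
{
    protected override ReadOnlyCollection<IAuthorizationPolicy>
        ValidateUserNamePasswordCore(string userName, string password)
    {
        // Assumption: no check here; the LOB system rejects bad credentials.
        return new ReadOnlyCollection<IAuthorizationPolicy>(
            new IAuthorizationPolicy[] { new RelayPolicy(userName, password) });
    }
}
// Call on the service operation's thread, where OperationContext.Current is set.
static class RelayReader
{
    public static bool TryPopulate(ClientCredentials target)
    {
        var ctx = OperationContext.Current?.ServiceSecurityContext?.AuthorizationContext;
        var claim = ctx?.ClaimSets.SelectMany(cs =>
            cs.FindClaims(RelayPolicy.ClaimType, Rights.PossessProperty)).FirstOrDefault();
        if (claim == null) return false;
        var pair = (string[])claim.Resource;
        target.UserName.UserName = pair[0];
        target.UserName.Password = pair[1];
        return true;
    }
}
```

The password stays in clear text in the authorization context for the lifetime of the request, so the binding has to protect the UserName token in transit and the claim set should be kept out of logs and traces.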