Maciej ("Ski") Skierkowski's Blog

Requesting a Token from Azure AppFabric Access Control Service using OAuth 2.0 in C#

2010-12-16T23:54:21Z

Back in September I wrote the article “Requesting a Token from Access Control Service in C#”. In that article I demonstrated the creation of a requesting token, using the Simple Web Token (SWT) token format, and using the OAuth Web Resource Authorization Protocol (WRAP) as the token request protocol. In response ACS will issue a SWT token back which can be used to access web services (commonly REST).

There is one problem though: OAuth WRAP has been deprecated in favor of the OAuth 2.0 specification which the IETF community has been working on over the past year.

The Access Control Service team has been working on supporting the latest revision of OAuth 2.0. As such, it is currently implemented in the Labs CTP version of ACS available at http://portal.appfabriclabs.com/ for testing.

The intent of this article is to provide a simple piece of code to request tokens from ACS using the OAuth 2.0 protocol head instead of OAuth WRAP profile. As such, I will provide a new version of the TokenFactory class I previous posted and I will highlight the differences. For a full understanding of the OAuth 2.0 support in ACS please visit http://acs.codeplex.com/ for documentation and samples.

Also earlier in the year I had written a number of other samples for obtaining tokens from ACS using other languages other than C#, like PHP, Java, and Python. I will not be updating those samples for using OAuth 2.0 instead of WRAP; however, both protocols are relatively simple so it won’t take much effort to figure out how the changes apply for the other languages.

using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.IO;
using System.Net;
using System.Text;
using System.Web.Script.Serialization;

public class TokenFactory
{
    private static string acsHost = "accesscontrol.appfabriclabs.com";
    string serviceNamespace;
    string serviceIdentityName;
    string serviceIdentityPassword;

    public TokenFactory(string serviceNamespace, string serviceIdentityName, string serviceIdentityPassword)
    {
        this.serviceNamespace = serviceNamespace;
        this.serviceIdentityName = serviceIdentityName;
        this.serviceIdentityPassword = serviceIdentityPassword;
    }

    public string GetACSToken(string relyingPartyApplicationName)
    {
        string response;

        // request a token from ACS
        WebClient client = new WebClient();
        client.BaseAddress = string.Format(@"https://{0}.{1}/", serviceNamespace, acsHost);

        NameValueCollection values = new NameValueCollection();
        values.Add("grant_type", "password");
        values.Add("client_id", serviceIdentityName);
        values.Add("username", serviceIdentityName);
        values.Add("client_secret",serviceIdentityPassword);
        values.Add("password", serviceIdentityPassword);

        try
        {
            byte[] responseBytes = client.UploadValues("/v2/OAuth2-10/rp/" + relyingPartyApplicationName, values);
            string responseData = Encoding.UTF8.GetString(responseBytes);

            JavaScriptSerializer serializer = new JavaScriptSerializer();
            Dictionary<string, object> decodedDictionary = serializer.DeserializeObject(responseData) as Dictionary<string, object>;
            response = decodedDictionary["access_token"] as string;
        }
        catch (WebException ex)
        {
            StreamReader reader = new StreamReader(ex.Response.GetResponseStream());
            response = reader.ReadToEnd();
        }
        
        return response;
    }
}

Notice that there are a number of changes from the previous version.

The acsHost address was changed from “accesscontrol.windows.net” to “accesscontrol.appfabriclabs.com”. The OAuth 2.0 support is only on the Labs CTP release and not yet in the production environment, therefore the address change allows us to work against the proper environment.
The WRAP protocol required either a SWT or a Username/Password. The previous version used a SWT token which is why there was code to produce the SWT token itself as the token request then it was submitted using WRAP. There is another profile of WRAP which doesn’t require a token and instead just uses the Username/Password. This example doesn’t require a SWT either, it also only depends on the Username/Password which is why there is no code to produce a SWT.
The latest version of the labs release also includes better error responses, so I added try/catch and the extraction of the error response for my own development-time diagnosis.
The terminology was updated in this sample to match the terminology that is more familiar in the Management Portal.
Lastly, there are the obvious changes due to the differences in the protocols. The values being submitted as well as the address needs to be updated. One thing to note is that before the appliesTo property (i.e. the address) was used to identify the Relying Party, now the name of the RP is used instead.
This code also requires a reference to System.Web and System.Web.Extensions. Previous version only required System.Web, but this version needs the extensions for the JavaScriptSerializer.

Due to these changes Main() also needs to be updated as we no longer need to produce the SWT request and the terminology is updated.

static void Main(string[] args)
{
    string serviceNamespace = "...your service namespace...";
    string serviceIdentityName = "... your service identity name...";
    string serviceIdentityPassword = "...your service identity password...";
    string relyingPartyApplicationName = "... your Relying Party application name...";

    TokenFactory tf = new TokenFactory(serviceNamespace, serviceIdentityName, serviceIdentityPassword);
    string returnToken = tf.GetACSToken(relyingPartyApplicationName);

    Console.WriteLine(returnToken);
    Console.ReadLine();
}

Calling a Service Bus HTTP Endpoint with Authentication using WebClient

2010-09-13T05:57:36Z

This article demonstrates using WebClient in C# to make a client call to a secure Service Bus endpoint exposed using WebHttpRelayBinding. There are two key take-aways from this that mightn’t be covered by existing documentation and samples: (1) learn how place an Access Control STS issued token into the Authorization header, and (2) make a client call to the service without the dependency on the SB client library. The second point is particularly important because non-.NET languages (e.g. PHP, Python, Java) have an analogous to WebClient, therefore understanding this example enables you to easily build clients in other non-.NET languages.

Before getting started you’ll first need to create a WCF service exposed via WebHttpRelayBinding. Below are four files you can copy-paste into your own solution and replace the values for the issuer name, key, and service namespace. The picture below illustrates where you can get the service namespace, default issuer name, and default issuer key to use out-of-the-box with these samples. The page is a screenshot of ServiceNamespace.aspx.

App.config

<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <!-- Application Binding -->
      <webHttpRelayBinding>
        <binding name="default">
          <security relayClientAuthenticationType="RelayAccessToken"></security>
        </binding>
      </webHttpRelayBinding>
    </bindings>

    <services>
      <service behaviorConfiguration="default" name="Microsoft.ServiceBus.Samples.TextService">
        <endpoint address="" behaviorConfiguration="sharedSecretClientCredentials"
          binding="webHttpRelayBinding" bindingConfiguration="default"
          name="RelayEndpoint" contract="Microsoft.ServiceBus.Samples.ITextContract" />
      </service>
    </services>

    <behaviors>
      <endpointBehaviors>
        <behavior name="sharedSecretClientCredentials">
          <transportClientEndpointBehavior credentialType="SharedSecret">
            <clientCredentials>
              <sharedSecret issuerName="owner" issuerSecret="-key-"/>
            </clientCredentials>
          </transportClientEndpointBehavior>
        </behavior>
      </endpointBehaviors>
      <serviceBehaviors>
        <behavior name="default">
          <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

ImageContract.cs

namespace Microsoft.ServiceBus.Samples
{
    using System;
    using System.Runtime.Serialization;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Web;
    using System.IO;

    [ServiceContract(Name = "TextContract", Namespace = "http://samples.microsoft.com/ServiceModel/Relay/")]
    public interface ITextContract
    {
        [OperationContract, WebGet]
        String GetText();
    }

    public interface IImageChannel : ITextContract, IClientChannel { }
}

ImageService.aspx

namespace Microsoft.ServiceBus.Samples
{
    using System;
    using System.Collections.Generic;
    using System.Drawing;
    using System.Drawing.Imaging;
    using System.IO;
    using Microsoft.ServiceBus.Web;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Web;

    [ServiceBehavior(Name = "TextService", Namespace = "http://samples.microsoft.com/ServiceModel/Relay/")]
    class TextService : ITextContract
    {
        public String GetText()
        {
            WebOperationContext.Current.OutgoingRequest.ContentType = "text/plain";
            return "Hello World";
        }
    }
}

Program.cs

namespace Microsoft.ServiceBus.Samples
{
    using System;
    using System.ServiceModel;
    using System.ServiceModel.Description;
    using Microsoft.ServiceBus;
    using System.ServiceModel.Web;

    class Program
    {
        static void Main(string[] args)
        {
            string serviceNamespace = "-servicenamespace-";
            
            Uri address = ServiceBusEnvironment.CreateServiceUri("https", serviceNamespace, "Text");

            WebServiceHost host = new WebServiceHost(typeof(TextService), address);
            host.Open();

            Console.WriteLine("Copy the following address into a browser to see the image: ");
            Console.WriteLine(address + "GetText");
            Console.WriteLine();
            Console.WriteLine("Press [Enter] to exit");
            Console.ReadLine();

            host.Close();
        }
    }
}

Once you have the above service up-and-running creating a client using WebClient is strait forward.

Program.cs

namespace Client
{
    using System;
    using Microsoft.AccessControl.Client;
    using System.Net;

    class Program
    {
        static void Main(string[] args)
        {
            string serviceNamespace = "-";
            string issuerName = "-";
            string issuerKey = "-";
            
            string baseAddress= string.Format("http://{0}.servicebus.windows.net/",serviceNamespace);
            string serviceAddress = string.Format("https://{0}.servicebus.windows.net/Text/GetText", serviceNamespace);

            TokenFactory tf = new TokenFactory(string.Format("{0}-sb",serviceNamespace), issuerName, issuerKey);
            string requestToken = tf.CreateRequestToken();
            string returnToken = tf.GetACSToken(requestToken, baseAddress);

            WebClient client = new WebClient();
            
            client.Headers[HttpRequestHeader.Authorization] = string.Format("WRAP access_token=\"{0}\"", returnToken);
            
            string returnString = client.DownloadString(new Uri(serviceAddress));
            
            Console.WriteLine(returnString);

            Console.ReadLine();
        }

    }
}

First you’ll notice that I am using TokenFactory, which comes from my “Requesting a Token from Access Control in C#”. The base address is the address of the Relying Party. This address maps to the Scope in your Access Control Service configuration. A token granted to /foo in Service Bus will give you access too /foo/bar and /foo/baz because Service Bus uses longest pre-fix matching on the path. This is why we can get a token for the root of the path and use that token to access a resource (i.e. endpoint) at it’s child address.

Also notice that the service namespace when instantiating TokenFactory is is postfixed with “-sb”. This is because the Access Control service has two independent instances of an STS running, one is at http://servicenamespace.accesscontrol.windows.net and the other at http://servicenamespace-sb.accesscontrol.windows.net/ as you can see, they only differ by “-sb”. The latter is a special STS that is just for the Service Bus. I won’t go into the details of this design decision, but from the applications perspective we only have to make sure to use the right STS for issue tokens to be used by the Service Bus.

Once the requesting token is generated by the TokenFactory it is sent to the Access Control Service STS via GetACSToken() method which returns a SWT token issued by the ACS STS.

The ACS-issued token is then added to the HTTP Authorization Header. Make sure to include “WRAP access_token=\”\”” in the header. This informs the Service Bus endpoint of the structure of the token.

F5 and you are golden.

Requesting a Token from Access Control Service in C#

2010-09-13T05:37:59Z

The AppFabric SDK V1.0 July Update SDK has a number of Access Control Service examples demonstrating the requesting of a token from the Access Control Service; however I find myself needing a small snippet to insert into other samples (e.g. Service Bus) just to craft a request token and get a token to Auth with SB. As such, I’m posting this “TokenFactory” code that I’ve been re-using. This is fundamentally the same functionality I’ve demonstrated in previous posts in PHP, Java, and Python.

namespace Microsoft.AccessControl.Client
{
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Cryptography;
    using System.Text;
    using System.Web;
    using System.Net;
    using System.Collections.Specialized;

    public class TokenFactory
    {
        private static string acsHost = "accesscontrol.windows.net";
        string serviceNamespace;
        string issuerName;
        string signingKey;

        public TokenFactory(string serviceNamespace, string issuerName, string signingKey)
        {
            this.serviceNamespace = serviceNamespace;
            this.issuerName = issuerName;
            this.signingKey = signingKey;
        }

        public string CreateRequestToken()
        {
            return this.CreatRequestToken(new Dictionary<string, string>());
        }

        public string CreatRequestToken(Dictionary<string, string> claims)
        {
            // build the claims string
            StringBuilder builder = new StringBuilder();
            foreach (KeyValuePair<string, string> entry in claims)
            {
                builder.Append(entry.Key);
                builder.Append('=');
                builder.Append(entry.Value);
                builder.Append('&');
            }

            // add the issuer name
            builder.Append("Issuer=");
            builder.Append(this.issuerName);
            builder.Append('&');

            // add the Audience
            builder.Append("Audience=");
            builder.Append(string.Format("https://{0}.{1}/WRAPv0.9/&", this.serviceNamespace, acsHost));

            // add the expires on date
            builder.Append("ExpiresOn=");
            builder.Append(GetExpiresOn(20));

            string signature = this.GenerateSignature(builder.ToString(), this.signingKey);
            builder.Append("&HMACSHA256=");
            builder.Append(signature);

            return builder.ToString();
        }

        private string GenerateSignature(string unsignedToken, string signingKey)
        {
            HMACSHA256 hmac = new HMACSHA256(Convert.FromBase64String(signingKey));

            byte[] locallyGeneratedSignatureInBytes = hmac.ComputeHash(Encoding.ASCII.GetBytes(unsignedToken));

            string locallyGeneratedSignature = HttpUtility.UrlEncode(Convert.ToBase64String(locallyGeneratedSignatureInBytes));

            return locallyGeneratedSignature;
        }

        private static ulong GetExpiresOn(double minutesFromNow)
        {
            TimeSpan expiresOnTimeSpan = TimeSpan.FromMinutes(minutesFromNow);

            DateTime expiresDate = DateTime.UtcNow + expiresOnTimeSpan;

            TimeSpan ts = expiresDate - new DateTime(1970, 1, 1, 0, 0, 0, 0);

            return Convert.ToUInt64(ts.TotalSeconds);
        }

        public string GetACSToken(string swt, string appliesTo)
        {
            // request a token from ACS
            WebClient client = new WebClient();
            client.BaseAddress = string.Format(@"https://{0}.{1}/", serviceNamespace, acsHost);

            NameValueCollection values = new NameValueCollection();
            values.Add("wrap_assertion_format", "SWT");
            values.Add("wrap_assertion", swt);
            values.Add("wrap_scope", appliesTo);

            string response = null;

            byte[] responseBytes = client.UploadValues("WRAPv0.9/", values);
            response = Encoding.UTF8.GetString(responseBytes);
            return HttpUtility.UrlDecode(response
                .Split('&')
                .Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))
                .Split('=')[1]);
        }
    }
}

Here is a sample that uses the above to get a token from ACS. In this example I am using it specifically for Service Bus (hence “-sb” in the service namespace).

string serviceNamespace = "-";
string issuerName = "-";
string issuerKey = "-";
            
string baseAddress= string.Format("http://{0}.servicebus.windows.net/",serviceNamespace);
string serviceAddress = string.Format("https://{0}.servicebus.windows.net/Text/GetText", serviceNamespace);

TokenFactory tf = new TokenFactory(string.Format("{0}-sb",serviceNamespace), issuerName, issuerKey);
string requestToken = tf.CreateRequestToken();
string returnToken = tf.GetACSToken(requestToken, baseAddress);

Console.WriteLine(requestToken);
Console.WriteLine(returnToken);
Console.ReadLine();

Azure AppFabric Access Control Sample Import/Export Tool (acmsafeguard.exe)

2010-02-12T17:48:00Z

The AcmSafeGuard tool is a command line tool built to be able to perform a full export and import of the Azure AppFabric Access Control entities, as well as a delete-all operation. This tool, with source, is available in the attachment. I built this by evolving the acm.exe tool that is already included in the AppFabric SDK today.

Scenarios

This tool can be used in two primary scenarios, backup and restore of the ACS entities in case you are worried you make unintended changes to the data, and environment migration of ACS entities from one service namespace to another. This second scenario may be helpful in cases you want to setup another service namespace with a duplicate for the purpose of geo-redundancy. This ensures safety in case one of the service namespaces in a given location becomes unavailable; your application logic can resort to using the back-up service.

Warning

This tool is unsupported because there are many limitations in its capabilities to provide any guarantees of satisfying the scenarios defined. Read the following, it’s the big “WARNING!” sign.

During the duration of the export process, the entities might change. Since the export process is non-transactional, interdependencies between entities are not guaranteed. For example, if a Rule references an Issuer which was deleted after the Issuers were exported, then there is a broken relationship. Also, if you want to be able to say at which exact time the snapshot occurred, that too is not possible. Since the process takes a while and changes might occur for that duration, it is hard to set an exact time of the snapshot as it is not accurate with either the begging or end.

If you want to perform a backup/restore process, I suggest that you use the ACS service as a “cache”, and store the “master” data on your system locally and maintain proper backup practices on that master data.

If you want to perform an environment migration I would suggest that you ensure that the entities do not change for the duration of the export, this way you can actually make an accurate replica. This means you’ll have to prevent modifications of the entities from you application logic. Furthermore, a migration should be done off the master copy, not this ACS cache. That is, if you maintain a master copy of the data as suggested, then instead of migrating from one environment to another, you’d just be deploying the master data to a new ACS service namespace.

[DOWNLOAD]

Sample updates per WRAP update from V0.8 to V0.9

2010-02-11T19:56:00Z

I am in the process of updating the ACS Token Request samples per protocol updates in the ACS service from Version 0.8 to 0.9. I will update the samples in the blog, but in case you made your own changes to the samples, here are the updates you need to make...

Change the STS URI from "https://<service>.accesscontrol.windows.net/WRAPv0.8/" to "https://<service>.accesscontrol.windows.net/WRAPv0.9/"
Change "wrap_SWT" claim type to "wrap_assertion"
Add "wrap_assertion_format" claim type with claim value "SWT"
Change "applies_to" claim type to "wrap_scope"

Requesting a Token from Access Control Service in Python

2009-11-10T00:11:00Z

[UPDATE 2/11: Updated to use new STS V0.9 instead of V0.8]

In the previous posts I demonstrated requesting tokens from the Access Control Service using both Simple Web Token and Shared Secret requests in Java and in PHP. In this little example I am only showing the Shared Secret request in Python.

import sys, httplib, urllib

def MakeSTSRequest(claimSet,stsUrl):
    headers = {"Content-type":"application/x-www-form-urlencoded"}

    conn = httplib.HTTPSConnection(stsUri)
    conn.request("POST","/WRAPv0.9/",claimSet,headers)
    response = conn.getresponse()
    data = response.read()
    conn.close()
    return data

def GetTokenBySharedSecret(stsUrl,claimSet,issuerName,issuerKey,rpURL):
    claimSet = urllib.urlencode({"wrap_scope":rpUri,
                           "wrap_name":issuerName,
                           "wrap_password":issuerKey})
    responseString=MakeSTSRequest(claimSet,stsUrl)
    return ExtractTokenFromResponse(responseString)

def ExtractTokenFromResponse(stringResponse):
    claims=stringResponse.split("&")
    for claim in claims:
        keyValue=claim.split("=")
        if(keyValue[0]=="wrap_token"):
            return keyValue[1]
    return stringResponse

stsUri="[service namespace].accesscontrol.windows.net"
rpUri="[scope applies_to]"
issuerName="[issuer name]"
issuerKey="[issuer key]"

claimSet={"sample_claim_type":"sample_claim_value"}
print GetTokenBySharedSecret(stsUri,claimSet,issuerName,issuerKey,rpUri)

Requesting a Token from Access Control Service in Java

2009-11-06T05:38:00Z

[UPDATE 2/11: Updated to use new STS V0.9 instead of V0.8]

Following demonstrates requesting a token from the .NET Services Access Control Services using a Shared Secret and another using a Simple Web Token.

You'll also need these three libraries to help in the encoding process and the HTTP calls. There are some hacky pieces of code here, but that's mostly due to my ignorance in Java. Feedback to make this better quality code is welcome.

http://commons.apache.org/codec/

http://commons.apache.org/lang/

http://hc.apache.org/

import java.io.IOException;

import java.io.UnsupportedEncodingException;

import java.security.InvalidKeyException;

import java.security.NoSuchAlgorithmException;

import java.util.ArrayList;

import java.util.Iterator;

import java.util.List;

import javax.crypto.Mac;

import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.codec.binary.Base64;

import org.apache.commons.lang.StringUtils;

import org.apache.http.HttpEntity;

import org.apache.http.HttpResponse;

import org.apache.http.NameValuePair;

import org.apache.http.client.ClientProtocolException;

import org.apache.http.client.HttpClient;

import org.apache.http.client.entity.UrlEncodedFormEntity;

import org.apache.http.client.methods.HttpPost;

import org.apache.http.impl.client.DefaultHttpClient;

import org.apache.http.message.BasicNameValuePair;

import org.apache.http.util.EntityUtils;

public class RequestACSToken {

private static final String HMAC_SHA256 = "HmacSHA256";

public static void main(String[] args) throws ClientProtocolException, NoSuchAlgorithmException, IllegalStateException, IOException, Exception

{

String stsUrl="https://[service namespace].accesscontrol.windows.net/WRAPv0.9/";

String rpUrl="[scope applies_to]";

String issuerKey="[issuer key]";

String issuerName="[issuer name]";

List<NameValuePair> claimSetSharedSecret = new ArrayList<NameValuePair>();

claimSetSharedSecret.add(new BasicNameValuePair("sample_in_claim_type","sample_in_claim_value"));

String tokenSharedSecret=GetTokenBySharedSecret(stsUrl,claimSetSharedSecret,issuerName,issuerKey,rpUrl);

System.out.println("Shared Secret: " + tokenSharedSecret);

List<NameValuePair> claimSetSimpleWebToken = new ArrayList<NameValuePair>();

claimSetSimpleWebToken.add(new BasicNameValuePair("sample_in_claim_type","sample_in_claim_value"));

String tokenSimpleWebToken=GetTokenBySimpleWebToken(stsUrl,claimSetSimpleWebToken,issuerName,issuerKey,rpUrl);

System.out.println("Simple Web Token: " + tokenSimpleWebToken);

}

public static String ExtractTokenFromResponse(String stringResponse)

{

String[] returnClaimSet=stringResponse.split("&");

for(int i=0; i<returnClaimSet.length; i++)

{

String[] claimItem=returnClaimSet[i].split("=");

if(claimItem[0].equals("wrap_token"))

{

return claimItem[1];

}

}

// this is an error case, but the body does contain the error details so useful to display

return stringResponse;

}

public static String MakeSTSRequest(List<NameValuePair> claimSet, String stsUrl) throws ClientProtocolException, IOException

{

// encode the claim set

UrlEncodedFormEntity entity = new UrlEncodedFormEntity(claimSet, "UTF-8");

// make the request to the STS

HttpPost httpPost = new HttpPost(stsUrl);

httpPost.setEntity(entity);

HttpClient client = new DefaultHttpClient();

HttpResponse response = client.execute(httpPost);

// capture the response into a string

HttpEntity responseEntity = response.getEntity();

String stringResponse = entity!=null ? EntityUtils.toString(responseEntity) : "";

return stringResponse;

}

public static String GetTokenBySharedSecret(String stsUrl, List<NameValuePair> claimSet, String issuerName, String issuerKey, String rpUrl) throws ClientProtocolException, IOException

{

claimSet.add(new BasicNameValuePair("wrap_name",issuerName));

claimSet.add(new BasicNameValuePair("wrap_password",issuerKey));

claimSet.add(new BasicNameValuePair("wrap_scope",rpUrl));

String stringResponse=MakeSTSRequest(claimSet,stsUrl);

// extract the value for wrap_token and return

return ExtractTokenFromResponse(stringResponse);

}

public static String GetTokenBySimpleWebToken(String stsUrl, List<NameValuePair> claimSet, String issuerName, String issuerKey, String rpUrl) throws ClientProtocolException, IOException, Exception, NoSuchAlgorithmException, IllegalStateException

{

claimSet.add(new BasicNameValuePair("Issuer",issuerName));

claimSet.add(new BasicNameValuePair("Audience",stsUrl));

claimSet.add(new BasicNameValuePair("HMACSHA256",CreateSignature(EncodeQueryString(claimSet),issuerKey)));

List<NameValuePair> newClaimSet = new ArrayList<NameValuePair>();

String wrapToken=EncodeQueryString(claimSet);

newClaimSet.add(new BasicNameValuePair("wrap_assertion",wrapToken));

newClaimSet.add(new BasicNameValuePair("wrap_assertion_format","SWT"));

newClaimSet.add(new BasicNameValuePair("wrap_scope",rpUrl));

String stringResponse=MakeSTSRequest(newClaimSet,stsUrl);

// extract the value for wrap_token and return

return ExtractTokenFromResponse(stringResponse);

}

public static String CreateSignature(String hmacFreeClaimSet, String key) throws NoSuchAlgorithmException, InvalidKeyException, IllegalStateException, UnsupportedEncodingException

{

SecretKeySpec signingKey = new SecretKeySpec(Base64.decodeBase64(key), HMAC_SHA256);

Mac mac = Mac.getInstance(HMAC_SHA256);
mac.init(signingKey);

byte[] rawHmac = mac.doFinal(hmacFreeClaimSet.getBytes("ASCII"));
return Base64.encodeBase64String(rawHmac);

}

public static String EncodeQueryString(List<NameValuePair> claimSet) throws UnsupportedEncodingException
{

List<String> claims = new ArrayList<String>();
for(Iterator<NameValuePair> i = claimSet.iterator(); i.hasNext();)

{

NameValuePair item = (NameValuePair)i.next();
claims.add(item.getName() + "=" + URLEncoder.encode(item.getValue().trim(),"UTF-8"));

}

return StringUtils.join(claims,"&");

}

Requesting a Token from Access Control Service in PHP

2009-11-06T05:05:00Z

[UPDATE 2/11: Updated to use new STS V0.9 instead of V0.8]

Following demonstrates requesting a token from the .NET Services Access Control Services using a Shared Secret and another using a Simple Web Token.

<?php

$stsUrl="https://[service namespace].accesscontrol.windows.net/WRAPv0.9/";

$rpUrl="[scope applies_to]";

$issuerKey="[issuer key]";

$issuerName="[issuer name]";

$claims = array("sample_in_claim_type"=>"sample_in_claim_value");

echo("Shared Secret: " . GetTokenBySharedSecret($stsUrl,$claims,$issuerName,$issuerKey,$rpUrl) . " ");

echo("Simple Web Token: " . GetTokenBySimpleWebToken($stsUrl,$claims,$issuerName,$issuerKey,$rpUrl) . " ");

function GetTokenBySharedSecret($stsUrl, $claimSet, $issuerName, $issuerKey, $rpUrl)

{

$claimSet["wrap_name"]=$issuerName;

$claimSet["wrap_password"]=$issuerKey;

$claimSet["wrap_scope"]=$rpUrl;

$stringResponse = MakeSTSRequest($claimSet,$stsUrl);

return ExtractTokenFromResponse($stringResponse);

}

function GetTokenBySimpleWebToken($stsUrl, $claimSet, $issuerName, $issuerKey, $rpUrl)

{

$claimSet["Issuer"]=$issuerName;

$claimSet["Audience"]=$stsUrl;

$claimSet["HMACSHA256"]=CreateSignature($claimSet,$issuerKey);

$requestSet=array();

$requestSet["wrap_assertion"]=http_build_query($claimSet);

$requestSet["wrap_assertion_format"]="SWT";

$requestSet["wrap_scope"]=$rpUrl;

$stringResponse = MakeSTSRequest($requestSet,$stsUrl);

return ExtractTokenFromResponse($stringResponse);

}

function MakeSTSRequest($claimSet, $stsUrl)

{

// encode the claimset

$tokenRequestBody=http_build_query($claimSet);

// make the request to the STS

$options = array(

"http"=>array(

"method"=>"POST",

"header"=>"Content-Type: application/x-www-form-urlencoded",

"content"=>$tokenRequestBody));

$context=stream_context_create($options);

$fp = fopen($stsUrl,'r',false,$context);

// capture the response into a string

return stream_get_contents($fp);

}

function ExtractTokenFromResponse($stringResponse)

{

parse_str($stringResponse,$Values);

return $Values["wrap_token"];

}

function CreateSignature($claimSet, $key)

{

$hmacFreeClaimSet=http_build_query($claimSet);

$key64Encoded=base64_decode($key);

return base64_encode(hash_hmac("sha256",$hmacFreeClaimSet,$key64Encoded,true));

}

Requesting Tokens from Access Control Service

2009-11-06T05:00:00Z

When designing the Access Control Service we wanted to make it easy to request a token from the STS. We also wanted to make it possible to work with other languages, not just the .NET Framework. As such, I decided to validate the simplicity of the design by picking a few popular programming languages and implementing a token request from the Access Control Service STS. The following few posts will demonstrate requesting a Simple Web Token (SWT) using both Shared Secret and Simple Web Tokens to for the request.

If you are unfamiliar with the Access Control Service, please check out the MSDN documentation “Overview of the Access Control Service.” (http://msdn.microsoft.com/en-us/library/dd582780.aspx)

United States map in XAML

2007-04-22T06:54:00Z

I worked on a little toy project on the side for which I needed a XAML map of the United States; however, I could not find such a thing myself. After looking through a few options I ruled out making a SVG to XAML converter, as I suck too much with XSLT. So instead, I traced a map of the united states from an image state by state. End result is attached for your consumption.

I will continue working with this XAML by making it interactive with some JavaScript thanks to WPF/E (Silverlight).