13

I've got a simple client-server application based on TcpClient/TcpListener and SslStream. Clients can authenticate themselves to the server using a X509Certificate or by sending a user name and password after the SslStream has been established.

WCF makes use of the System.IdentityModel namespace for authentication purposes, but apparently that can be used in arbitrary applications--which sounds interesting. Information on how to do this is sparse though (or my Google foo is weak today).

So, my question is: What do I need to do to integrate System.IdentityModel with my application? I'm not sure if I need all that ClaimSet stuff, but it would be nice if users could log in just using their Windows account or any other provided authentication mechanism. (Unfortunately I can't just switch to WCF but have to use the custom protocol, although I can make some changes to it if necessary.)

dtb
  • 213,145
  • 36
  • 401
  • 431

2 Answers2

17

My Google foo was indeed weak. The answer is right behind the link in my question. So here are a couple of links to this blog in case somebody has the same question eventually.

First, you should try to understand "that claim set stuff":

Then, you need to know where claim sets come from:

Armed with this knowledge, it actually becomes quite simple.

If I understand it correctly, the basic workflow would be something like this:

  1. Client creates a SecurityToken using a SecurityTokenProvider
  2. Client serializes the SecurityToken using a SecurityTokenSerializer
  3. Server deserializes the SecurityToken using a SecurityTokenSerializer
  4. Server creates IAuthorizationPolicys using a SecurityTokenAuthenticator
  5. Server creates AuthorizationContext from IAuthorizationPolicys
  6. Done

Example:

// Create the SecurityTokenProvider
var p = new UserNameSecurityTokenProvider("username", "password");

// Get the SecurityToken from the SecurityTokenProvider
var t = p.GetToken(TimeSpan.FromSeconds(1.0)) as UserNameSecurityToken;

// ... transmit SecurityToken to server ...

// Create the SecurityTokenAuthenticator
var a = new CustomUserNameSecurityTokenAuthenticator(
    UserNamePasswordValidator.None);

// Create IAuthorizationPolicies from SecurityToken
var i = a.ValidateToken(t);

// Create AuthorizationContext from IAuthorizationPolicies
var c = AuthorizationContext.CreateDefaultAuthorizationContext(i);
ShowClaims(c.ClaimSets);

For X509SecurityTokens use a X509SecurityTokenProvider/Authenticator. For WindowsSecurityTokens there's a WindowsSecurityTokenAuthenticator but not a provider; instead, use the WindowsSecurityToken constructor:

var t = new WindowsSecurityToken(WindowsIdentity.GetCurrent());

This works quite well. The only thing I omitted so far above is the token serialization. There is a SecurityTokenSerializer class which has one implementation in the .NET framework: the WSSecurityTokenSerializer class which comes with WCF.

Serializing UserNameSecurityTokens and X509SecurityTokens works like a charm (haven't tried deserialization), but WindowsSecurityTokens are apparently not supported by the serializer. This leaves me with the two authentication methods that I already have (certificates and username/password) and, as I didn't want that AuthorizationContext anyway, I'll stick with what I have :)

Steve Duitsman
  • 2,749
  • 5
  • 27
  • 39
dtb
  • 213,145
  • 36
  • 401
  • 431
  • 1
    In case anybody is interested, I'm not sure the SecurityToken should be created on the client side and transmitted to a server. For X.509 security it makes much more sense to initiate a SslStream with the server and create the X509SecurityToken from the server certificate, for Windows security the WindowsSecurityToken can be created from the negotiateStream.RemoteIdentity if a NegotiateStream is used. For username/password security, of course, the username and password will need to be transmitted. – dtb May 29 '09 at 21:52
7

I don't have the reputation to post a comment to the existing solution, but I'd like to post the new URLs to the blogs listed in the solution, since those don't work anymore. If someone can change this to a comment, I'd be much obliged.

user849924
  • 318
  • 3
  • 9