in WSTrustChannelFactory documentation there is a reference to working with proxy:
One common pattern where the OnBehalfOf feature is used is the proxy
pattern where the client cannot access the STS directly but instead
communicates through a proxy gateway
I can't seem to find an example.
In some of my users' computers a proxy is defined for exteral request.
How can I request the token if the STS is behind proxy.
Currently I am getting it as follows:
var rst = new RequestSecurityToken{...}
IWSTrustChannelContract wsTrustChannelContract = factory.CreateChannel();
var token = wsTrustChannelContract.Issue(rst) as GenericXmlSecurityToken;
How can I change it to using the proxy?
Thanks.
OnBehalfOf is for situations where you build the proxy yourself - like the ADFS proxy.
I haven't seen any sample for that either - but it follows the same pattern as ActAs.
It has nothing to do with "regular" web proxies that might be between you and your STS.
But have a look here:
How can I set an HTTP Proxy (WebProxy) on a WCF client-side Service proxy?
Related
I'm implementing an asp .net core web API for my company. The authentication should be processed via the built-in jwt bearer authentication.
The problem I'm struggling with is, that I'm working behind a proxy. So for the token validation, I'm facing 407 proxy authentication failed responses.
As far as I know, in .net framework, there was the possibility to define a default proxy in the web.config but for .net core, I couldn't find any similar functionality.
Is it possible to "inject" proxy settings for the jwt authentication or if not, is there any other way to work with this authentication behind a proxy?
The option to define a global proxy in the Web.config is gone for ASP.NET Core.
Most APIs that do anything over HTTP allow you to set a HttpMessageHandler, though. You can set the proxy for that MessageHandler.
For instance, assuming you're using default JwtBearer Authentication you could try this approach:
appsettings.json:
"Proxy": {
"ProxyAddress": "http://MyProxy:8080"
},
In your ConfigureServices method you can then:
services.AddAuthentication()
.AddJwtBearer("Bearer", o =>
{
o.BackchannelHttpHandler = new HttpClientHandler
{
Proxy = new WebProxy(Configuration["Proxy:ProxyAddress"])
};
});
Depending on what flow you use you may need to set the Proxy on other/additional handlers as well.
Additionally, if you require finer grained control over the Proxy, you can always write a class implementing IWebProxy and use that instead of newing a WebProxy with a proxy address.
I'm looking for the way to provide credentials (grammatically) for HTTP proxy that should be used to connect to service (Security Token Service), the proxy credentials differ from the credentials for the service.
I saw several posts here (it took me back to 2006-8) and the solution was by changing the default proxy
WebProxy proxy = new WebProxy("http://myproxyserver",true);
proxy.Credentials = new NetworkCredential("username", "password");
WebRequest.DefaultWebProxy = proxy;
I think it is risky to change the global setting for all WebRequests from my assembly that performs a dedicated task.
I'm wondering if in .NET 4.5 there is a better solution for this case.
Similar questions:
WCF Custom Http Proxy Authentication
How can I set an HTTP Proxy (WebProxy) on a WCF client-side Service proxy?
Don't set default proxy, set proxy object with desired credentials per request
I have a WCF service which is running fine.
It is used within an intranet network.
It is a self-hosted service
(no IIS) managed by a simple Windows Form program.
It is used by a
WCF client (WPF C#).
I now need to add security to it and after having read a lot of posts on the internet I'm getting confused as there are many ways of doing.
I need a custom username and password validator (I will have to call another web service to know if user is authorized or not).
I also need secure communication between client and server.
I am currently using basicHttpBinding.
MS recommends the use of NetTcpBinding in my case (https://msdn.microsoft.com/en-us/library/ff648863.aspx#TransportSecurityWCF), but I am not sure if this is or can be secured ?
I think I better use WsHttpBinding to have SSL: do you think that this link provides proper solution to my case ? https://msdn.microsoft.com/en-us/library/ms733775.aspx ?
Thanks for your advices
You can do SSL/Transport encryption with BasicHTTPBinding. That doesn't need to change; you just need to set up the host side with "Transport" security, add some code and a certificate, and you should be able to proceed without changing too much code. I can include a small code sample below, since I did the same thing you're trying to do via a self-hosted service.
BasicHttpBinding b = default(BasicHttpBinding);
if (bUseSSL) {
//check for ssl msg credential bypass
if (bSSLMsgCredentialBypass) {
b = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
} else {
b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
}
b.TransferMode = TransferMode.Buffered;
b.MaxReceivedMessageSize = int.MaxValue;
b.MessageEncoding = WSMessageEncoding.Text;
b.TextEncoding = System.Text.Encoding.UTF8;
b.BypassProxyOnLocal = false;
//b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
}
The authentication/authorization can be done, too, without changing what you currently have. You really have two choices:
One is that you create a Login function that get's called when the client first visits the host. You then send some token value back to the client for all subsequent communications.
The other way involves creating that custom authentication check, using the message inspector functionality found in Dispatcher.IDispatchMessageInspector and a public function called AfterReceiveRequest. Within that function, you can examine the UserID and Pwd (from within the HTTP header data) sent from the clients- but you need to implement this on both the client and host sides, otherwise it doesn't work.
I am hosting a soap webservice via an instance iHost of ServiceHost; authentication is configured as
HttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
iHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode
= UserNamePasswordValidationMode.Custom;
iHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator
= new CustomValidator();
The hosting itself works as desired, however I also would like to access the client credentials from within the hosted service itself. Can this be achieved with the current authentication settings or is it impossible?
Found the answer with the help of a coworker. Username can be accessed via OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name; the question can be seen as a duplicate of this question.
I have been given a wdsl for an external system (not .Net-based), and I have used svcutil to create a client/proxy for it. The external unit requires digest authentication for me to talk to it, and supports both http and https.
A couple of questions:
There are no certificates involved. Will using https cause problems in that case?
I know I can specify transport level digest authentication like this:
var binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Digest;
However, how do I go about creating the credentials and using them with my binding/proxy?
I can easily find a lot of information online on creating WCF services, but implementation of clients towards non-.Net based services... not so much.
Thanks for any insight!