Question
I have read this article, Identity Delegation with AD FS 2.0 Step-by-Step Guide, on how to perform identity delegation using WIF from an ASP.NET application to a back-end WCF service. I currently have an ASP.NET Web API REST service that I want to be able to call from my ASP.NET application using identity delegation, but I cannot find any information on how to accomplish this. The mentioned TechNet article uses CreateChannelActingAs to create a channel to the WCF service using the calling user's security token, but obviously this method is not applicable to a REST API. Can anyone point me to any articles or provide a description of how I can delegate identity using WIF to my REST service?
My Web API REST service application is already set up and working using WIF authentication with the help of this library from Thinktecture.
Answer 1:
I found the solution (I am using Thinktecture Identity Server). I had to set up a delegation account that my web application uses (webappaccount) to delegate to the realm my service is in by going to Identity Delegation -> Add Realm in Identity Server, and in my web application I had to make a service call to my STS providing the bootstrap token to receive a new security token, which I can then use to authenticate to my service.
In the web app config I set:
```xml
<system.identityModel>
  <!-- keep the caller's incoming token so it can be presented to the STS later -->
  <identityConfiguration saveBootstrapContext="true">
  </identityConfiguration>
</system.identityModel>
```
and in my web app the code to access my service looks like:
```csharp
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using Thinktecture.IdentityModel.Extensions; // HttpClient.SetToken comes from the Thinktecture library

// _trustUrl (STS endpoint), _realm (service realm) and _baseAddress (service base Uri)
// are fields of the web application.

// The caller's original token, available because saveBootstrapContext="true" is set.
BootstrapContext context = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;

// Channel to the STS, authenticated as the web application's delegation account.
var factory = new WSTrustChannelFactory(
    new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), _trustUrl);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = "webappaccount";
factory.Credentials.UserName.Password = "P@ssword"; // placeholder; load from protected configuration

// Request a bearer token for the service realm, acting as the original caller.
var rst = new RequestSecurityToken
{
    RequestType = RequestTypes.Issue,
    KeyType = KeyTypes.Bearer,
    AppliesTo = new EndpointReference(_realm),
    ActAs = new SecurityTokenElement(context.SecurityToken)
};
var token = factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;

// Present the issued SAML token to the REST service in the Authorization header.
var client = new HttpClient
{
    BaseAddress = _baseAddress
};
client.SetToken("SAML", token.TokenXml.OuterXml);
var response = client.GetAsync("api/values").Result;
```
My REST service did not require any changes.
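The service side can still verify that a delegated token really came through the expected web application. The following Web API authorization filter is an added example, not code from the answer or from the Thinktecture project: it relies on WIF populating ClaimsIdentity.Actor from the actor claim in an ActAs-issued token, and it assumes the STS emits the delegation account's Name claim as "webappaccount" (the attribute name, the expected actor value and the response text are assumptions).

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter: accept a request only when the presented token was
// obtained via ActAs by the trusted delegation account.
public class RequireDelegationFromAttribute : AuthorizationFilterAttribute
{
    private readonly string _expectedActor;

    public RequireDelegationFromAttribute(string expectedActor)
    {
        _expectedActor = expectedActor;
    }

    // Returns true when the identity carries an actor whose Name claim matches
    // the expected delegation account; false for direct (non-delegated) tokens.
    public static bool IsDelegatedBy(ClaimsIdentity identity, string expectedActor)
    {
        if (identity == null || identity.Actor == null)
        {
            return false;
        }

        // WIF exposes the delegating party of an ActAs token as identity.Actor;
        // deeper chains are reachable through identity.Actor.Actor.
        return identity.Actor.Claims.Any(
            c => c.Type == ClaimTypes.Name && c.Value == expectedActor);
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // ClaimsPrincipal.Current is populated by the WIF pipeline already in place.
        var identity = ClaimsPrincipal.Current == null
            ? null
            : ClaimsPrincipal.Current.Identity as ClaimsIdentity;

        if (!IsDelegatedBy(identity, _expectedActor))
        {
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden,
                "Token was not delegated by a trusted application");
        }
    }
}
```

Applied as `[RequireDelegationFrom("webappaccount")]` on a controller, the filter rejects tokens that were issued directly to a user rather than through the configured delegation account, while the original caller's claims remain available on the outer identity.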
Source: https://stackoverflow.com/questions/24459532/wif-identity-delegation-to-webapi-rest-service