Need to pass extra parameters into STS authentication via web-service call


Question


I have a custom STS and I have overridden ValidateToken in order to provide my own authentication logic. But in my scenario there are extra parameters that need to be sent from the calling client (not a website login page, but a client app via web service call). WS-Trust should be the place to handle these since it seems the extra arguments option is for that, but I cannot find how to access them from inside the ValidateToken method. It seems from the docs that I should create a WSFederationMessage object and the SignInRequestMessage in order to get the extra data via the .GetParameter() method; however, the constructor wants the Request.URI in what looks like a way to get data from the QueryString, which can't be right in my case of a web service call to the STS. I might have lost my way here, but I am trying to get extra log-in parameters to be passed up via implicit STS bindings (from a client WPF app) to the STS and then access those parameters from a custom overridden ValidateToken method call, and I assume that the WS-Trust extra parameters are the right place for them. Below is my sample code with the problem line in comments:

using System.IdentityModel.Tokens;                     // SecurityToken, UserNameSecurityToken
using Microsoft.IdentityModel.Claims;                  // ClaimsIdentityCollection (WIF 3.5)
using Microsoft.IdentityModel.Protocols.WSFederation;  // WSFederationMessage, SignInRequestMessage
using Microsoft.IdentityModel.Tokens;                  // UserNameSecurityTokenHandler

public class CustomUsernameSecurityTokenHandler : UserNameSecurityTokenHandler
{
    public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
    {
        UserNameSecurityToken userNameToken = token as UserNameSecurityToken;

        if (userNameToken != null)
        {
            // We must pull the extra sign-in parameters from the WSTrust SignInRequestMessage (WIF) Parameters collection:

            // TODO: this call needs a different constructor...
            // There is no HTTP Request object in a token handler invoked from a WCF/WS-Trust call.
            WSFederationMessage fedMessage = WSFederationMessage.CreateFromUri(Request.Url); // replace this

            if (fedMessage.Action == WSFederationConstants.Actions.SignIn)
            {
                SignInRequestMessage request = fedMessage as SignInRequestMessage;

                if (request != null)
                {
                    string extraParam1 = request.GetParameter("myExtraParam1");
                    string extraParam2 = request.GetParameter("myExtraParam2");

                    // authenticate token here using custom logic and return ClaimsIdentityCollection...
                }
            }
        }

        // Every other path is an authentication failure; never fall through with no result.
        throw new SecurityTokenValidationException("Token could not be validated.");
    }
}

Solution

You are confusing 2 concepts here:

- authentication with the STS

- token request

 

Authentication is done in a token handler (like the one you wrote). The token request is handled in the SecurityTokenService derived class. The STS sees the outcome of the token handler and the RST; the token handler sees the incoming raw security token used to authenticate. These are 2 different things.

If you want to add additional information to the authentication process, you either need a token type that supports that information or help yourself by adding some custom headers to the SOAP message (here's an example of a custom token type: http://www.leastprivilege.com/UsingSAMLAsAClientCredentialTypeInWCFUpdatedToWIFRTM.aspx).
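To make the split in the answer concrete, here is an added example (not code from the question or the answer) showing the two halves side by side in WIF 3.5 (Microsoft.IdentityModel namespaces): a UserNameSecurityTokenHandler that only ever sees the raw user-name token, and a SecurityTokenService subclass that is the place where the RST, and therefore any per-request extra data, is visible. It assumes the client carries its extra values as WS-Trust AdditionalContext items and that WIF's WS-Trust 1.3 serializer round-trips them; the parameter URIs, the relying-party address and the in-memory user table are constructed placeholders, not values from the page.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Tokens;

// 1. Authentication. Only the raw UserNameSecurityToken reaches this class;
//    the RST and its extra parameters are not available here.
public class ExampleUsernameTokenHandler : UserNameSecurityTokenHandler
{
    // Constructed credential store for the example only (assumption: a real
    // handler verifies against a salted-hash password store, never plaintext).
    private static readonly Dictionary<string, string> Users =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", "correct horse battery staple" }
        };

    public override bool CanValidateToken { get { return true; } }

    public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
    {
        var userNameToken = token as UserNameSecurityToken;
        if (userNameToken == null)
            throw new SecurityTokenException("Expected a UserNameSecurityToken.");

        string expected;
        if (!Users.TryGetValue(userNameToken.UserName, out expected) ||
            !FixedTimeEquals(expected, userNameToken.Password))
            throw new SecurityTokenValidationException("Invalid user name or password.");

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, userNameToken.UserName) }, "Password");
        return new ClaimsIdentityCollection(new IClaimsIdentity[] { identity });
    }

    // Compare every character so a mismatch does not return early.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null) return false;
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// 2. Token request. The principal arriving here was already authenticated by
//    the handler above; the RST (including AdditionalContext) is visible now.
public class ExampleSecurityTokenService : SecurityTokenService
{
    // Placeholder parameter names (assumption); use your own URIs.
    public const string ExtraParam1Uri = "urn:example:myExtraParam1";
    public const string ExtraParam2Uri = "urn:example:myExtraParam2";

    public ExampleSecurityTokenService(SecurityTokenServiceConfiguration config)
        : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");
        // A real STS checks AppliesTo against its registered relying parties here.
        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
                              SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false; // example only; encrypt tokens in production
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));

        // Extra parameters are untrusted request data: copy only the expected
        // ones, and never let them change who was authenticated.
        if (request.AdditionalContext != null)
        {
            foreach (ContextItem item in request.AdditionalContext.Items)
            {
                string name = item.Name == null ? null : item.Name.AbsoluteUri;
                if ((name == ExtraParam1Uri || name == ExtraParam2Uri) && item.Value != null)
                    output.Claims.Add(new Claim(name, item.Value));
            }
        }
        return output;
    }

    // Client side: how the WPF app would attach the values to its Issue request.
    public static RequestSecurityToken BuildIssueRequest(string param1, string param2)
    {
        var rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue)
        {
            AppliesTo = new EndpointAddress("https://rp.example.invalid/"), // placeholder RP
            AdditionalContext = new AdditionalContext()
        };
        rst.AdditionalContext.Items.Add(new ContextItem(new Uri(ExtraParam1Uri), param1));
        rst.AdditionalContext.Items.Add(new ContextItem(new Uri(ExtraParam2Uri), param2));
        return rst;
    }
}
```

The design point is the one the answer makes: the credential check and the extra values live in different stages, so the values can only be consulted after the handler has produced an authenticated principal, and they are treated as input to claim issuance rather than as part of the authentication decision.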

