How to use System.IdentityModel in own client-server application
I've got a simple client-server application based on TcpClient/TcpListener and SslStream. Clients can authenticate themselves to the server using a X509Certificate or by sending a user name and password after the SslStream has been established.
WCF makes use of the System.IdentityModel namespace for authentication purposes, but apparently that can be used in arbitrary applications--which sounds interesting. Information on how to do this is sparse though (or my Google foo is weak today).
So, my question is: What do I need to do to integrate System.IdentityModel with my application? I'm not sure if I need all that ClaimSet stuff, but it would be nice if users could log in just using their Windows account or any other provided authentication mechanism. (Unfortunately I can't just switch to WCF but have to use the custom protocol, although I can make some changes to it if necessary.)
Answer
My Google foo was indeed weak. The answer is right behind the link in my question. So here are a couple of links to this blog in case somebody has the same question eventually.
First, you should try to understand "that claim set stuff":
- Claims
- Claim Sets
- Inspecting Claim Sets
- Windows and X509Certificate Claim Sets
- Typical Operations on Claim Sets
Then, you need to know where claim sets come from:
- Authorization Policies, Context and Claims Transformation
- Claims Transformation in WCF
- Authorization Context and Claims Transformation outside of WCF
Armed with this knowledge, it actually becomes quite simple.
If I understand it correctly, the basic workflow would be something like this:
- Client creates a
SecurityTokenusing aSecurityTokenProvider - Client serializes the
SecurityTokenusing aSecurityTokenSerializer - Server deserializes the
SecurityTokenusing aSecurityTokenSerializer - Server creates
IAuthorizationPolicys using aSecurityTokenAuthenticator - Server creates
AuthorizationContextfromIAuthorizationPolicys - Done
Example:
// Create the SecurityTokenProvider
var p = new UserNameSecurityTokenProvider("username", "password");
// Get the SecurityToken from the SecurityTokenProvider
var t = p.GetToken(TimeSpan.FromSeconds(1.0)) as UserNameSecurityToken;
// ... transmit SecurityToken to server ...
// Create the SecurityTokenAuthenticator
var a = new CustomUserNameSecurityTokenAuthenticator(
UserNamePasswordValidator.None);
// Create IAuthorizationPolicies from SecurityToken
var i = a.ValidateToken(t);
// Create AuthorizationContext from IAuthorizationPolicies
var c = AuthorizationContext.CreateDefaultAuthorizationContext(i);
ShowClaims(c.ClaimSets);
For X509SecurityTokens use a X509SecurityTokenProvider/Authenticator. For WindowsSecurityTokens there's a WindowsSecurityTokenAuthenticator but not a provider; instead, use the WindowsSecurityToken constructor:
var t = new WindowsSecurityToken(WindowsIdentity.GetCurrent());
This works quite well. The only thing I omitted so far above is the token serialization. There is a SecurityTokenSerializer class which has one implementation in the .NET framework: the WSSecurityTokenSerializer class which comes with WCF.
Serializing UserNameSecurityTokens and X509SecurityTokens works like a charm (haven't tried deserialization), but WindowsSecurityTokens are apparently not supported by the serializer. This leaves me with the two authentication methods that I already have (certificates and username/password) and, as I didn't want that AuthorizationContext anyway, I'll stick with what I have :)