Augmenting Security Requests
How can I add some additional information to the request when contacting a token server?
Looking at the schema for a RequestSecurityToken message, there clearly is some extensibility space intended for providing additional information in the request. We'll ignore the fact that the actual schema says that the whole thing is an xs:any and only look at the annotated content model because WCF is a lot more likely to be designed with that content model in mind.
<xs:element name='RequestSecurityToken' type='wst:RequestSecurityTokenType' />
<xs:complexType name='RequestSecurityTokenType' >
<xs:annotation>
<xs:documentation>
Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
<xs:element ref='wst:TokenType' minOccurs='0' />
<xs:element ref='wst:RequestType' />
<xs:element ref='wsp:AppliesTo' minOccurs='0' />
<xs:element ref='wst:Claims' minOccurs='0' />
<xs:element ref='wst:Entropy' minOccurs='0' />
<xs:element ref='wst:Lifetime' minOccurs='0' />
<xs:element ref='wst:AllowPostdating' minOccurs='0' />
<xs:element ref='wst:Renewing' minOccurs='0' />
<xs:element ref='wst:OnBehalfOf' minOccurs='0' />
<xs:element ref='wst:Issuer' minOccurs='0' />
<xs:element ref='wst:AuthenticationType' minOccurs='0' />
<xs:element ref='wst:KeyType' minOccurs='0' />
<xs:element ref='wst:KeySize' minOccurs='0' />
<xs:element ref='wst:SignatureAlgorithm' minOccurs='0' />
<xs:element ref='wst:Encryption' minOccurs='0' />
<xs:element ref='wst:EncryptionAlgorithm' minOccurs='0' />
<xs:element ref='wst:CanonicalizationAlgorithm' minOccurs='0' />
<xs:element ref='wst:ProofEncryption' minOccurs='0' />
<xs:element ref='wst:UseKey' minOccurs='0' />
<xs:element ref='wst:SignWith' minOccurs='0' />
<xs:element ref='wst:EncryptWith' minOccurs='0' />
<xs:element ref='wst:DelegateTo' minOccurs='0' />
<xs:element ref='wst:Forwardable' minOccurs='0' />
<xs:element ref='wst:Delegatable' minOccurs='0' />
<xs:element ref='wsp:Policy' minOccurs='0' />
<xs:element ref='wsp:PolicyReference' minOccurs='0' />
<xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI' use='optional' />
<xs:anyAttribute namespace='##other' processContents='lax' />
</xs:complexType>
Now the question is how to take advantage of that extensibility in the easiest way. By tracing backwards from the point where a RequestSecurityToken is written out, I arrive at finding that the first publicly accessible field controlling that content is IssuedSecurityTokenParameters.AdditionalRequestParameters. AdditionalRequestParameters is just a collection over XmlElement so that clearly lets me put anything I want in there. However, where would an IssuedSecurityTokenParameters get created? Tracing a little bit farther back reveals that a WSFederationHttpBinding creates an IssuedSecurityTokenParameters as part of building the security binding element. The content that gets put into the AdditionalRequestParameters is the TokenRequestParameters from the binding's message security settings. Therefore, we can add some additional information to the request when contacting a token server by writing code that looks like this:
WSFederationHttpBinding binding = new WSFederationHttpBinding();
binding.Security.Message.TokenRequestParameters.Add( ... );
Next time: Scopes of Encryption