What? You haven’t heard of the Web Resource Authorization Protocol (WRAP)?
Well, you’re really missing out. But, not to worry, you can catch up pretty quickly with the cognoscenti by reading the specification. Or, if you’re in too much of a hurry for that route, here’s a quick excerpt (paraphrased)…
As the internet has evolved, applications increasingly access resources through APIs over HTTP and other web protocols. Many of these are Protected Resources, which require authorization for access. The systems trusted and/or equipped to make authorization decisions may be independent from the Protected Resources for scale and security reasons. The Web Resource Authorization Protocol (WRAP) allows a Protected Resource to delegate responsibility for access authorization to one or more trusted authorities.
In a nutshell, WRAP enables trust delegation for REST web services, and along with technologies like WS-Federation, it further enables identity federation and important high-level features that leverage identity federation, such as single sign-on. This blog post by Justin Smith, for example, shows how AppFabric Access Control can be federated with version 2 of the Active Directory Federation Services to support single sign-on with corporate credentials.
WRAP is essentially a REST analog of WS-Trust. A related specification, Simple Web Token (SWT), defines a simple security token format designed to be used with WRAP, in much the same way that Security Assertion Markup Language (SAML) tokens, X.509 certificates, Kerberos tickets and other security token formats are used with WS-Trust.
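As an added illustration (not code from this post or from AppFabric), here is how a Protected Resource might check a Simple Web Token before trusting the authority that issued it. It assumes the layout in the published SWT specification: form-encoded name/value pairs including Issuer, Audience and ExpiresOn, followed by a final HMACSHA256 pair computed over everything before it with a key shared with the issuer. The function names, key and URLs are constructed for the example.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote

SIG = "&HMACSHA256="  # signature pair; must come last in the token

def sign_swt(pairs, key):
    """Issuer side: form-encode the claims and append an HMAC-SHA256 over them."""
    body = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + SIG + quote(base64.b64encode(mac).decode(), safe="")

def validate_swt(token, key, issuer, audience, now=None):
    """Protected Resource side: return the claims, or raise ValueError."""
    body, sep, sig = token.rpartition(SIG)
    if not sep or "&" in sig:
        raise ValueError("HMACSHA256 must be the final pair")
    try:
        presented = base64.b64decode(unquote(sig), validate=True)
    except ValueError:
        raise ValueError("signature is not valid base64")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):  # constant-time compare
        raise ValueError("signature mismatch")
    # Parse only after the MAC verifies; duplicate names are rejected so the
    # issuer and the resource cannot disagree about which value applies.
    pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    claims = dict(pairs)
    if len(claims) != len(pairs):
        raise ValueError("duplicate claim name")
    if claims.get("Issuer") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("Audience") != audience:
        raise ValueError("token was issued for a different resource")
    if not claims.get("ExpiresOn", "").isdecimal():
        raise ValueError("missing or malformed ExpiresOn")
    if int(claims["ExpiresOn"]) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# Constructed sample values, not taken from any real deployment.
KEY = b"constructed-demo-key-0123456789ab"
ISSUER, AUDIENCE = "https://sts.example.test/", "https://api.example.test/orders"

def demo_token(expires_on=2_000_000_000):
    return sign_swt([("role", "reader"), ("Issuer", ISSUER),
                     ("Audience", AUDIENCE), ("ExpiresOn", str(expires_on))], KEY)
```

The audience and expiry checks matter as much as the signature: a correctly signed token issued for a different resource, or replayed after it expires, must still be refused.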
AppFabric Access Control is a Security Token Service, as defined in the WS-Trust specification, hosted on Windows Azure. In previous releases, it accepted WS-Trust active token requests and WS-Federation passive token requests. With the November 2009 CTP, it began accepting token requests based on WRAP and SWT. It will support the WS-* protocols again in future releases, however.
The preceding mention of the CTP brings us full circle to the news I announced at the top of the article. If you’ve seen my screencast on the Dallas integration, or played with the example I published to Code Gallery, you may have noticed that the CTP used WRAP version 0.8. In the next release, it will use WRAP version 0.9, which is different enough from the previous version to make the migration non-trivial.
If you found this post interesting, and would like to follow our progress, I’ll be posting on these topics again in the future. You might want to check out the official Dallas and AppFabric blogs, or the blogs by Dick Hardt, Kim Cameron, Justin Smith, and Maciej (“Ski”) Skierkowski.