

Gotchas when dealing with WRAP Protocol v0.8 / v0.9

If you have downloaded and used the Azure Training Kit, you may have noticed that some of the Access Control Service demos use the WRAP v0.8 protocol. If you then take sample code from some of the PDC 09 demos and try to make it work with your Azure Training Kit code, it breaks when it tries to talk to the Access Control Service.

The actual protocol specification can be found at this link (this is the new location, since Google moved the old one): https://oauth-wrap-wg.googlegroups.com/web/WRAP-v0.9.7.2.pdf?gda=xwejEkQAAABFB7PFAFiVedPtjcqT8uuIxscyNBnhXJW2aE8V2gprNBidFvlYqd_ZjmG9h9kh5-pV6u9SiETdg0Q2ffAyHU-dzc4BZkLnSFWX59nr5BxGqA

The breakage is caused by breaking changes between the WRAP v0.8 and v0.9 protocols. Most of them involve the names of the fields.

The biggest issue you will find if you try to use your WRAP v0.8 based apps in the cloud is that the endpoint is gone. The WRAP endpoint name has changed from https://servicenamespace.accesscontrol.windows.net/WRAPv0.8/ to https://servicenamespace.accesscontrol.windows.net/WRAPv0.9/

The WRAPv0.8 endpoint has been removed.  

For example, the v0.8 applies_to field, which determines the URL of the property the SWT applies to, has been renamed to wrap_scope in v0.9. Here is a list of some of the changes.

WRAP Request changes

Token type field.  In WRAPv0.8, the requester specified the type of token by providing “wrap_swt=[token]” or “wrap_saml=[token]” in the request.  In WRAPv0.9, the user now provides a separate parameter specifying the token type: “wrap_assertion_format=[SWT, SAML]”.  See Section 5.2 of the WRAPv0.9.7.2 document referenced above for more details.

Token field.  In WRAPv0.9, since the token type is a separate parameter (see above item), the token is provided using the “wrap_assertion=[token]” parameter.  See Section 5.2 of the WRAPv0.9.7.2 document for details.

Scope field.  In WRAPv0.9, the “applies_to” field name has been changed to “wrap_scope”.  See Section 5 of the WRAPv0.9.7.2 document for more details.

WRAP Response changes

Expiration field.  In the WRAPv0.9 token, the “wrap_token_expires_in” field name has been changed to “wrap_access_token_expires_in”.  See section 5 of the WRAPv0.9.7.2 document.

Body field.  In the body of the response from ACS upon a token request, the body was previously “wrap_token=[token body]”.  The name has been changed such that the body is now “wrap_access_token=[token body]”.  See Section 5 of the WRAPv0.9.7.2 document.

Issuer in the returned token.  In the November 2009 CTP, the issuer in the token response was the URI of the endpoint that issued the token.  For example, in the November 2009 CTP, if you requested a token from https://servicenamespace.accesscontrol.windows.net/WRAPv0.8/, the issuer in the returned token was https://servicenamespace.accesscontrol.windows.net/WRAPv0.8/.  In this release, the issuer in the returned token is not tied to a specific endpoint (in preparation for future support of multiple-endpoint-issuing tokens), so the response returns https://servicenamespace.accesscontrol.windows.net/.

Authorization (auth) header.  In WRAPv0.8, the auth header appeared as:  Authorization: WRAPv0.8 [token].  In WRAPv0.9, the auth header format is now:  Authorization: WRAP access_token="[token]".  See section 4.2 of the WRAPv0.9.7.2 document.
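
The renames listed above can be collected into one small migration shim. This is an added example, not code from the Training Kit, the PDC demos or the original post; the helper names (upgrade_endpoint, upgrade_request, parse_token_response, auth_header) are hypothetical, and only the field names and header format come from the list above.

```python
from urllib.parse import parse_qs

# Field renames listed in this post (v0.8 name -> v0.9 name).
REQUEST_RENAMES = {"applies_to": "wrap_scope"}
TOKEN_FIELDS = {"wrap_swt": "SWT", "wrap_saml": "SAML"}
RESPONSE_RENAMES = {"wrap_token": "wrap_access_token",
                    "wrap_token_expires_in": "wrap_access_token_expires_in"}


def upgrade_endpoint(url):
    """Point a v0.8 token endpoint URL at the v0.9 endpoint."""
    return url.replace("/WRAPv0.8/", "/WRAPv0.9/")


def upgrade_request(v08_params):
    """Translate a v0.8 token-request form into its v0.9 field names."""
    out = {}
    for name, value in v08_params.items():
        if name in TOKEN_FIELDS:
            # v0.9 splits the token type and the token into two parameters.
            out["wrap_assertion_format"] = TOKEN_FIELDS[name]
            out["wrap_assertion"] = value
        else:
            out[REQUEST_RENAMES.get(name, name)] = value
    return out


def parse_token_response(body):
    """Return (token, expires_in) from a v0.9 form-encoded response body."""
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    stale = sorted(set(fields) & set(RESPONSE_RENAMES))
    if stale:
        raise ValueError(f"v0.8 response fields present: {stale}")
    try:
        return (fields["wrap_access_token"],
                int(fields["wrap_access_token_expires_in"]))
    except KeyError as missing:
        raise ValueError(f"v0.9 response field missing: {missing}") from None


def auth_header(token):
    """Build the v0.9 Authorization header value."""
    return f'WRAP access_token="{token}"'


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    old = {"wrap_swt": "constructed-token", "applies_to": "http://localhost/service"}
    print(upgrade_request(old))
```

Failing loudly on the old response field names, rather than silently accepting both, makes a stale v0.8 code path show up as an error instead of a missing token further downstream.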