AzureAD / azure-activedirectory-identitymodel-extensions-for-dotnet

IdentityModel extensions for .Net
MIT License

Please add support for WSTrust #852

Closed thuannguy closed 3 years ago

thuannguy commented 6 years ago

Per comments and replies in issue #476, I open this issue to request WSTrust support. While I know that resources are limited and that the demand for a .Net Core version of WSTrust is not as high as for other passive-profile use cases, this is really the last thing I need in order to port my big web application to Asp.Net Core 😄

brentschmaltz commented 6 years ago

@thuannguy I put this in the vNext milestone. It is not our highest priority; can you let us know why you need it? If others in the community need this, then that might bump the priority. Are you looking at creating WsTrust messages or just consuming them?

thuannguy commented 6 years ago

@brentschmaltz Thank you :smile: In fact, I do all the things related to WSTrust messages: both client applications and WCF services that use WSTrust to do security stuff, and also an STS (similar to ADFS) that issue tokens using WSTrust.

Mahe85 commented 5 years ago

@brentschmaltz @thuannguy Hello! Finally, is there WSTrust / STS support for .net core?

thuannguy commented 5 years ago

I wonder when .NET framework is done, will the team developers be redistributed to other teams to speed up Core support for missing libraries, e.g. this one 😄

thuannguy commented 5 years ago

The reasons why I need this:

  1. I have many big enterprise applications that rely on WSTrust and SAML stacks. I believe I'm not the only one. OAuth/OIDC are good for "modern" applications, but those enterprise stacks won't go away anytime soon.
  2. Some features I need won't be supported in .NET framework. When I asked for those features to be added to the .NET framework, the answer was usually "why do you need it", and "we won't add those features to .NET framework but instead will add missing features from .NET framework to core". That makes sense, except for point (3) below.
  3. When I request new features to be added to core, the reply is usually that "we don't have enough resources, and the features are not high priority". As a developer, I can understand that every team has limited resources. The only problem is that I'm stuck 😢

brentschmaltz commented 5 years ago

@thuannguy WSTrust is a large spec: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html

I hear you, you need it; we used to have it in Desktop.... Can you express a set of key features such as:

  1. Version 1.3
  2. RST/R without secondary parameters
  3. Do we need BinarySecrets?
  4. What Bindings? Issuance?
  5. etc....

thuannguy commented 5 years ago

@brentschmaltz My product offers all WS-Trust features that ADFS has to offer, plus a few more custom ones, so I guess I will need a whole lot of the spec.

  1. Yes, 1.3. We also need one aspect of 1.4, but I don't remember exactly what it is. Maybe something that has to do with OnBehalfOf or ActAs.
  2. I never heard about secondary parameters before, so I probably don't need it.
  3. We can live without BinarySecrets.
  4. Currently we are supporting Certificate binding, IssuedToken, UserName, Windows, Kerberos, and LibertySimpleSoapBinding (a custom one). The current .Net framework gives us enough flexibility to create all those bindings based on the Binding base class.
  5. Honestly, I'm not competent enough to know which exact features in the big WS-Trust spec are actually used by my code. I would be super happy if I had all the above 😋

brentschmaltz commented 5 years ago

@thuannguy thanks, this is a big help in scoping. As you see WS-Trust is a big spec. 1.4 did introduce OBO and ActAs.

Couple of additional scoping questions:

  1. I assume you would need full RST/RSTR (inbound / outbound) processing.
  2. When you wrote: Binding class, are you speaking to WCF?
  3. Are you just communicating with ADFS?
  4. Could you prioritize the different bindings? i. Certificate ii. IssuedToken iii. UserName iv. Windows v. Kerberos vi. Extensibility (with this you could do anything).

thuannguy commented 5 years ago

@brentschmaltz hi

  1. Yes, you are right.
  2. One example for it is https://github.com/IdentityModel/Thinktecture.IdentityModel.40/blob/master/IdentityModel/Thinktecture.IdentityModel/WSTrust/WSTrustBindingBase.cs
  3. It does more than that. My product can do all ADFS can and more, e.g. eID profiles based on WS-Trust such as OIO Identity-based Web Services (OIOIDWS), which we are able to support on .NET framework by defining a CustomBinding. Anyway, my product can federate with ADFS, or it can replace ADFS totally.
  4. I would say i, ii, iii, and the ability to define custom bindings. I can live without iv, v and vi.

brentschmaltz commented 5 years ago

@thuannguy the link you have above shows a WCF binding, so it seems like you have a need to craft up a WSTrust message and parse the response. Your app/sdk will be responsible for sending the message.

If we can scope to i., ii., iii. We can help. Can you describe a bit about custom binding? Do you mean Custom WSTrust binding?

It looks like Thinktecture supports trust 1.3 and 2005 (which was an internal Microsoft version before the spec was ratified).

thuannguy commented 5 years ago

One example for a custom binding is:

    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;

    // SigningAlgorithm, CustomTextMessageBindingElement and CustomTextMessageEncoderFactory
    // are the author's own types and are not shown in this post.
    public class LibertySimpleSoapBinding : CustomBinding
    {
        private readonly SigningAlgorithm signingAlgorithm;

        public LibertySimpleSoapBinding(SigningAlgorithm signingAlgorithm)
        {
            this.signingAlgorithm = signingAlgorithm;
        }

        // Scheme is taken from the transport element (https here).
        public override string Scheme
        {
            get
            {
                TransportBindingElement element = this.CreateBindingElements().Find<TransportBindingElement>();

                if (element == null)
                {
                    return string.Empty;
                }

                return element.Scheme;
            }
        }

        // Binding elements are ordered top-down: message security, then encoding, then transport.
        public override BindingElementCollection CreateBindingElements()
        {
            var elements = new BindingElementCollection();

            var textmessageEncoding = CreateMessageEncodingBindingElement();
            var messageSecurity = CreateSecurityBindingElement(this.signingAlgorithm);

            elements.Add(messageSecurity);
            elements.Add(textmessageEncoding);
            elements.Add(new HttpsTransportBindingElement());
            return elements.Clone();
        }

        private static AsymmetricSecurityBindingElement CreateSecurityBindingElement(SigningAlgorithm signingAlgorithm)
        {
            // WS-Security 1.0 + WS-Trust 1.3 + WS-SecureConversation 1.3 + WS-SecurityPolicy 1.2 (BSP 1.0)
            MessageSecurityVersion version =
                MessageSecurityVersion
                    .WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;

            // Mutual certificate: both client and service sign with their own X.509 certificate.
            var sec = SecurityBindingElement.CreateMutualCertificateBindingElement(version) as AsymmetricSecurityBindingElement;
            if (signingAlgorithm == SigningAlgorithm.Sha256)
                sec.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Sha256;
            // Encrypt first, then sign, so the signature covers the ciphertext.
            sec.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
            return sec;
        }

        private static MessageEncodingBindingElement CreateMessageEncodingBindingElement()
        {
            return new CustomTextMessageBindingElement(
                messageEncoderFactory => new CustomTextMessageEncoderFactory(messageEncoderFactory));
        }
    }

AFAICT, the WSTrust binding is also a form of a custom binding 😄 IIRC, originally .NET had it, then it was removed in version 4.0 (or 4.5?) so Thinktecture had to create that WSTrustBinding.

brentschmaltz commented 5 years ago

@thuannguy yeah those bindings were removed when WIF was integrated into .NET 4.0.

In terms of WCF binding, are you planning on using WCF? The WSTrust message is part of an XML message and is carried in the body. The binding you are showing above is setting the characteristics of the message properties. If you are using WCF, we would need a way to embed the WSTrust message into the SOAP envelope before it is signed. WIF used to do that, but this library doesn't have much knowledge of WCF.

thuannguy commented 5 years ago

Ah yes, I will need to use WCF. Sorry for not mentioning it. I have used the two together for my product since day one so in my mind they are just one thing (which is definitely not the case).

brentschmaltz commented 5 years ago

@thuannguy ah, we don't have plans for full blown WCF in Core. This library is focusing on .NET Core usage. Are you using Core?

thuannguy commented 5 years ago

Yes, my plan is to migrate to core. It seems to me that some folks are asking for more WCF support in Core. My naive hope was that if in 18 months or 2 years Core has enough WSTrust and WCF support, that will be a big boost for those who need to maintain enterprise applications like me.

brentschmaltz commented 5 years ago

@thuannguy that is still up in the air. I will leave this in the 5.x milestone for now.

thuannguy commented 5 years ago

@brentschmaltz whatever it takes! At least there is a chance I will get it out of 14000605 possibilities 😈 Thank you and happy weekend 😄

kabronkline commented 5 years ago

WCF support would be very good to have for large enterprise adoption. +1

brentschmaltz commented 5 years ago

@thuannguy @kabronkline @Mahe85 we are going to move forward on this. The goal is to make it possible for a WCF Client to be able to make a WsTrust call from a .net Core app.

brentschmaltz commented 4 years ago

@thuannguy @kabronkline @Mahe85 we are making some progress on this. I marked it for 5.6.1 release. The topic branch is brentsch/wstrust.

ndneubauer commented 4 years ago

@brentschmaltz Are you able to provide an estimate as to when 5.6.1 will be in a testable form at least? I have a project with dependency on both legacy WCF service calls via WSTrust and .NET Core. Thank you!

brentschmaltz commented 4 years ago

@ndneubauer current POR is for end of November for a preview. Hopefully the preview is a short stop before GA.

johnthcall commented 4 years ago

@brentschmaltz I've looked in your topic branch but don't see support for WSTrustChannel. Is that pending, or would it not be included in the initial WSTrust support?

brentschmaltz commented 4 years ago

@johnthcall It's pending. We are focused on SignedHttpRequest; we will get back to WsTrustChannel in about a week.

brentschmaltz commented 4 years ago

@johnthcall this work is currently on topic branch brentsch/wstrust

brentschmaltz commented 4 years ago

@thuannguy @johnthcall @kabronkline @Mahe85 @ndneubauer we are closing on this for a preview WCF wsfederation binding release. Now is the time to have a look and see if this feature meets your needs.

zvolkov commented 3 years ago

This would come in handy to glue our newer stuff to legacy stuff that relies on ADFS integration, are you guys planning to release it any time soon?

zvolkov commented 3 years ago

Since MSFT is not responding, posting what I found myself, for other developers' sake:

The changes in brentsch/wstrust topic branch have been merged; WsTrust functionality is available on NuGet as Microsoft.IdentityModel.Protocols.WsTrust (package version 6.7.2-preview-10803222715 and newer).

WS2007HttpBinding and WSFederationHttpBinding are available in System.ServiceModel.Http (package version 4.8.0-preview3.20412 and newer). See WCF issue #4110 for more info.

WSTrustChannelSecurityTokenProvider featured in the topic branch is available in System.ServiceModel.Federation (package version 4.8.0-preview3.20412.3 or newer).
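An added example (not from this thread, and not code from either the IdentityModel or the dotnet/wcf project) of how the packages listed in the previous comment fit together on a .NET Core WCF client: a `WSFederationHttpBinding` built from `WSTrustTokenParameters` drives the WS-Trust 1.3 RST/RSTR exchange with the STS and attaches the issued token to each service call. The service contract `IEchoService`, the two endpoint URLs and the assumption that `ChannelFactory.Credentials` is what the federated binding presents to the issuer are all hypothetical placeholders; the API names are those of System.ServiceModel.Federation and System.ServiceModel.Http as I know them, so verify them against the package version you install.

```csharp
// Added example, not code from this thread or from the WCF/IdentityModel projects.
// Requires the System.ServiceModel.Federation and System.ServiceModel.Http packages
// (the preview versions listed in the comment above, or newer).
using System;
using System.ServiceModel;
using System.ServiceModel.Federation;
using System.ServiceModel.Security;

// Hypothetical relying-party contract (placeholder, not a real service).
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string message);
}

public static class FederatedClient
{
    // Placeholder addresses: replace with your STS issuer endpoint and relying-party service.
    private const string StsEndpoint = "https://sts.example.test/adfs/services/trust/13/usernamemixed";
    private const string ServiceEndpoint = "https://rp.example.test/EchoService.svc";

    public static WSFederationHttpBinding CreateBinding()
    {
        // Binding used to talk to the STS itself: TLS on the wire plus the caller's credential
        // inside the message (UserName over HTTPS). The RST carries the user's password, so the
        // issuer binding must never run with SecurityMode.None or plain transport-less message security.
        var issuerBinding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        issuerBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var issuerAddress = new EndpointAddress(StsEndpoint);

        // "WS2007" federation parameters = WS-Trust 1.3, the version the thread scopes to.
        WSTrustTokenParameters tokenParameters =
            WSTrustTokenParameters.CreateWS2007FederationTokenParameters(issuerBinding, issuerAddress);

        // Bearer key: the issued token carries no proof key, so anyone holding it can replay it.
        // That is acceptable only because the token travels exclusively over TLS (below).
        tokenParameters.KeyType = SecurityKeyType.BearerKey;

        // The federated binding: internally it uses WSTrustChannelSecurityTokenProvider to run the
        // RST/RSTR exchange and then presents the issued token on every call to the service.
        var binding = new WSFederationHttpBinding(tokenParameters);
        binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
        return binding;
    }

    public static string CallService(string userName, string password)
    {
        var factory = new ChannelFactory<IEchoService>(CreateBinding(), new EndpointAddress(ServiceEndpoint));

        // Assumption: these credentials are presented to the STS, not to the relying party.
        // The relying party only ever sees the issued token, never the password.
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        IEchoService channel = factory.CreateChannel();
        var clientChannel = (IClientChannel)channel;
        try
        {
            string reply = channel.Echo("hello");
            clientChannel.Close();
            return reply;
        }
        catch
        {
            // A faulted channel cannot be closed cleanly; abort it so no half-open session lingers.
            clientChannel.Abort();
            throw;
        }
    }
}
```

The security-relevant choices are the two `SecurityMode` settings and the key type: with `BearerKey` the token is only as safe as the channel it is sent over, so both the issuer binding and the service binding are pinned to TLS plus message credentials. If the service requires proof of possession, switch `KeyType` to `SecurityKeyType.SymmetricKey` and the binding will negotiate a proof key during issuance.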

thuannguy commented 3 years ago

@brentschmaltz thank you for implementing the feature. My team and I will look at this next time we evaluate whether we are able to migrate our products to .NET core (we do that about once a year). Please feel free to close this request if other requesters find that the implementation meets their needs.

MariaCobretti commented 3 years ago

How does one make requests to get a token? There is no RequestSecurityToken and no WSTrustChannel class.

MariaCobretti commented 3 years ago

Found my answer: https://github.com/dotnet/wcf/issues/4542

brentschmaltz commented 3 years ago

@MariaCobretti we have added WSTrustChannel and WSTrustChannelFactory to WCF, see: https://github.com/dotnet/wcf

MariaCobretti commented 3 years ago

You mean you are currently working on it? Because I certainly don't see it right now.

janniksam commented 2 years ago

> you mean you are currently working on it? cause I certainly don't see it right now

bump. :)

brentschmaltz commented 2 years ago

@janniksam the code has been added to the WCF project; a preview release is available.

thuannguy commented 2 years ago

@brentschmaltz Per dotnet/wcf#4542, I thought code is released already (aka not in preview anymore). At least System.ServiceModel.XXX 4.9.0.0 works for me. Could you please elaborate? Is there still another preview release that has even more out of the box support for WSTrust?

I guess you mean the preview version 4.10.0-preview1.22261.2 which has WSTrustChannelFactory added.

https://github.com/dotnet/wcf/commit/ab9b3c1cb00f558dcd6ac6f3b02663ace5e25750#diff-5154bdab4d937a2d8e7c3553d2a8df7ac2d6231d0d76bbca1c87f4f9e343dabd