Scenario for STS with symmetric signing key for a Relying party


Please help me to understand the following scenario:

The web application requests a token from the STS. The STS is Thinktecture IdentityServer v2 and is configured as follows:

General Configuration

Only one relying party

Both the web application and the STS have a trust relationship established by installing the required certificates.

The web application uses the WS-Trust protocol to request a token with the following code:

    // WS-Trust client built on WIF 4.5 (System.IdentityModel) and System.IdentityModel.Tokens.Jwt.
    // UserNameWSTrustBinding and TokenTypes.JsonWebToken are assumed to come from Thinktecture.IdentityModel;
    // WS_TRUST_END_POINT, identityServer, username and password are defined elsewhere in the application.
    using System.IdentityModel.Protocols.WSTrust;
    using System.IdentityModel.Services;
    using System.IdentityModel.Tokens;
    using System.IO;
    using System.ServiceModel;
    using System.ServiceModel.Security;
    using System.Xml;

    // Username/password are sent as a message credential inside a TLS-protected channel.
    WSTrustChannelFactory factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        string.Format(WS_TRUST_END_POINT, identityServer));

    string relyingParty = "urn:test:symmetric";
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.UserName.UserName = username;
    factory.Credentials.UserName.Password = password;

    // Issue request: bearer key type (no proof key), JWT token type, scoped to the relying party (AppliesTo).
    RequestSecurityToken rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Bearer,
        TokenType = TokenTypes.JsonWebToken,
        AppliesTo = new EndpointReference(relyingParty),
    };

    GenericXmlSecurityToken xmlToken = factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;

    // Read the returned token with the handlers configured in <securityTokenHandlers>.
    // ReadToken returns a SecurityToken, which for a JWT is a JwtSecurityToken.
    SecurityTokenHandlerCollection handlers =
        FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
    JwtSecurityToken jwtToken = handlers.ReadToken(
        new XmlTextReader(new StringReader(xmlToken.TokenXml.OuterXml))) as JwtSecurityToken;

    // Checks the signature against the configured symmetric key, the issuer and the audience.
    var identities = handlers.ValidateToken(jwtToken);

The application web.config looks like the following:

    <system.identityModel>
      <identityConfiguration saveBootstrapContext="true">
        <audienceUris>
          <add value="urn:test:symmetric"/>
        </audienceUris>
        <securityTokenHandlers>
          <add type="System.IdentityModel.Tokens.JwtSecurityTokenHandler, System.IdentityModel.Tokens.Jwt, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
          <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
            <sessionTokenRequirement lifetime="00:30:00"/>
          </add>
          <securityTokenHandlerConfiguration>
            <issuerTokenResolver type="System.IdentityModel.Tokens.NamedKeyIssuerTokenResolver, System.IdentityModel.Tokens.JWT">
              <securityKey symmetricKey="JDQLsrFL1VGBj5GZcAo0Xick4stoHyV5ah0B8RDBUoM=" name="TH_STS"/>
            </issuerTokenResolver>
            <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
              <!-- STS Authority Nodes -->
              <authority name="TH_STS">
                <keys>
                  <add symmetricKey="JDQLsrFL1VGBj5GZcAo0Xick4stoHyV5ah0B8RDBUoM="/>
                </keys>
                <validIssuers>
                  <add name="TH_STS"/>
                </validIssuers>
              </authority>
            </issuerNameRegistry>
          </securityTokenHandlerConfiguration>
        </securityTokenHandlers>
      </identityConfiguration>
    </system.identityModel>

I have read the WIF concepts but I am still struggling to understand the flow. Am I correct in understanding the following:

  1. The token request works over HTTPS.
  2. Trust is established between the token requestor (web application) and the STS by installing the proper certificate.
  3. The web application requests a token over the WS-Trust protocol, including the username/password, the relying party, KeyType = Bearer and TokenType = JsonWebToken.
  4. The STS validates the user credentials, then creates and sends a JWT token. The token is signed using the symmetric key configured in the STS for the mentioned relying party. The claims are not encrypted.
  5. On receiving the token, the web application validates the token by verifying it is coming from the same STS and decrypts the token using the same symmetric key.

Does the above understanding seem correct? Am I missing anything here, or is anything wrong here?

Also, how are the symmetric keys generated?

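The issue and validate steps in points 4 and 5, worked through as an added example that is not code from the original post, from WIF or from Thinktecture IdentityServer: a stand-alone Python script using only the standard library. It generates a 256-bit key base64-encoded the way the symmetricKey value in the web.config is stored, issues an HS256 JWT for issuer TH_STS and audience urn:test:symmetric, and performs the relying-party checks the configuration implies: HMAC verification with the shared key, issuer against validIssuers, audience against audienceUris, and lifetime. It also shows that the payload can be decoded without the key, since an HMAC signature authenticates the token but does not encrypt it. The claim values, the lifetime and the fixed timestamps are constructed for the example; the real libraries carry out the same checks with their own APIs.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def generate_symmetric_key(num_bytes: int = 32) -> str:
    """Return a fresh random key, base64-encoded like the symmetricKey attribute in web.config.
    32 bytes = 256 bits, the key size HS256 (HMAC-SHA256) expects."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _hs256(key_b64: str, signing_input: str) -> bytes:
    # Both sides derive the same MAC from the shared key; this is authentication, not encryption.
    return hmac.new(base64.b64decode(key_b64), signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_jwt(key_b64, issuer, audience, claims, lifetime_s=600, now=None):
    """STS side: build and sign a bearer JWT scoped to one relying party (AppliesTo becomes aud)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + lifetime_s, **claims}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(_hs256(key_b64, signing_input))


def read_claims_unverified(token):
    """Anyone holding the token can decode the claims: they are encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_jwt(token, key_b64, expected_issuer, expected_audience, now=None):
    """Relying-party side: the checks the web.config implies (shared key, validIssuers, audienceUris, lifetime)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (rejects 'none' and algorithm confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = _hs256(key_b64, header_b64 + "." + payload_b64)
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under the shared key")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != expected_issuer:
        raise ValueError("issuer not in validIssuers")
    if payload.get("aud") != expected_audience:
        raise ValueError("audience not in audienceUris")
    now = int(time.time()) if now is None else now
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    key = generate_symmetric_key()
    tok = issue_jwt(key, "TH_STS", "urn:test:symmetric", {"sub": "alice"})
    print(read_claims_unverified(tok))          # readable without the key
    print(validate_jwt(tok, key, "TH_STS", "urn:test:symmetric"))
```

The key is just 32 random bytes from a CSPRNG, base64-encoded; the same string must be configured on the STS and on every relying party that accepts its tokens, which is why a symmetric signing key is only practical when a single trusted party runs both sides.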