Azure Bus, TokenProvider with ACS Service Identity, using password

I am using the Azure Bus for messaging. We are configuring ACS with proper security practice, i.e. with different relying parties representing different topics & subscriptions.

We are using ACS Service Identity to access the bus. So far we were using a symmetric key but we are moving to use passwords with those identities.

I am failing to find a way to set up a TokenProvider (to pass to a MessagingFactory) to authenticate my Service Identities.

I've tried:

        var serviceUri = ServiceBusEnvironment.CreateServiceUri(
            "sb",
            serviceBusNamespace,
            string.Empty);
        var tokenProvider = TokenProvider.CreateOAuthTokenProvider(
            new[] { serviceUri },
            new NetworkCredential(serviceIdentityName, serviceIdentityPassword));

which throws, complaining about "timeout elapsed upon attempting to obtain a token while accessing 'https://XYZ.servicebus.windows.net/$STS/OAuth/'.". I know that URL isn't the endpoint for OAuth; I don't know why it's trying to go there.

So I've tried:

        var tokenProvider = TokenProvider.CreateOAuthTokenProvider(
            new[] { new Uri("https://XYZ-sb.accesscontrol.windows.net/v2/OAuth2-13") },
            new NetworkCredential(serviceIdentityName, serviceIdentityPassword));

which threw with "timeout elapsed upon attempting to obtain a token while accessing 'https://XYZ-sb.accesscontrol.windows.net/v2/OAuth2-13/$STS/OAuth/'."

Again, the URL isn't good...

So I changed tactic and tried:

        var tokenProvider = TokenProvider.CreateSharedSecretTokenProvider(
            serviceIdentityName,
            serviceIdentityPassword);

To receive the exception "The token provider was unable to provide a security token while accessing 'https://XYZ-sb.accesscontrol.windows.net/WRAPv0.9/'"

So... What is the right incantation to authenticate a service identity using a password?

Upvotes: 0

Views: 1481

Answers (1)

Dhana Krishnasamy

Reputation: 2176

Did you try this?

  1. Get Wrap Token from ACS using serviceid/password
  2. Get Signed SWT using the Wrap Token you got in the first step from ACS again
  3. Create a SimpleTokenProvider using the SWT token you got in step 2 (TokenProvider.CreateSimpleWebTokenProvider).

This doc has examples to help you with steps 1 and 2. This is a bit of a roundabout way, I guess, but if there is a better way, I would like to hear about it. Btw, sending just the WRAP token doesn't seem to work.

Upvotes: 1
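A sketch of the password-based flow the answer describes, added here as an example and not taken from the original post or the linked doc. It assumes the `wrap_access_token` field of the ACS WRAP v0.9 response is the SWT to hand to `TokenProvider.CreateSimpleWebTokenProvider`; the class and method names are hypothetical, and `scope` must be the realm of the relying party configured in ACS.

```csharp
// Added example: class, method and parameter names are hypothetical.
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Net;
using System.Text;
using Microsoft.ServiceBus;

static class AcsPasswordToken
{
    // Pulls the URL-encoded SWT out of the form-encoded WRAP response
    // ("wrap_access_token=...&wrap_access_token_expires_in=...").
    public static string ExtractSwt(string wrapResponse)
    {
        const string key = "wrap_access_token=";
        string field = wrapResponse.Split('&')
            .FirstOrDefault(p => p.StartsWith(key, StringComparison.OrdinalIgnoreCase));
        if (field == null)
            throw new InvalidOperationException("ACS response carried no wrap_access_token.");
        return WebUtility.UrlDecode(field.Substring(key.Length));
    }

    // acsNamespace: the ACS namespace, e.g. "XYZ-sb" as in the question.
    // scope: relying party realm registered in ACS (assumption: supplied by caller).
    public static string RequestSwt(string acsNamespace, string identityName,
                                    string identityPassword, string scope)
    {
        using (var client = new WebClient())
        {
            // HTTPS only: the password travels in the request body.
            client.BaseAddress = string.Format(
                "https://{0}.accesscontrol.windows.net", acsNamespace);
            var form = new NameValueCollection
            {
                { "wrap_name", identityName },
                { "wrap_password", identityPassword },
                { "wrap_scope", scope }
            };
            byte[] body = client.UploadValues("WRAPv0.9/", "POST", form);
            return ExtractSwt(Encoding.UTF8.GetString(body));
        }
    }

    // Wraps the SWT in a provider that can be passed to a MessagingFactory.
    public static TokenProvider CreateProvider(string acsNamespace, string identityName,
                                               string identityPassword, string scope)
    {
        string swt = RequestSwt(acsNamespace, identityName, identityPassword, scope);
        return TokenProvider.CreateSimpleWebTokenProvider(swt);
    }
}
```

The provider here is built from a fixed token string, so plan to request a new token and rebuild it before the lifetime reported in `wrap_access_token_expires_in` runs out, and keep the password and the SWT out of logs and exception messages.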
