
I have an MVC app talking to ACS to get a token for authentication. It's a claims-based application. This works perfectly fine.

I am trying to call a WCF service from MVC once authenticated, with the same token, so that I can use the same claims for authorization.

The MVC code is as below:

    // needs: using System.IdentityModel.Tokens; using System.ServiceModel; using System.ServiceModel.Security;

    // Token issued by ACS during the MVC sign-in, kept by WIF as the bootstrap token
    var context = (BootstrapContext)identity.BootstrapContext;

    var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);
    binding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;
    binding.Security.Message.EstablishSecurityContext = false;
    binding.Security.Message.IssuerBinding = new WS2007FederationHttpBinding();
    EndpointAddress acsEndPoint =
        new EndpointAddress("https://ACS namespace/v2/wsfederation");
    binding.Security.Message.IssuerAddress = acsEndPoint;
    binding.Security.Message.IssuedTokenType = "urn:ietf:params:oauth:token-type:jwt";

    ChannelFactory<IService1> factory =
        new ChannelFactory<IService1>(binding, new EndpointAddress("https://localhost/TestWCF/Service1.svc"));
    factory.Credentials.SupportInteractive = false;
    factory.Credentials.UseIdentityConfiguration = true;

    // Re-use the bootstrap token as the issued token for the WCF call
    var proxy = factory.CreateChannelWithIssuedToken(context.SecurityToken);
    proxy.GetData(1);

The WCF web.config is as below:

    <system.serviceModel>
      <services>
        <service name="TestWCF.Service1">
          <endpoint address="" behaviorConfiguration="webHttpAutoFormat" binding="ws2007FederationHttpBinding" bindingConfiguration="secureHttpBinding" contract="TestWCF.IService1"/>
          <endpoint address="soap" binding="basicHttpBinding" contract="TestWCF.IService1" />
          <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        </service>
      </services>
      <bindings>
        <ws2007FederationHttpBinding>
          <binding name="secureHttpBinding">
            <security mode="None">
              <message establishSecurityContext="false" issuedKeyType="SymmetricKey" issuedTokenType="urn:ietf:params:oauth:token-type:jwt">
                <issuerMetadata address="https://ACS namespace/v2/wstrust/mex"></issuerMetadata>
              </message>
            </security>
          </binding>
        </ws2007FederationHttpBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <behavior>
            <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
            <serviceDebug includeExceptionDetailInFaults="false"/>
            <serviceCredentials useIdentityConfiguration="true"></serviceCredentials>
            <serviceAuthorization principalPermissionMode="Always" />
          </behavior>
        </serviceBehaviors>
        <endpointBehaviors>
          <behavior name="webHttpAutoFormat">
          </behavior>
        </endpointBehaviors>
      </behaviors>
      <protocolMapping>
        <add binding="basicHttpsBinding" scheme="https" />
      </protocolMapping>
      <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">
        <serviceActivations>
          <add relativeAddress="Service1.svc" service="TestWCF.Service1" />
        </serviceActivations>
      </serviceHostingEnvironment>
    </system.serviceModel>

Please note my WCF service is not HTTPS; also, I am using a JWT token from ACS. No certificates.

I get the below error:

    The provided URI scheme 'https' is invalid; expected 'http'. Parameter name: via

Can anyone help?


You are currently initializing your binding with

    var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);

Try changing to

    var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);

From (MSDN - WS Transport With Message Credential):

By default, the wsHttpBinding binding provides HTTP communication. When configured for transport security, the binding supports HTTPS communication. HTTPS provides confidentiality and integrity protection for the messages that are transmitted over the wire. However the set of authentication mechanisms that can be used to authenticate the client to the service is limited to what the HTTPS transport supports. Windows Communication Foundation (WCF) offers a TransportWithMessageCredential security mode that is designed to overcome this limitation. When this security mode is configured, the transport security is used to provide confidentiality and integrity for the transmitted messages and to perform the service authentication. However, the client authentication is performed by putting the client credential directly in the message. This allows you to use any credential type that is supported by the message security mode for the client authentication while keeping the performance benefit of transport security mode.

Your web config should have this instead for <ws2007FederationHttpBinding>:

    <ws2007FederationHttpBinding>
      <binding name="secureHttpBinding">
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false" issuedKeyType="SymmetricKey" issuedTokenType="urn:ietf:params:oauth:token-type:jwt">
            <issuerMetadata address="https://ACS namespace/v2/wstrust/mex"></issuerMetadata>
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>

See also the following answer for some additional info as well: StackOverflow - The provided URI scheme 'https' is invalid; expected 'http'. Parameter name: via

  • I tried it but it did not work. Please note I am not using any certificates. NO HTTPS anywhere – user2994197 Aug 01 '14 at 20:22
  • mode="TransportWithMessageCredential"... If I put mode as None it works fine, but if I put it as Message or TransportWithMessageCredential then I get different errors. Do I need any kind of certificates or anything? – user2994197 Aug 04 '14 at 13:51
  • Finally it works. We do need .. Apart from that we need WCF to be secured (HTTPS), and my certificate was issued for my computer name and I was using localhost. Also I was using a JWT token, so I had to serialize it before sending through ChannelFactory. I have the whole thing working but not sure how to upload the working solution here. It took almost 3 days to make it work... but it works smoothly now :) – user2994197 Aug 07 '14 at 13:29
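Putting the answer and the asker's follow-up together, here is an added example (not code from the original question or answer) of the client side in TransportWithMessageCredential mode, with a pre-flight check for the scheme mismatch behind the reported error. The IService1 contract, the service URL and the EnsureSchemeMatches helper are assumptions; the service must be reachable over HTTPS with a certificate whose subject matches the host name used in the URL.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Stand-in for the asker's contract (assumed shape).
[ServiceContract]
public interface IService1
{
    [OperationContract]
    string GetData(int value);
}

public static class FederatedClientFactory
{
    // Mode recommended in the answer: TLS gives confidentiality, integrity and
    // service authentication; the issued JWT rides inside the message as the
    // client credential. Mode None would "work" only because the service then
    // never asks for or validates a client credential at all.
    public static WS2007FederationHttpBinding CreateBinding()
    {
        var binding = new WS2007FederationHttpBinding(
            WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuedTokenType = "urn:ietf:params:oauth:token-type:jwt";
        return binding;
    }

    // Hypothetical pre-flight check reproducing the condition behind the
    // "provided URI scheme 'https' is invalid; expected 'http'" error: WCF
    // rejects an endpoint whose scheme differs from the binding's transport.
    // Message mode yields Scheme == "http"; Transport* modes yield "https".
    public static void EnsureSchemeMatches(WS2007FederationHttpBinding binding, EndpointAddress address)
    {
        if (!string.Equals(binding.Scheme, address.Uri.Scheme, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(string.Format(
                "Security mode {0} expects scheme '{1}' but the endpoint uses '{2}'.",
                binding.Security.Mode, binding.Scheme, address.Uri.Scheme));
    }

    public static IService1 CreateProxy(SecurityToken bootstrapToken, string serviceUrl)
    {
        var binding = CreateBinding();
        var address = new EndpointAddress(serviceUrl); // host name must match the TLS certificate
        EnsureSchemeMatches(binding, address);

        var factory = new ChannelFactory<IService1>(binding, address);
        factory.Credentials.SupportInteractive = false;
        factory.Credentials.UseIdentityConfiguration = true;
        // Per the asker's follow-up, a raw JWT first had to be serialised into a
        // form the channel can send; that conversion is not shown on the page.
        return factory.CreateChannelWithIssuedToken(bootstrapToken);
    }
}
```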