Setting Security on a REST-based Service Bus Application
Updated: February 3, 2015
This topic assumes that your application interacts with Service Bus via the Microsoft.ServiceBus.dll assembly and the authentication features available in Azure. In particular, this topic covers applications that use the WebHttpRelayBinding binding, which is the default binding for Web applications.
The relay authentication options for Web clients that are accessing services built on the WebHttpRelayBinding binding have been created to fit the most common scenarios. Most frequently, Web-style clients communicate with services that decide to accept all incoming traffic. These clients perform only lightweight authentication using a variety of custom techniques to enable and enrich AJAX-style user experiences. You can achieve the same result and provide similar fidelity by setting the Security.Transport.RelayAuthenticationType property on the WebHttpRelayBinding binding to None. You can see this option in the Service Bus WebNoAuth relay authentication sample. A simplified procedure for setting this option is described later in this section.
1. In the service, configure the authentication as required:

       Console.Write("Your Key Name: ");
       string keyName = Console.ReadLine();
       Console.Write("Your Key: ");
       string key = Console.ReadLine();
       …
       TransportClientEndpointBehavior clientBehavior = new TransportClientEndpointBehavior();
       clientBehavior.TokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider(keyName, key);

   As with other applications, you can configure the authentication in an App.config file or programmatically.

2. Set the RelayClientAuthenticationType field to None.

       <bindings>
         <!-- Application Binding -->
         <webHttpRelayBinding>
           <binding name="default">
             <security relayClientAuthenticationType="None" />
           </binding>
         </webHttpRelayBinding>
       </bindings>

This allows the service to authenticate with Service Bus (as required), but also enables any client to connect without authenticating. In this scenario, the App.config file defines the type of security to use for the whole scenario, but the programmatic configuration (in step 1) overrides the App.config file. The override is necessary, because it is impossible to have "None" for service authentication.
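A check that can be run over an App.config during review, given here as an added example that is not part of the original topic or of the Service Bus SDK: it lists the service endpoints whose webHttpRelayBinding configuration sets relayClientAuthenticationType to None, so that each one can be confirmed as intentionally open to unauthenticated clients. The sample configuration, the service, contract and "tokenRequired" names, and the treatment of a missing attribute as RelayAccessToken are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed App.config; service, contract and "tokenRequired" names are made up.
SAMPLE_CONFIG = """<configuration><system.serviceModel>
  <bindings><webHttpRelayBinding>
    <binding name="default"><security relayClientAuthenticationType="None" /></binding>
    <binding name="tokenRequired"><security relayClientAuthenticationType="RelayAccessToken" /></binding>
  </webHttpRelayBinding></bindings>
  <services>
    <service name="Sample.ImageService">
      <endpoint binding="webHttpRelayBinding" bindingConfiguration="default"
                contract="Sample.IImageContract" />
    </service>
    <service name="Sample.AdminService">
      <endpoint binding="webHttpRelayBinding" bindingConfiguration="tokenRequired"
                contract="Sample.IAdminContract" />
    </service>
  </services>
</system.serviceModel></configuration>"""

TOKEN = "RelayAccessToken"  # assumption: this applies when the attribute is omitted


def relay_client_auth_modes(root):
    """Map each webHttpRelayBinding configuration name to its client auth type."""
    modes = {}
    for binding in root.findall(".//bindings/webHttpRelayBinding/binding"):
        security = binding.find("security")
        mode = TOKEN if security is None else security.get("relayClientAuthenticationType", TOKEN)
        modes[binding.get("name", "")] = mode
    return modes


def unauthenticated_endpoints(config_xml):
    """List (service, contract, binding configuration) reachable without a relay token."""
    root = ET.fromstring(config_xml)
    modes = relay_client_auth_modes(root)
    findings = []
    for service in root.findall(".//services/service"):
        for ep in service.findall("endpoint"):
            name = ep.get("bindingConfiguration", "")
            if ep.get("binding") == "webHttpRelayBinding" and modes.get(name, TOKEN) == "None":
                findings.append((service.get("name"), ep.get("contract"), name))
    return findings


if __name__ == "__main__":
    for finding in unauthenticated_endpoints(SAMPLE_CONFIG):
        print("relay client authentication disabled:", finding)
```

The check reads only the configuration file, so a binding that is created or changed programmatically is not covered by it.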
If you use the RelayAccessToken option for the RelayClientAuthenticationType property, Service Bus provides a security layer over plain HTTP services: authentication and authorization must be performed before any HTTP traffic is forwarded to the listening service. If Relay authentication is enabled on Service Bus, the required security token can be provided through programmatic credentials.
If you decide to implement programmatic credentials, you can use SAS or any of the authentication options available to Service Bus through the Access Control service, such as shared secret or simple Web tokens. For more information, see How to: Set Security and Authentication on a Service Bus Application. The following simplified procedure shows how to create a Web token.
1. Retrieve the issuer name and secret from the user:

       Console.Write("Your Issuer Name: ");
       string issuerName = Console.ReadLine();
       Console.Write("Your Issuer Secret: ");
       string issuerSecret = Console.ReadLine();

2. Define the transport client credential type as SimpleWebToken:

       TransportClientEndpointBehavior behavior = new TransportClientEndpointBehavior();
       behavior.CredentialType = TransportClientCredentialType.SimpleWebToken;

3. Compute and initialize the Web token with a call to ComputeSimpleWebTokenString:

       behavior.Credentials.SimpleWebToken.SimpleWebToken = SharedSecretCredential.ComputeSimpleWebTokenString(issuerName, issuerSecret);

When you have created the Web token, you can add the behavior to the endpoint, create the channel factory, and open a channel to Service Bus.