Tutorial: How to leverage Access Control Service using Ruby gem
 
 
 
Overview

This tutorial explains how developers can use the AppFabric Ruby gem to write Ruby applications that use the Access Control Service (ACS) provided by AppFabric.
 
For more information about AppFabric ACS, please refer to the MSDN documentation.

The Ruby gem provides the following interfaces:
  • Retrieve different types of tokens from ACS
  • Validate ACS Token
  • Validate Claims
 
The following sections provide examples of the above functionality. Once you have installed the gem, you can follow the examples below.
 
 
Retrieving Token from ACS

The following code snippet demonstrates how to use the gem to get different ACS Tokens.
 
We first create a Scope object, which represents what kind of token we desire. In this case we want a SimpleApiAuth token. ACS requires the requestor to provide scope name and issuer key values to produce the token.
 
Note that all ACS management functions can be performed using the ACM tool provided by the .NET SDK for Microsoft AppFabric (Nov 2009 CTP Release). More information about the ACM tool can be found in the Access Control samples provided with that SDK, under the following path: “{Installation folder of .NET SDK}\Samples\AccessControl\ExploringFeatures\Management\AcmTool\Readme.htm”.
 
  #Sample settings in the config file:

  simple_api_auth:
     wrap_name: infocorp
     wrap_password: eFBmEieKwRht6W6bSTuKLG8pTTVudbHmkjzJ++DukFc=
     applies_to: http://localhost/SalesDashboard/
     solution_name: rubyservice
     service_name: WRAPv0.8
     trusted_key: 8BnYYu87bCuaAxDrwTGJg39ZeOqFFepFo4=

  proxy:
     http_web_proxy_server: itgproxy.redmond.corp.microsoft.com
     http_web_proxy_port: 80
 
  type_token:
     issuer_name: owner
     issuer_key: Jtt77GMAGljdnTXqvHlwijwGobEJXfT4+xlXAnLQoB4=
     rest_applies_to: http://rubyservice.servicebus.windows.net/whatver/
     rest_request_uri: https://rubyservice-sb.accesscontrol.windows.net/WRAPv0.8/

 
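    # Request a SimpleApiAuth token with the wrap name and wrap password
    saatp = SimpleApiAuthTokenProvider.new(wrap_name, wrap_password)
    # The request URI is built from the solution name, the ACM host and the service name
    request_uri = "https://#{solution_name}.#{DotNetServicesEnvironment.acm_host_name}/#{service_name}/"
    token_info = saatp.token(request_uri, simple_api_auth_applies_to)
    token_info.token # the issued token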

 
 
Token Validation
 
We can use ACS tokens for validating requests from client applications. One way to achieve this is retrieving the token as described above and passing it in the header to the service application. The service application will serve only the requests that have valid tokens in their headers.
 
The TokenValidator#validate method returns true if the passed token is valid. It requires the signing key (obtained from ACS when the service was created) for validation.
 
    tv = TokenValidator.new(service_name, trusted_service, trusted_audience,
         trusted_signing_key, token)
    tv.validate # returns boolean

 
 
Validating Claims
 
Tokens contain claims that can be used to track the access rights of the requestor. Suppose we have a Create Order Service that offers operations such as adding a new Sales Order. A request to add an order should carry a token that has the claims required for that operation, e.g. CreateOrder = true.
 
We can now use TokenValidator#validate_claims to check whether the client has the claims necessary for the desired service.
 
The following code returns true if the token has the claim “CreateOrder = true”:
 
     tv = TokenValidator.new(service_name, trusted_service, trusted_audience, 
         trusted_signing_key, token)
     expected_claims = {"CreateOrder"=>"true"}
     tv.validate_claims(expected_claims) # returns boolean
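
The checks behind the Token Validation and Validating Claims sections, as an added Ruby example (not the gem's own TokenValidator code). It assumes the Simple Web Token layout of url-encoded pairs ending in an HMACSHA256 parameter; SwtCheck, the key, the issuer and the expiry are hypothetical names and constructed sample values:

```ruby
require 'openssl'
require 'cgi'

# Added illustration, NOT the gem's TokenValidator. Assumed token layout (SWT):
# url-encoded name=value pairs joined by '&', ending in &HMACSHA256=<signature>.
class SwtCheck
  SIG_PARAM = '&HMACSHA256='

  def initialize(trusted_issuer, trusted_audience, signing_key_b64, token, now: Time.now)
    @issuer, @audience = trusted_issuer, trusted_audience
    @key = signing_key_b64.unpack1('m') # Base64-decode the signing key
    @token, @now = token.to_s, now.to_i
  end

  # True only if signature, issuer, audience and expiry all check out.
  def validate
    body, sep, sig = @token.rpartition(SIG_PARAM)
    return false if sep.empty?
    return false unless same_bytes?(CGI.unescape(sig), SwtCheck.sign(body, @key))
    # Parse claims only after the signature over the raw body has been verified.
    @claims = body.split('&').map do |pair|
      name, value = pair.split('=', 2)
      [CGI.unescape(name.to_s), CGI.unescape(value.to_s)]
    end.to_h
    @claims['Issuer'] == @issuer && @claims['Audience'] == @audience &&
      @claims['ExpiresOn'].to_i > @now
  end

  # Claims count only when they come from a token that passed validate.
  def validate_claims(expected)
    validate && expected.all? { |name, value| @claims[name] == value }
  end

  # HMAC-SHA256 over the token body, strict Base64 encoded (pack 'm0').
  def self.sign(body, key)
    [OpenSSL::HMAC.digest('SHA256', key, body)].pack('m0')
  end

  # Constant-time comparison so a mismatch does not leak how many bytes matched.
  def same_bytes?(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample: key, issuer and expiry are made up for this example.
KEY_B64 = ['constructed-demo-signing-key'].pack('m0')
BODY = 'CreateOrder=true&Issuer=demo-issuer&' \
       'Audience=http%3a%2f%2flocalhost%2fSalesDashboard%2f&ExpiresOn=2000000000'
TOKEN = BODY + '&HMACSHA256=' + CGI.escape(SwtCheck.sign(BODY, KEY_B64.unpack1('m')))
```

A token whose body was altered after signing, whose audience differs from the trusted one, or whose ExpiresOn has passed fails validate, so its claims are never consulted.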

 
The following are the ACS token types and the credentials used for each:
  • Simple API Auth token
    • Wrap Name
    • Wrap Password
  • Simple web token
    • Issuer Name
    • Issuer Secret
  • Shared secret token
    • Issuer Name
    • Issuer Secret
  • SAML token
    • Issuer Name
    • Issuer Secret
 
Acquiring Different Types of Tokens
 
Simple API Auth: Acquiring SimpleAPIAuth token using getACSToken() of class SimpleApiAuthService.
 
   # Request a SimpleApiAuth token with the wrap name and wrap password
   saatp = SimpleApiAuthTokenProvider.new(wrap_name, wrap_password)
   request_uri = "https://#{solution_name}.#{DotNetServicesEnvironment.acm_host_name}/#{service_name}/"
   token_info = saatp.token(request_uri, simple_api_auth_applies_to)
   token_info.token # the issued token

 
Shared Secret Key: Acquiring SharedSecretKey token using getACSToken() from class SharedSecret.
 
   sstp = SharedSecretTokenProvider.new(issuer_name, issuer_key, http_web_proxy)
   request_uri = config['type_token']['rest_request_uri']
   applies_to = config['type_token']['rest_applies_to']
   token_info = sstp.token(request_uri, applies_to)
   token_info.token

 
Simple Web Token: Acquiring SimpleWebToken using getACSToken() from class SWT.
 
   simple_web_token_provider = SimpleWebTokenProvider.new(issuer_name, 
      issuer_key, http_web_proxy)
   token_info = simple_web_token_provider.token(request_uri, applies_to)
   token_info.token

 