
Claims Protected Resources and Cardspace

11 December 2007

Cardspace can currently be launched from a web page through the object tag, an HTML form and, optionally, some JavaScript. This approach requires rendering an HTML page and some form of user interaction before the Cardspace identity selector is launched.
This works for the typical case of logging into a website, establishing a session and then accessing protected web pages.

But what if you just want to protect a file? Or an XML resource like an RSS feed?

In this post I’ll propose an extension which would allow Cardspace to be leveraged to protect resources without the need for a UI to be rendered in the browser.

The scenario I'm proposing works like this: let's say I have a file, "cprExampleImage.png", that I want to protect using claims. I host the file somewhere. This is my "claims protected resource".
Now I want to give you a link to the file so you can download it, but only if you present a good token.

Instead of me giving you a link to the file, I give you a link to an XML document that describes the file along with the claims needed to access it. I’ve called this document a "claims protected resource manifest".
It looks like this:

<claimsProtectedResource>
  <tokenDetails>
    <tokenType value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <requiredClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier</requiredClaim>
    <requiredClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</requiredClaim>
    <requiredClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</requiredClaim>
    <optionalClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</optionalClaim>
    <issuer>http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self</issuer>
  </tokenDetails>
  <targetResource>cprExampleImage.png</targetResource>
  <targetCert>http://www.francisshanahan.com/cardspace/fs.cer</targetCert>
  <claimConsumer>http://www.francisshanahan.com/cardspace/cprConsumer.aspx</claimConsumer>
</claimsProtectedResource>

The XML here consists of a targetResource (the file you're trying to access) along with details of the token needed to access that file: the token type, the required and optional claims and the issuer. targetCert points at the certificate identifying the relying party the token is issued for, and claimConsumer is the service the token is delivered to. This is very similar to the object tag notation currently in use. Note that whoever controls the manifest controls where the token goes, so the manifest has to come from a source you trust, just as the object tag is trusted today because it arrives in the site's own page.

When the web server serves this manifest file, it serves it with a new MIME type, application/cpresx-manifest (I just made this up).

That MIME type is associated with a small shim application that you can download and install here [LINK]. The shim examines the manifest and launches Cardspace to obtain a token, in this case a self-issued card token.
Once Cardspace is finished, control returns to the shim, which forwards the token, along with the identifier of the desired file, to the token consumer service named in the manifest.

The token consumer processes the token and streams down the file you asked for originally.

To test this scenario yourself…

  1. first install the shim application available here [LINK]
  2. Then access the claims protected resource manifest here [LINK]

You’ll need a self-issued card for this example but the model could be used with managed cards also.

In this example, the claim consumer will grant you access to the resource with any card EXCEPT a card whose first name (the givenname claim) is set to "noaccess".
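To make the two halves of the exchange concrete, here is an added example in Python (not the CPR_Shim or cprConsumer.aspx code from this post) covering both the manifest parsing the shim has to do and the access decision the claim consumer makes. It parses the manifest above, extracts claims from a SAML 1.0 assertion and applies the "noaccess" rule. The constructed token is plaintext; a real Cardspace token is signed and encrypted to targetCert, and that decryption and signature check is assumed to have happened before this code runs. The function names, the use of AttributeNamespace + "/" + AttributeName to form claim URIs, and the sample values are my assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML10_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed manifest, mirroring the one in the post.
MANIFEST = """<claimsProtectedResource>
  <tokenDetails>
    <tokenType value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <requiredClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier</requiredClaim>
    <requiredClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</requiredClaim>
    <requiredClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</requiredClaim>
    <optionalClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</optionalClaim>
    <issuer>http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self</issuer>
  </tokenDetails>
  <targetResource>cprExampleImage.png</targetResource>
  <targetCert>http://www.francisshanahan.com/cardspace/fs.cer</targetCert>
  <claimConsumer>http://www.francisshanahan.com/cardspace/cprConsumer.aspx</claimConsumer>
</claimsProtectedResource>"""


def parse_manifest(xml_text):
    """Shim side: turn a .cpresx manifest into the policy handed to Cardspace."""
    root = ET.fromstring(xml_text)
    if root.tag != "claimsProtectedResource":
        raise ValueError("not a claims protected resource manifest")
    td = root.find("tokenDetails")
    if td is None or td.find("tokenType") is None:
        raise ValueError("manifest has no tokenDetails/tokenType")
    manifest = {
        "token_type": td.find("tokenType").get("value", ""),
        "required": [e.text.strip() for e in td.findall("requiredClaim")],
        "optional": [e.text.strip() for e in td.findall("optionalClaim")],
        "issuer": td.findtext("issuer", "").strip(),
        "target_resource": root.findtext("targetResource", "").strip(),
        "target_cert": root.findtext("targetCert", "").strip(),
        "claim_consumer": root.findtext("claimConsumer", "").strip(),
    }
    # A manifest that names no resource, consumer or certificate cannot be acted on.
    for key in ("target_resource", "claim_consumer", "target_cert"):
        if not manifest[key]:
            raise ValueError("manifest is missing " + key)
    if manifest["token_type"] != SAML10_NS:
        raise ValueError("unsupported token type " + manifest["token_type"])
    if not manifest["required"]:
        raise ValueError("manifest requires no claims")
    return manifest


def claims_from_assertion(xml_text):
    """Consumer side: map claim URI -> value from a SAML 1.0 assertion.
    Assumption: claims are carried as Attribute elements whose namespace and
    name join to the claim URI used in the manifest."""
    ns = {"saml": SAML10_NS}
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML10_NS:
        raise ValueError("token is not a SAML 1.0 assertion")
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", ns):
        uri = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        claims[uri] = attr.findtext("saml:AttributeValue", "", ns)
    return claims, root.get("Issuer", "")


def authorize(manifest, token_xml, requested_resource):
    """Claim consumer: decide whether to stream the resource. Returns (ok, reason)."""
    if requested_resource != manifest["target_resource"]:
        return False, "resource not covered by this manifest"
    claims, issuer = claims_from_assertion(token_xml)
    if issuer != manifest["issuer"]:
        return False, "unexpected issuer " + issuer
    missing = [c for c in manifest["required"] if not claims.get(c)]
    if missing:
        return False, "missing required claims: " + ", ".join(missing)
    # The post's demo rule: any card gets in except one whose first name is "noaccess".
    if claims[CLAIMS_NS + "/givenname"].lower() == "noaccess":
        return False, "first name 'noaccess' is denied"
    return True, "ok"


def make_token(ppid, given, surname, email=None):
    """Constructed plaintext self-issued assertion for testing (no signature, no encryption)."""
    attrs = {"privatepersonalidentifier": ppid, "givenname": given, "surname": surname}
    if email:
        attrs["emailaddress"] = email
    body = "".join(
        '<saml:Attribute AttributeName="%s" AttributeNamespace="%s">'
        '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>' % (n, CLAIMS_NS, escape(v))
        for n, v in attrs.items())
    return ('<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="0" '
            'AssertionID="uuid-example" Issuer="%s"><saml:AttributeStatement><saml:Subject/>%s'
            '</saml:AttributeStatement></saml:Assertion>' % (SAML10_NS, SELF_ISSUER, body))


if __name__ == "__main__":
    m = parse_manifest(MANIFEST)
    print(authorize(m, make_token("ppid-1", "Francis", "Shanahan"), "cprExampleImage.png"))
    print(authorize(m, make_token("ppid-2", "noaccess", "Smith"), "cprExampleImage.png"))
```

The consumer checks the issuer and the required claims against the manifest rather than trusting the shim to have done so, since the shim runs on the client and anything it sends can be altered.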

——— TROUBLESHOOTING ———
This app is just a POC and has little error handling.

If you access the manifest link and nothing happens, try saving the manifest to disk and running the application from the command line like this:
C:\Program Files\Francis Shanahan[.com]\Claims Protected Resource Shim>CPR_Shim mydoc.cpresx

If you’re behind a proxy, add an app.config file with the proxy details to the same folder as CPR_shim.exe. The contents of the app.config file should look like this:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.net>
    <defaultProxy>
      <proxy proxyaddress="http://PutProxyAddressHere:Port" usesystemdefault="False" bypassonlocal="True"/>
    </defaultProxy>   
  </system.net>
</configuration>

Lastly, the shim assumes your system has a default association for the PNG file type. To check this, run the app as before. Then in Windows Explorer, navigate to the Temp folder; on XP it'll be this:

C:\Documents and Settings\<USERNAME>\Local Settings\Temp\cprExampleImage.png

If the cprExampleImage.png file is there, just double-click it. If an "Open With…" dialog pops up, pick an application (like Internet Explorer or Paint) and make sure to tick the "always do this" checkbox.

After all that you should be in business. Hey, what do you want for a couple of hours work?

——————————————–
This example requires a shim because there's no such thing as a "claims protected resource manifest" in the current Cardspace spec. I like this pattern because it

  1. Doesn’t require a session on the server
  2. Supports bookmarking and emailing of links through the CPR manifest notion
  3. Extensible to any resource type
  4. Is easy to deploy; hooking Cardspace up via a MIME type seems to make sense
  5. Abstracts the actual resources from end users and puts claims right in the middle.

I think that this pattern has its uses and would propose that this pattern (maybe not my implementation) be considered as an enhancement to Cardspace in a future release.

Attribution: Many thanks to Dominick Baier of LeastPrivilege.com [LINK], who supplied the Cardspace abstraction on which the shim code is based. [LINK]

One Comment

  • nathan said:

    I like it, this is a good idea, sort of like RSS is to html but for claims? How’d you trigger cardspace from the shim?
