The code at Stack Overflow enabled us to get a token from ACS, issued with the symmetric key type and fit for presentation to an IService set up with the bindings from the ACS samples for the username token web service. It's obviously a minor change to migrate from the certificate binding, given below, to the username token binding.
This bit of code shows what is happening behind the scenes with regard to interactive mode (not), service credential negotiation (not), and security context setup (not).
We changed it a bit so that, once again, we have ACS issue a cleartext bearer token, by (i) reconfiguring the Relying Party at the console to remove the encryption process, (ii) changing the binding for ACS to request a bearer token (vs. a symmetric-keyed token), and (iii) setting up the channel to the IStringService to note that a bearer token will be presented in the SOAP header.
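The client-side half of that change, as an added sketch that is not the code from the original post or from the ACS samples. It assumes the .NET 4.5 WIF types; the endpoint URLs are placeholders, and the `Reverse` operation, the `BearerClient` class and its method names are hypothetical.

```csharp
// Added example: assumes .NET 4.5 (System.IdentityModel, System.ServiceModel).
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IStringService   // assumed shape of the sample contract
{
    [OperationContract] string Reverse(string value);
}

public static class BearerClient
{
    // Placeholders, not values from the original post.
    const string AcsEndpoint = "https://NAMESPACE.accesscontrol.windows.net/v2/wstrust/13/username";
    const string ServiceUri = "https://localhost/StringService";

    public static SecurityToken GetBearerToken(string user, string password)
    {
        // Username token over TLS: no negotiation, no security context, no prompts.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(AcsEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.SupportInteractive = false;
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,   // previously KeyTypes.Symmetric
            AppliesTo = new EndpointReference(ServiceUri)
        };
        return factory.CreateChannel().Issue(rst);
    }

    public static IStringService CreateServiceChannel(SecurityToken token)
    {
        // A bearer token carries no proof key, so the channel relies on TLS alone.
        var binding = new WS2007FederationHttpBinding(
            WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        binding.Security.Message.EstablishSecurityContext = false;
        var factory = new ChannelFactory<IStringService>(binding, new EndpointAddress(ServiceUri));
        factory.Credentials.UseIdentityConfiguration = true;
        return factory.CreateChannelWithIssuedToken(token);
    }
}
```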
Obviously, in the implementation of IStringService, when configuring its host, one also needs to tell the channel to expect a bearer token:
Looking at Fiddler, we see the interaction with ACS:
The channel between client and server hardly seems simple, though:
If we turn off the WS-Security enveloping in the client, we finally get something simple (a pure bearer token, over HTTPS):
With the WS-Security message-level security model, we get what you'd expect in the service: