To perform the token decryption, the service will need to be able to access the private key of the certificate. When the process that hosts the service has been granted access to the certificate, WCF will take care of the rest and do the decryption with no extra code or configuration required.
260 CardSpace Implementation
Verifying the Token
WCF also does a lot of work when performing token validation. The WCF object model ensures the token has not been corrupted and is well formed. The expiration time of the token is also checked.
Verifying the token issuer is a bit more involved because it often depends on the issuers that a Web service trusts. If Personal Cards will be used, all tokens signed using an RSA key must be accepted, because every card will have a unique key. To allow the Web service to use these keys, the allowUntrustedRsaIssuers attribute must be set to true:
<issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
This element is set on the service's behavior, as shown in the previous section. After accepting the token, the signing key can be used to identify the owner of the card. A scheme for doing this is discussed in the next chapter.
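The behavior configuration the two sections above describe, assembled here as an added example rather than the book's own listing: the service certificate whose private key WCF uses to decrypt the token, and the issuedTokenAuthentication element that accepts Personal Card tokens signed with their per-card RSA key. The behavior name and the certificate thumbprint are placeholders.

```xml
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <!-- "CardSpaceServiceBehavior" is a placeholder name; reference it from the
           service element's behaviorConfiguration attribute. -->
      <behavior name="CardSpaceServiceBehavior">
        <serviceCredentials>
          <!-- Certificate whose private key decrypts incoming tokens. The hosting
               process must have read access to that private key; WCF then performs
               the decryption with no further code. The thumbprint is a placeholder. -->
          <serviceCertificate findValue="PLACEHOLDER-THUMBPRINT"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindByThumbprint" />
          <!-- Personal Cards sign with a per-card RSA key that no trusted issuer
               vouches for, so untrusted RSA issuers must be allowed; the signing
               key is then what identifies the card owner on each call. -->
          <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Because this setting accepts a signature from any RSA key, the service must map the presented key to a known user on its own; the token's signature alone proves only that the same card was used before, not who holds it.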