If you’re using the ASPNETSimpleService sample for investigating Azure’s August release of AppFabric (currently in AppFabric Labs), you might like to know a simple change to enable more action claims.
The sample provides instructions for creating the necessary ‘reverse’ value for the ‘action’ claim in an ACS Rule Group. But what happens if you have more than one ‘action’ claim in the rule group (either by adding or by reusing an existing rule group)? The sample breaks and renders WebException, (401) Unauthorized. What gives?
The client app retrieves a SWT from AppFabric’s ACS and passes it to the web service. The web service (implemented in the sample’s default.aspx) verifies that the SWT contains the ‘reverse’ value of the ‘action’ claim. Unfortunately, the sample expects the SWT to look like:
This SWT will work fine. Notice the claim “action=reverse” at the beginning. If you aren’t aware (I wasn’t), multiple values of an claim are combined and separated by commas. So, if you have another value ‘translate’ for the ‘action’ claim, the SWT will look like this:
And that makes sense. Why include multiple ‘action=<value>’ sections? One simple change to the sample enables it to handle this situation. Around line 90 of the sample’s default.aspx you’ll see
// check for the correct action claim value
This bit of code is requiring that the actionClaimValue (which comes from the SWT) EQUALS the expected value (requiredClaimValue which set to ‘reverse’). In the second SWT above, the value of actionClaimValue will be “reverse,translate” which do not equal “reverse”
Simply changing Equals to use the Contains method fixes the sample. Based on this situation, I don’t think using Equals is a good idea for your apps. Contains is a reasonable alternative, but you may want to use a more rigorous practice.