Morning Coffee 124

  • While my blog was down last week, I finally finished Gears of War. I played thru on hardcore, but had to throttle back to casual to beat the last boss. I’d like to try and finish on hardcore, but I’ve moved on to Dead Rising – another game from last year I never had time to finish. I’m almost done with the main play mode, though I understand there are other play modes that get unlocked when you finish it.
  • I’m forbidden from buying any new games before Christmas, so Mass Effect, Assassin’s Creed and The Orange Box will have to wait. My next game will either be Blue Dragon, which a friend let me borrow, or R6:Vegas, yet another (but the last) game from last year I never got time to play.
  • I’ll skip the “giving thanks” jokes and point out that Visual Studio 2008 and .NET FX 3.5 have shipped.  Soma has the announcement and both Scott Guthrie and Sam Gentile summarize what’s new. The Express editions are available from the new Express Developer Center. The VS SDK doesn’t appear to be released yet, but I’m sure it will be along in due course.
  • Speaking of VS SDK, CoDe Magazine did an entire issue on VS Extensibility which you can read online or download as PDF.
  • Nick Malik took a bunch of heat back in June for what some thought was a redefinition of Mort, one of the Developer Division personas. Now Paul Vick thinks it’s time to retire the Mort persona, primarily because of the negative connotation the name carries. His suggestion for a replacement is Ben (as in Franklin). And did you notice how similar Paul’s description of Mort is to what Nick described? I’d say some folks owe Nick an apology.
  • I said Friday I was going to take a closer look @ OpenID and OAuth. There’s an intro to OpenID on their wiki and Sam Ruby’s OpenID for non-SuperUsers seems to be the canonical source on implementing OpenID on your own blog. Frankly, reading the OpenID intro reminded me a lot of WS-Federation Passive Requestor Profile. Does OpenID have the equivalent of an “active” mode?
  • Likewise, the Beginner’s Guide to OAuth series of posts by Eran Hammer-Lahav is a good intro to OAuth. The phrase “Jane notices she is now at a Faji page by looking at the browser URL” from the protocol walkthru makes me worry that OAuth is vulnerable to phishing. Having one of the OAuth authors call phishing victims careless and wishing for Karl Rove to “scare people into being more careful and smarter about what they do online” makes me think my fears are well grounded. I’m thinking maybe OAuth and OpenID aren’t quite ready to nail down WS-*’s coffin.
  • In researching OpenID, I came across this presentation hosted on SlideShare. I had never seen SlideShare before – it’s kinda like YouTube for presentations. Sharing basic presentations is kinda lame – there doesn’t appear to be any animation support, so the slides are basically pictures. However, they also support “slidecasting” where you sync slides to an audio file hosted elsewhere. That I like. I have a bunch of old decks + audio, maybe I’ll stick them up there.

Afternoon Coffee 123

  • Morning Coffee is late this morning because we went for our Christmas portrait this morning and it took forever. The pictures turned out great though.
  • Nick Malik finishes up his series on business operation models by covering the diversification model. Also, Nick’s points about the synergy between a diversified model and the coordinated model are spot on. I happen to be a big fan of those models (aka the models with low standardization), which probably drives some of my more “unique” perspectives on SOA.
  • Scott Guthrie starts a new series on a future technology; this time it’s the ASP.NET MVC Framework that gets the series treatment. The first entry in the series is a general overview. I wonder why there’s no cool code name for the MVC framework? Whatever it’s named, I like the auto routing and action rules – it seems very Rails-inspired.
  • Over the weekend, Don Box points out that the REST authentication story “blows chunks”. I’ve recently given up on the reliable part of the original “Secure, Reliable, Transacted Web Services” vision – and I never believed the transacted part. Security, on the other hand, is the one part of that original vision that has worked out IMO. My experience with the WS-* security stack has been pretty good, though Dare Obasanjo thinks that OpenID and OAuth are the final nail in the WS-* coffin.
  • Speaking of Dare, he goes on to say WS-* is to REST as Theory is to Practice. He makes the point that “The only times I encounter someone with good things to say about WS-* is if it is their job to pimp these technologies or they have already “invested” in WS-* and want to defend that investment.” I gave up pimping (er, evangelizing) technology a while back and I don’t want to be in the position of defending a bad investment, so I’m spending lots of time looking at REST.
  • Jesus Rodriguez takes a look at the Managed Services Engine and comes away excited. Jesus is a self-described “strong believer” in SOA governance. I’m a self-described strong disbeliever in SOA governance, so MSE sounds like more of the Worst of Both Worlds to me.
  • A little light reading: I pulled Applied Cryptography and A New Kind of Science out of my garage last weekend. Plus my copies of RESTful Web Services and Programming Erlang just arrived yesterday.

Custom Authentication with WCF is Top Shelf

I’ve spent the last three days heads down in WCF security and color me massively impressed. I just checked in a prototype that provides customized authentication for a business service. The idea that you could bang up a custom authentication service fairly easily blows my mind.

The cornerstone to this support in WCF is the standard WSFederationHttpBinding. While the binding name implies support for WS-Federation, which in turn implies the use of infrastructure like Active Directory Federation Services, the binding also scales down to support simple federation scenarios with a single Security Token Service (aka STS) as defined by WS-Trust. WS-Trust appears similar to Kerberos, with the STS playing the role of the KDC. If you want to access a service using the federation binding, you first obtain a security token from the associated STS, then present that token to the service. Tokens contain SAML assertions, which can be standard – such as Name and Windows SID – or entirely custom, which opens up very interesting and flexible security scenarios.

If you want to support multiple authentication systems (Windows, certificates, CardSpace, Passport/Windows Live ID, etc.), an STS is perfect because you can centralize the multiple authentication schemes at the STS, which then hands out a standard token the business service understands. Adding a new auth scheme can happen centrally at the STS rather than in each and every service. Support for multiple authentication schemes was the focus of our current prototype and it worked extremely well.

WCF includes a federation sample which is where you should start if you’re interested in this stuff. That scenario includes a chain of two STS’s. Accessing the secure bookstore service requires authenticating against the bookstore STS which in turn requires authenticating against a generic “HomeRealm” STS. Since there are two STS’s, they factored the common STS code into a shared assembly. You can use that common code to build an STS of your own.

For our prototype, we made only minor changes to the common STS code from the sample. In fact, the only significant change we made was to support programmatic selection of the proof key encryption token. In the sample, both the issuer token and the proof key encryption token are hard coded (passed into the base class constructor). The issuer token is used to sign the issued security token so the target service knows it came from the STS. The encryption token is the target service’s certificate, used to – you guessed it – encrypt the proof key and the token so they can only be used by the service holding the matching private key. Hard-coding the encryption token means you can only use your STS with a single target service. We changed that so the encryption token can be chosen based on the incoming security token request (the WS-Trust request names the target service in its AppliesTo element, which is what the STS has to look at).
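To make the relying-party side of this concrete, here is an added example of my own (not code from the WCF federation sample or from the prototype described in this post). It hosts a business service on a programmatically built WSFederationHttpBinding pointed at an STS, pins the STS signing certificate and the audience URI so WCF rejects tokens that weren’t issued by that STS for this service, and then, inside the operation, only honors claims whose issuer is that STS certificate. The STS address, service address, certificate subject names and the custom role claim type URI are all assumptions for the sake of the example.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IBookstore
{
    [OperationContract]
    string Checkout(string isbn);
}

public class Bookstore : IBookstore
{
    // Assumed custom claim type; the STS in this scenario is assumed to issue it as a SAML attribute.
    public const string RoleClaimType = "http://schemas.example.com/2007/11/claims/role";

    public string Checkout(string isbn)
    {
        // Defense in depth: the binding already restricts which STS may sign tokens, but
        // only act on claims whose claim set was actually issued by that STS certificate.
        List<string> roles = ClaimsIssuedBy(RoleClaimType, FederationHost.StsCertificate);
        if (!roles.Contains("buyer"))
            throw new FaultException("The STS token does not carry the buyer role.");
        return "order placed for " + isbn;
    }

    static List<string> ClaimsIssuedBy(string claimType, X509Certificate2 issuerCert)
    {
        var values = new List<string>();
        byte[] wanted = issuerCert.GetCertHash();
        foreach (ClaimSet set in ServiceSecurityContext.Current.AuthorizationContext.ClaimSets)
        {
            // For an X.509-signed SAML token, set.Issuer is the X509CertificateClaimSet of the signer,
            // which carries a Thumbprint claim with the certificate hash as its resource.
            if (!HasThumbprint(set.Issuer, wanted)) continue;
            foreach (Claim c in set.FindClaims(claimType, Rights.PossessProperty))
                values.Add((string)c.Resource);
        }
        return values;
    }

    static bool HasThumbprint(ClaimSet issuer, byte[] wanted)
    {
        foreach (Claim c in issuer.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty))
        {
            var hash = c.Resource as byte[];
            if (hash != null && hash.Length == wanted.Length)
            {
                int diff = 0;
                for (int i = 0; i < hash.Length; i++) diff |= hash[i] ^ wanted[i];
                if (diff == 0) return true;
            }
        }
        return false;
    }
}

public static class FederationHost
{
    public const string ServiceAddress = "http://localhost:8001/bookstore";   // assumed
    public const string StsAddress     = "http://localhost:8000/sts";         // assumed
    public static X509Certificate2 StsCertificate;

    public static WSFederationHttpBinding CreateBinding()
    {
        var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
        FederatedMessageSecurity msg = binding.Security.Message;
        msg.IssuedTokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
        msg.IssuedKeyType = SecurityKeyType.SymmetricKey;       // STS returns a proof key encrypted to the service cert
        msg.IssuerAddress = new EndpointAddress(StsAddress);     // where WCF sends the WS-Trust RST
        msg.IssuerBinding = new WSHttpBinding();                 // client authenticates to the STS with Windows creds
        msg.ClaimTypeRequirements.Add(new ClaimTypeRequirement(ClaimTypes.Name));
        msg.ClaimTypeRequirements.Add(new ClaimTypeRequirement(Bookstore.RoleClaimType, false));
        return binding;
    }

    public static ServiceHost Open()
    {
        var host = new ServiceHost(typeof(Bookstore), new Uri(ServiceAddress));
        host.AddServiceEndpoint(typeof(IBookstore), CreateBinding(), "");

        // The service certificate is the "encryption token" the STS must encrypt the proof key to.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");

        // Only tokens signed by the known STS certificate, and addressed to this service, are accepted.
        IssuedTokenServiceCredential auth = host.Credentials.IssuedTokenAuthentication;
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        StsCertificate = store.Certificates.Find(X509FindType.FindBySubjectName, "BookstoreSTS", false)[0];
        store.Close();
        auth.KnownCertificates.Add(StsCertificate);
        auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust; // dev setup with a self-signed STS cert
        auth.AudienceUriMode = AudienceUriMode.Always;
        auth.AllowedAudienceUris.Add(ServiceAddress);

        host.Open();
        return host;
    }
}
```

On the client, a ChannelFactory<IBookstore> built from the same CreateBinding() and an EndpointAddress for ServiceAddress with a DNS identity of "localhost" is all that is needed: WCF sends the RST (with AppliesTo set to the service endpoint) to IssuerAddress, caches the SAML token from the RSTR, and signs the application request with the proof key, without the application code ever touching RST or RSTR. The AudienceUriMode and AllowedAudienceUris settings are the check worth keeping even in a prototype; without them a token the STS issued for some other service would still be accepted here.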

Of course, it wasn’t all puppy dogs and ice cream. While I like the config system of WCF, anyone who calls it “easy” is full of it. I’ve spent most of the last three days looking at config files. Funny thing about config files is that they’re hard to debug. So most of my effort over the last few days has been in a cycle of run app / app throws exception / tweak config / repeat. Ugh.

Also, while the federation sample is comprehensive, I wonder why this functionality isn’t in the base WCF platform. For example, the sample includes implementations of RequestSecurityToken and RequestSecurityTokenResponse, the input and output messages of the STS. But I realized that WCF has to have its own implementations of RST and RSTR as well, since it has to send the RST to the STS and process the RSTR it gets in response. A little spelunking revealed the presence of an official WCF implementation of RST and RSTR, both marked internal. I normally fall on the pragmatic side of the internal/public debate, but this one makes little sense to me.

Otherwise, the prototype went smooth as silk and my project teammates were very impressed at how quickly this came together. Several of the project teams we’re working with have identified multiple authentication as the “killer” capability they’re looking to us to provide, so it’s good to know we’re making progress in the right direction.