Tags: c#, asp.net-core, authorization, single-sign-on, ws-federation

Why does WS-Federation require Microsoft.AspNetCore.DataProtection.Abstractions NuGet package?


I've been learning how to get WS-Federation working without identity, and for the initial set up I used this guide: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-3.0

For the longest time I kept running into an error but, by chance, I found a solution to it which was to include the Microsoft.AspNetCore.DataProtection.Abstractions NuGet package.

This was not mentioned anywhere in the guide and there is only one post I found that ever mentions it in relation to WS-Federation: https://github.com/dotnet/aspnetcore/issues/18639

What does this NuGet package do and why is it required to make WS-Federation work? Is this even the proper way to set it up?


Solution

  • You can find the source code on GitHub here

    Effectively, it provides two interfaces, IDataProtector and IDataProtectionProvider.

    namespace Microsoft.AspNetCore.DataProtection
    {
        /// <summary>
        /// An interface that can provide data protection services.
        /// </summary>
        public interface IDataProtector : IDataProtectionProvider
        {
            /// <summary>
            /// Cryptographically protects a piece of plaintext data.
            /// </summary>
            /// <param name="plaintext">The plaintext data to protect.</param>
            /// <returns>The protected form of the plaintext data.</returns>
            byte[] Protect(byte[] plaintext);
    
            /// <summary>
            /// Cryptographically unprotects a piece of protected data.
            /// </summary>
            /// <param name="protectedData">The protected data to unprotect.</param>
            /// <returns>The plaintext form of the protected data.</returns>
            /// <exception cref="System.Security.Cryptography.CryptographicException">
            /// Thrown if the protected data is invalid or malformed.
            /// </exception>
            byte[] Unprotect(byte[] protectedData);
        }
    }
    
    namespace Microsoft.AspNetCore.DataProtection
    {
        /// <summary>
        /// An interface that can be used to create <see cref="IDataProtector"/> instances.
        /// </summary>
        public interface IDataProtectionProvider
        {
            /// <summary>
            /// Creates an <see cref="IDataProtector"/> given a purpose.
            /// </summary>
            /// <param name="purpose">
            /// The purpose to be assigned to the newly-created <see cref="IDataProtector"/>.
            /// </param>
            /// <returns>An IDataProtector tied to the provided purpose.</returns>
            /// <remarks>
            /// The <paramref name="purpose"/> parameter must be unique for the intended use case; two
            /// different <see cref="IDataProtector"/> instances created with two different <paramref name="purpose"/>
            /// values will not be able to decipher each other's payloads. The <paramref name="purpose"/> parameter
            /// value is not intended to be kept secret.
            /// </remarks>
            IDataProtector CreateProtector(string purpose);
        }
    }
    

    They are both abstractions of some implementation that WS-Federation is implementing (one or the other or both) or that it is using (expecting it from some kind of DI container or constructor). In any case, you won't get it to work without it.

    The way to set this up is to also install the NuGet package from here
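The two interfaces quoted in the answer are all that the abstractions package contains; the actual protector comes from the Microsoft.AspNetCore.DataProtection package, which is registered in DI with `AddDataProtection()` and then resolved by the WS-Federation handler to protect its correlation and state cookies. The following console program is an added example, not code from the question, the answer, or the ASP.NET Core repository. It assumes the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages are referenced; the purpose strings, the application name and the sample payload are made up for the demonstration. It shows the three properties the XML comments above promise: a payload round-trips through the protector that created it, a protector created with a different purpose cannot read it, and a tampered payload is rejected with `CryptographicException` rather than silently decrypted to garbage.

```csharp
// Added example (not from the original page). Demonstrates IDataProtectionProvider /
// IDataProtector behaviour: purpose isolation and tamper detection.
// Assumes packages: Microsoft.AspNetCore.DataProtection, Microsoft.Extensions.DependencyInjection.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

class Program
{
    static void Main()
    {
        // Register Data Protection the same way a web host does. The ephemeral
        // provider keeps the key ring in memory so this sample runs anywhere;
        // a real deployment persists keys (file system, Key Vault, Redis, ...)
        // so protected cookies survive restarts and work across instances.
        var services = new ServiceCollection();
        services.AddDataProtection()
                .SetApplicationName("ws-fed-demo")          // assumed name
                .UseEphemeralDataProtectionProvider();

        using ServiceProvider sp = services.BuildServiceProvider();
        var provider = sp.GetRequiredService<IDataProtectionProvider>();

        // Purpose strings are not secret, but they isolate consumers: a protector
        // derived for one purpose chain cannot decipher another's payloads.
        // (Purpose values below are assumed for illustration.)
        IDataProtector wsFedState = provider.CreateProtector("WsFederation", "state", "v1");
        IDataProtector other      = provider.CreateProtector("MyApp", "password-reset");

        // Constructed sample payload, roughly what an authentication handler
        // would store in its state cookie during the sign-in round trip.
        byte[] plaintext = Encoding.UTF8.GetBytes("returnUrl=/dashboard;nonce=0123456789");

        // 1. Protect / Unprotect round-trips with the same purpose.
        byte[] protectedState = wsFedState.Protect(plaintext);
        byte[] recovered = wsFedState.Unprotect(protectedState);
        Console.WriteLine("round trip ok: " + (Encoding.UTF8.GetString(recovered) ==
                                               Encoding.UTF8.GetString(plaintext)));

        // 2. A different purpose is rejected, even though both protectors share
        //    the same key ring.
        Console.WriteLine("other purpose rejected: " + Rejects(() => other.Unprotect(protectedState)));

        // 3. Tampering is detected: the payload is authenticated, not just encrypted,
        //    so flipping one byte in the middle yields CryptographicException.
        byte[] tampered = (byte[])protectedState.Clone();
        tampered[tampered.Length / 2] ^= 0x01;
        Console.WriteLine("tampered payload rejected: " + Rejects(() => wsFedState.Unprotect(tampered)));
    }

    // Returns true when the action throws CryptographicException, which is the
    // exception type documented on IDataProtector.Unprotect for invalid input.
    static bool Rejects(Action unprotect)
    {
        try
        {
            unprotect();
            return false;
        }
        catch (CryptographicException)
        {
            return true;
        }
    }
}
```

All three lines print `true`. When the WS-Federation handler is wired up with `AddAuthentication().AddWsFederation(...)` in a web application, the same `IDataProtectionProvider` is pulled from the container for it; the abstractions package is what lets the handler's assembly reference `IDataProtectionProvider` without depending on a particular implementation, which is why the build fails when that package is missing or its version does not match the rest of the framework references.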