Beginning Windows CardSpace development


Brian Eastwood, Site Editor
12.15.2006


Customer security is becoming an increasingly important part of Web application development. One key to security, particularly in credit-card and other financial transactions, is safer customer identity management.

Microsoft's foray into this field is Windows CardSpace, formerly InfoCard. You can learn the basics in the MSDN video InfoCard explained, in which two members of the CardSpace team spend a lot of time at the whiteboard and explain the tool's architecture.

There are two types of CardSpace information cards -- personal cards, which users create themselves, and managed cards, which are issued by identity providers.

The card itself does not actually contain any personal data. Rather, the card indicates which identity provider must be contacted to obtain the claims to this data. An application requests these claims by issuing a security token; once this happens, the entire transaction is locked down, and no code at all will run.

More details on the process of sending tokens and receiving information are available in the SearchVB.com article Introduction to Windows CardSpace. In addition, sister site SearchWebServices.com has a tip, CardSpace: Microsoft's latest for identity management, which looks at CardSpace's affiliation with Web services standards and how that can make life easy for service providers.

MSDN offers several CardSpace tutorials as well. For example, earlier this year Keith Brown penned A First Look at InfoCard and Step-by-Step Guide to InfoCard. The former looks at the seven laws of identity and describes how developers can use CardSpace to adhere to those laws; the latter takes a closer look at CardSpace protocols and addresses what kind of trust one should put in the party at the other end of a transaction.

Additional references from Microsoft are available on the Windows CardSpace MSDN page.

CardSpace, WCF and Windows Vista

CardSpace is closely tied to the Windows Communication Foundation, or WCF, which is the .NET Framework 3.0 tool for building Web services and distributed systems. Blogger Vittorio Bertocci describes this relationship in an in-depth post.

"The sample presented here demonstrates how a simple WPF application can leverage CardSpace for securing the access to two different WCF web services, prompting the user only once," Bertocci said. His sample puts weather and traffic information on the same map.

Bertocci recently posted a second sample; this one is called Securing a Sidebar Gadget with Windows CardSpace and WCF. The Sidebar is a new UI feature in Windows Vista that allows end users to keep track of regularly updated information through the use of gadgets, which are nothing more than HTML files. Sometimes this info is public -- think football scores, stock quotes or weather reports -- but in some cases it is confidential, and thus simply using the CardSpace HTML object tag is woefully insufficient.

To do this properly, the Sidebar gadget must instantiate and invoke an ActiveX object that, in turn, creates a new AppDomain, which contains the WCF proxy that is used to invoke the service. "The CardSpace UI pops up, we perform the call, we get back the result, we destroy the new AppDomain, we give back the result to the HTM code," Bertocci states. (Don't worry -- there is lots of sample code.)

Additional information on CardSpace's ties with WCF (along with a nice, diagram-filled refresher on the Windows CardSpace architecture) can be found in the recent MSDN article, Secure Your ASP.NET Apps and WCF Services with Windows CardSpace by Michele Leroux Bustamante. No summary written here can do this article much justice, so instead we will offer a couple of very basic snippets.

On ASP.NET applications, Bustamante writes:

"For Web applications to support personal or managed card authentication, they must first provide a Web page with an object tag or an XHTML binary behavior describing their information card requirements. Browsers that support these tags and have an information card extension will be able to launch the appropriate identity selector on the client machine for users to select a card."
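An added example, not taken from Bustamante's article or from Microsoft's samples, of the kind of object tag described above: a sign-in form that asks the identity selector for a personal (self-issued) card carrying two claims. The form name, the action URL and the choice of claims are assumptions made for illustration.

```html
<!-- Added example. Serve this page over HTTPS: the selector identifies the
     site by its certificate and encrypts the token to it. -->
<form name="signin" method="post" action="login.aspx"> <!-- login.aspx is a hypothetical handler -->

  <!-- The object tag states the site's information card requirements.
       Its name ("xmlToken") becomes the form field that carries the
       encrypted token when the form is posted. -->
  <object type="application/x-informationcard" name="xmlToken">

    <!-- Token format the site expects -->
    <param name="tokenType"
           value="urn:oasis:names:tc:SAML:1.0:assertion" />

    <!-- This issuer URI means "a personal card the user created";
         a managed card would name the identity provider instead -->
    <param name="issuer"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />

    <!-- Space-separated claim URIs. Ask only for what the application
         needs: the selector shows this list to the user before release. -->
    <param name="requiredClaims"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
  </object>

  <!-- Submitting the form launches the identity selector in a supporting browser -->
  <input type="submit" value="Sign in with an information card" />
</form>
```

On the server, the posted xmlToken value must be decrypted with the site's private key and its signature and claims validated before anything in it is trusted.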

In the case of Web services built using Windows Communication Foundation, she notes, "This [Windows CardSpace authentication] is done by configuring service endpoints to use WSFederationHttpBinding. This generates a security policy for the service, included in the Web Service Description Language (WSDL) document that indicates it requires personal tokens."

It is also worth noting, Bustamante indicates, that ASP.NET and WCF handle CardSpace authentication claims a little differently.

Beyond .NET 3.0

It should be noted that Windows CardSpace works best with Internet Explorer 7, the .NET Framework 3.0 and Windows Vista. That, however, does not mean it will not work with other technologies.

First, Garrett Serack of the CardSpace team has posted on his blog a CardSpace security token for ASP.NET 1.1. Serack did this at the request of Scott Hanselman. "My argument was/is that many folks who have .NET 1.1 ASP.NET applications might want to include integration with CardSpaces without necessarily moving the whole app to .NET 3.0," Hanselman writes in his blog.

Second, Kevin Miller has created an Identity Selector extension for Firefox that supports CardSpace and other identity selection technologies.

Third, there are projects in the works to enable support for CardSpace on Apache and CardSpace on Eclipse. (Thanks to Richard Turner for pointing out these items.)
