consider changing appcontainer loopback exemption utility display of ac-sid values


robertob

Feb 4, 2014, 7:43:02 PM
to httpf...@googlegroups.com
Currently the fiddler | win8 config -> appcontainer loopback exemption utility display of ac-sid values lists the entries with upper case 'S' prefix.

Within winrt apps, when you look up the callback uri value containing the sid value using the following api calls, it returns the sid value with a lower case 's' prefix, e.g. "ms-app://s-<remainder of sid>/".

html/js -> var msappSid = Windows.Security.Authentication.Web.WebAuthenticationBroker.getCurrentApplicationCallbackUri().absoluteUri;

xaml/cs -> var msappSid = Windows.Security.Authentication.Web.WebAuthenticationBroker.GetCurrentApplicationCallbackUri().AbsoluteUri;

That callbackUri value containing sid is super important when it comes to aad/acs/adfsV3 provisioning to support signin and token acquisition by native winrt client apps.  We often have people using fiddler as a way to acquire that sid value so they can then construct the ms-app://<sid>/ callbackUri string they ask ops to provision.

q1 - Is it possible to have the fiddler ac-sid listing use a lower case "s-" prefix instead of the current upper case "S-" prefix, so that when folks use fiddler to acquire their winrt app's callbackUri for onboarding to aad/acs/adfsV3 they don't inadvertently use the upper case "S-" format from fiddler, which causes signin and token acquisitions to fail because it's case sensitive? Alternatively, would it be relevant for a large number of users to include an ac-callbackUri column populated with the "ms-app://s-.../" string value so folks can use fiddler to just grab that value?

q2 - Since winrt apps exist in win8, win81 and soon winVnext dogfood builds would it make sense to change fiddler | "win8 config" button to instead read "winrt config" or "winrt lbe config"?


EricLaw

Feb 5, 2014, 11:59:22 AM
Hi, RobertoB-- Thanks for the feedback!

Do you work for Microsoft by chance? If so, some of your feedback is probably better directed to folks internally.

Just to clarify here, most of your questions aren't really about Fiddler; they're about the EnableLoopback utility which Fiddler includes, but it's not a part of Fiddler itself. The tool is available for download independently of Fiddler.

Fiddler shows the SID in uppercase because that's the canonical form used by Windows and the .NET Framework, which you can see inside SecurityIdentifier.cs's implementation of System.Security.Principal.SecurityIdentifier.ToString(). The format is documented by an MS Open Protocol specification which can be found here: http://msdn.microsoft.com/en-us/library/ff632068.aspx.

If the "MS-App" protocol isn't accepting that value case-insensitively, that seems like a pretty clear bug in the MS-App protocol itself. Even the documentation uses the uppercase syntax: http://msdn.microsoft.com/en-us/library/windows/apps/hh750287.aspx

It also seems like the provisioning code could detect and accommodate the URL with a capital S- prefix. I'm not especially opposed to showing the string in lowercase/non-canonical form, but doing so seems like an odd place to try to "fix" this issue.

In Fiddler itself, the name of the button was non-trivial to select due to Microsoft's abject failure to name things properly in the Win8 timeframe. I wouldn't want to name the button "WinRT Config" for two reasons:

  1> Most folks don't know what WinRT is.
  2> WinRT apps account for only a subset of AppContainer scenarios. In particular, IE10+ in Enhanced Protected Mode uses AppContainers.

-Eric

robertob

Feb 5, 2014, 3:20:59 PM
to httpf...@googlegroups.com
Yes, I work at the cracker factory and I'll surface some of this feedback in that direction as well. Thanks for the details on the appcontainer [ enable ] loopback exemption utility launch button text. I understood that utility to be a separately installed bit of functionality but assumed, I guess incorrectly, that it was implemented by you/telerik as well.

EricLaw

Feb 5, 2014, 6:16:00 PM
to httpf...@googlegroups.com
Oh, I did build the EnableLoopback tool too, I'm merely a bit alarmed that anyone would be installing Fiddler just to get its EnableLoopback utility. :-)

robertob

Feb 6, 2014, 3:17:58 AM
to httpf...@googlegroups.com
The fiddler client is a staple for debugging federated identity token acquisition flows, especially those carried out by the web authentication broker (wab), and so the appcontainer enable loopback exemption utility becomes a quick and easy way to grab the app's sid versus having to add a runtime api call and grab it from a debug/test run result.

I checked with wab crew and their callbackUri comparison checks are based on Uri type which is case insensitive.  Revisiting the matter it appears the case sensitive comparison issue is in fact arising in custom web app layer code that checked if current client signin was a trusted winrt app and if so generated the wab callbackUri redirect to terminate signin process.  This is only necessary in case of federations with legacy adfsV2 setups and not for aad, acs and adfsV3 that have support for generating the callbackUri redirect.