mono/mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/ClientCredentialsSecurityTokenManager.cs

//-----------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.  All rights reserved.
//-----------------------------------------------------------------------------

namespace System.ServiceModel
{
    using System.Collections.Generic;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.Net;
    using System.Security.Authentication.ExtendedProtection;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Description;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;
    using System.Xml;
    using System.IdentityModel.Protocols.WSTrust;
    using SafeFreeCredentials = System.IdentityModel.SafeFreeCredentials;

    public class ClientCredentialsSecurityTokenManager : SecurityTokenManager
    {
        ClientCredentials parent;

        public ClientCredentialsSecurityTokenManager(ClientCredentials clientCredentials)
        {
            if (clientCredentials == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("clientCredentials");
            }
            this.parent = clientCredentials;
        }

        public ClientCredentials ClientCredentials
        {
            get { return this.parent; }
        }

        string GetServicePrincipalName(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            EndpointAddress targetAddress = initiatorRequirement.TargetAddress;
            if (targetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            IdentityVerifier identityVerifier;
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;
            if (securityBindingElement != null)
            {
                identityVerifier = securityBindingElement.LocalClientSettings.IdentityVerifier;
            }
            else
            {
                identityVerifier = IdentityVerifier.CreateDefault();
            }
            EndpointIdentity identity;
            identityVerifier.TryGetIdentity(targetAddress, out identity);
            return SecurityUtils.GetSpnFromIdentity(identity, targetAddress);
        }

        SspiSecurityToken GetSpnegoClientCredential(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            InitiatorServiceModelSecurityTokenRequirement sspiCredentialRequirement = new InitiatorServiceModelSecurityTokenRequirement();
            sspiCredentialRequirement.TargetAddress = initiatorRequirement.TargetAddress;
            sspiCredentialRequirement.TokenType = ServiceModelSecurityTokenTypes.SspiCredential;
            sspiCredentialRequirement.Via = initiatorRequirement.Via;
            sspiCredentialRequirement.RequireCryptographicToken = false;
            sspiCredentialRequirement.SecurityBindingElement = initiatorRequirement.SecurityBindingElement;
            sspiCredentialRequirement.MessageSecurityVersion = initiatorRequirement.MessageSecurityVersion;
            ChannelParameterCollection parameters;
            if (initiatorRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters))
            {
                sspiCredentialRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = parameters;
            }
            SecurityTokenProvider sspiTokenProvider = this.CreateSecurityTokenProvider(sspiCredentialRequirement);
            SecurityUtils.OpenTokenProviderIfRequired(sspiTokenProvider, TimeSpan.Zero);
            SspiSecurityToken sspiToken = (SspiSecurityToken) sspiTokenProvider.GetToken(TimeSpan.Zero);
            SecurityUtils.AbortTokenProviderIfRequired(sspiTokenProvider);
            return sspiToken;
        }

        SecurityTokenProvider CreateSpnegoTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            EndpointAddress targetAddress = initiatorRequirement.TargetAddress;
            if (targetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;
            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
            }
            SspiIssuanceChannelParameter sspiChannelParameter = GetSspiIssuanceChannelParameter(initiatorRequirement);
            bool negotiateTokenOnOpen = (sspiChannelParameter == null ? true : sspiChannelParameter.GetTokenOnOpen);
            LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings;
            BindingContext issuerBindingContext = initiatorRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            SpnegoTokenProvider spnegoTokenProvider = new SpnegoTokenProvider(sspiChannelParameter != null ? sspiChannelParameter.CredentialsHandle : null, securityBindingElement);
            SspiSecurityToken clientSspiToken = GetSpnegoClientCredential(initiatorRequirement);
            spnegoTokenProvider.ClientCredential = clientSspiToken.NetworkCredential;
            spnegoTokenProvider.IssuerAddress = initiatorRequirement.IssuerAddress;
            spnegoTokenProvider.AllowedImpersonationLevel = parent.Windows.AllowedImpersonationLevel;
            spnegoTokenProvider.AllowNtlm = clientSspiToken.AllowNtlm;
            spnegoTokenProvider.IdentityVerifier = localClientSettings.IdentityVerifier;
            spnegoTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
            // if this is not a supporting token, authenticate the server
            spnegoTokenProvider.AuthenticateServer = !initiatorRequirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty);
            spnegoTokenProvider.NegotiateTokenOnOpen = negotiateTokenOnOpen;
            spnegoTokenProvider.CacheServiceTokens = negotiateTokenOnOpen || localClientSettings.CacheCookies;
            spnegoTokenProvider.IssuerBindingContext = issuerBindingContext;
            spnegoTokenProvider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime;
            spnegoTokenProvider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage;
            spnegoTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
            spnegoTokenProvider.TargetAddress = targetAddress;
            spnegoTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault<Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
            spnegoTokenProvider.ApplicationProtectionRequirements = (issuerBindingContext != null) ? issuerBindingContext.BindingParameters.Find<ChannelProtectionRequirements>() : null;
            spnegoTokenProvider.InteractiveNegoExLogonEnabled = this.ClientCredentials.SupportInteractive;
            
            return spnegoTokenProvider;
        }

        SecurityTokenProvider CreateTlsnegoClientX509TokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            InitiatorServiceModelSecurityTokenRequirement clientX509Requirement = new InitiatorServiceModelSecurityTokenRequirement();
            clientX509Requirement.TokenType = SecurityTokenTypes.X509Certificate;
            clientX509Requirement.TargetAddress = initiatorRequirement.TargetAddress;
            clientX509Requirement.SecurityBindingElement = initiatorRequirement.SecurityBindingElement;
            clientX509Requirement.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
            clientX509Requirement.RequireCryptographicToken = true;
            clientX509Requirement.MessageSecurityVersion = initiatorRequirement.MessageSecurityVersion;
            clientX509Requirement.KeyUsage = SecurityKeyUsage.Signature;
            clientX509Requirement.KeyType = SecurityKeyType.AsymmetricKey;
            clientX509Requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Output;
            ChannelParameterCollection parameters;
            if (initiatorRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters))
            {
                clientX509Requirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = parameters;
            }
            return this.CreateSecurityTokenProvider(clientX509Requirement);
        }

        SecurityTokenAuthenticator CreateTlsnegoServerX509TokenAuthenticator(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            InitiatorServiceModelSecurityTokenRequirement serverX509Requirement = new InitiatorServiceModelSecurityTokenRequirement();
            serverX509Requirement.TokenType = SecurityTokenTypes.X509Certificate;
            serverX509Requirement.RequireCryptographicToken = true;
            serverX509Requirement.SecurityBindingElement = initiatorRequirement.SecurityBindingElement;
            serverX509Requirement.MessageSecurityVersion = initiatorRequirement.MessageSecurityVersion;
            serverX509Requirement.KeyUsage = SecurityKeyUsage.Exchange;
            serverX509Requirement.KeyType = SecurityKeyType.AsymmetricKey;
            serverX509Requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Input;
            ChannelParameterCollection parameters;
            if (initiatorRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters))
            {
                serverX509Requirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = parameters;
            }
            SecurityTokenResolver dummy;
            return this.CreateSecurityTokenAuthenticator(serverX509Requirement, out dummy);
        }

        SspiIssuanceChannelParameter GetSspiIssuanceChannelParameter(SecurityTokenRequirement initiatorRequirement)
        {
            ChannelParameterCollection channelParameters;
            if (initiatorRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameters))
            {
                if (channelParameters != null)
                {
                    for (int i = 0; i < channelParameters.Count; ++i)
                    {
                        if (channelParameters[i] is SspiIssuanceChannelParameter)
                        {
                            return (SspiIssuanceChannelParameter)channelParameters[i];
                        }
                    }
                }
            }
            return null;
        }

        SecurityTokenProvider CreateTlsnegoTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement, bool requireClientCertificate)
        {
            EndpointAddress targetAddress = initiatorRequirement.TargetAddress;
            if (targetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;
            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
            }
            SspiIssuanceChannelParameter sspiChannelParameter = GetSspiIssuanceChannelParameter(initiatorRequirement);
            bool negotiateTokenOnOpen = sspiChannelParameter != null && sspiChannelParameter.GetTokenOnOpen;
            LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings;
            BindingContext issuerBindingContext = initiatorRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            TlsnegoTokenProvider tlsnegoTokenProvider = new TlsnegoTokenProvider();
            tlsnegoTokenProvider.IssuerAddress = initiatorRequirement.IssuerAddress;
            tlsnegoTokenProvider.NegotiateTokenOnOpen = negotiateTokenOnOpen;
            tlsnegoTokenProvider.CacheServiceTokens = negotiateTokenOnOpen || localClientSettings.CacheCookies;
            if (requireClientCertificate)
            {
                tlsnegoTokenProvider.ClientTokenProvider = this.CreateTlsnegoClientX509TokenProvider(initiatorRequirement);
            }
            tlsnegoTokenProvider.IssuerBindingContext = issuerBindingContext;
            tlsnegoTokenProvider.ApplicationProtectionRequirements = (issuerBindingContext != null) ? issuerBindingContext.BindingParameters.Find<ChannelProtectionRequirements>() : null;
            tlsnegoTokenProvider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime;
            tlsnegoTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
            tlsnegoTokenProvider.ServerTokenAuthenticator = this.CreateTlsnegoServerX509TokenAuthenticator(initiatorRequirement);
            tlsnegoTokenProvider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage;
            tlsnegoTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
            tlsnegoTokenProvider.TargetAddress = initiatorRequirement.TargetAddress;
            tlsnegoTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault<Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
            return tlsnegoTokenProvider;
        }

        SecurityTokenProvider CreateSecureConversationSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            EndpointAddress targetAddress = initiatorRequirement.TargetAddress;
            if (targetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;
            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
            }
            LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings;
            BindingContext issuerBindingContext = initiatorRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            ChannelParameterCollection channelParameters = initiatorRequirement.GetPropertyOrDefault<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, null);
            bool isSessionMode = initiatorRequirement.SupportSecurityContextCancellation;
            if (isSessionMode)
            {
                SecuritySessionSecurityTokenProvider sessionTokenProvider = new SecuritySessionSecurityTokenProvider(GetCredentialsHandle(initiatorRequirement));
                sessionTokenProvider.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(initiatorRequirement);
                sessionTokenProvider.IssuedSecurityTokenParameters = initiatorRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
                sessionTokenProvider.IssuerBindingContext = issuerBindingContext;
                sessionTokenProvider.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
                sessionTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
                sessionTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
                sessionTokenProvider.TargetAddress = targetAddress;
                sessionTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault<Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
                Uri privacyNoticeUri;
                if (initiatorRequirement.TryGetProperty<Uri>(ServiceModelSecurityTokenRequirement.PrivacyNoticeUriProperty, out privacyNoticeUri))
                {
                    sessionTokenProvider.PrivacyNoticeUri = privacyNoticeUri;
                }
                int privacyNoticeVersion;
                if (initiatorRequirement.TryGetProperty<int>(ServiceModelSecurityTokenRequirement.PrivacyNoticeVersionProperty, out privacyNoticeVersion))
                {
                    sessionTokenProvider.PrivacyNoticeVersion = privacyNoticeVersion;
                }
                EndpointAddress localAddress;
                if (initiatorRequirement.TryGetProperty<EndpointAddress>(ServiceModelSecurityTokenRequirement.DuplexClientLocalAddressProperty, out localAddress))
                {
                    sessionTokenProvider.LocalAddress = localAddress;
                }
                sessionTokenProvider.ChannelParameters = channelParameters;
                sessionTokenProvider.WebHeaders = initiatorRequirement.WebHeaders;

                return sessionTokenProvider;
            }
            else
            {
                AcceleratedTokenProvider acceleratedTokenProvider = new AcceleratedTokenProvider(GetCredentialsHandle(initiatorRequirement));
                acceleratedTokenProvider.IssuerAddress = initiatorRequirement.IssuerAddress;
                acceleratedTokenProvider.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(initiatorRequirement);
                acceleratedTokenProvider.CacheServiceTokens = localClientSettings.CacheCookies;
                acceleratedTokenProvider.IssuerBindingContext = issuerBindingContext;
                acceleratedTokenProvider.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
                acceleratedTokenProvider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime;
                acceleratedTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
                acceleratedTokenProvider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage;
                acceleratedTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
                acceleratedTokenProvider.TargetAddress = targetAddress;
                acceleratedTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault<Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
                Uri privacyNoticeUri;
                if (initiatorRequirement.TryGetProperty<Uri>(ServiceModelSecurityTokenRequirement.PrivacyNoticeUriProperty, out privacyNoticeUri))
                {
                    acceleratedTokenProvider.PrivacyNoticeUri = privacyNoticeUri;
                }
                acceleratedTokenProvider.ChannelParameters = channelParameters;
                int privacyNoticeVersion;
                if (initiatorRequirement.TryGetProperty<int>(ServiceModelSecurityTokenRequirement.PrivacyNoticeVersionProperty, out privacyNoticeVersion))
                {
                    acceleratedTokenProvider.PrivacyNoticeVersion = privacyNoticeVersion;
                }
                return acceleratedTokenProvider;
            }
        }

        SecurityTokenProvider CreateServerX509TokenProvider(EndpointAddress targetAddress)
        {
            X509Certificate2 targetServerCertificate = null;
            if (targetAddress != null)
            {
                parent.ServiceCertificate.ScopedCertificates.TryGetValue(targetAddress.Uri, out targetServerCertificate);
            }
            if (targetServerCertificate == null)
            {
                targetServerCertificate = parent.ServiceCertificate.DefaultCertificate;
            }
            if ((targetServerCertificate == null) && (targetAddress.Identity != null) && (targetAddress.Identity.GetType() == typeof(X509CertificateEndpointIdentity)))
            {
                targetServerCertificate = ((X509CertificateEndpointIdentity)targetAddress.Identity).Certificates[0];
            }            
            if (targetServerCertificate != null)
            {
                return new X509SecurityTokenProvider(targetServerCertificate);
            }
            else
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ServiceCertificateNotProvidedOnClientCredentials, targetAddress.Uri)));
            }
        }

        X509SecurityTokenAuthenticator CreateServerX509TokenAuthenticator()
        {
            return new X509SecurityTokenAuthenticator(parent.ServiceCertificate.Authentication.GetCertificateValidator(), false);
        }

        X509SecurityTokenAuthenticator CreateServerSslX509TokenAuthenticator()
        {
            if (parent.ServiceCertificate.SslCertificateAuthentication != null)
            {
                return new X509SecurityTokenAuthenticator(parent.ServiceCertificate.SslCertificateAuthentication.GetCertificateValidator(), false);
            }

            return CreateServerX509TokenAuthenticator();
        }

        bool IsDigestAuthenticationScheme(SecurityTokenRequirement requirement)
        {
            if (requirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty))
            {
                AuthenticationSchemes authScheme = (AuthenticationSchemes)requirement.Properties[ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty];

                if (!authScheme.IsSingleton())
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("value", SR.GetString(SR.HttpRequiresSingleAuthScheme, authScheme));
                }

                return (authScheme == AuthenticationSchemes.Digest);
            }
            else
            {
                return false;
            }
        }

        internal protected bool IsIssuedSecurityTokenRequirement(SecurityTokenRequirement requirement)
        {
            if (requirement != null && requirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.IssuerAddressProperty))
            {
                // handle all issued token requirements except for spnego, tlsnego and secure conversation
                if (requirement.TokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego || requirement.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego
                    || requirement.TokenType == ServiceModelSecurityTokenTypes.SecureConversation || requirement.TokenType == ServiceModelSecurityTokenTypes.Spnego)
                {
                    return false;
                }
                else
                {
                    return true;
                }
            }
            return false;
        }

        void CopyIssuerChannelBehaviorsAndAddSecurityCredentials(IssuedSecurityTokenProvider federationTokenProvider, KeyedByTypeCollection<IEndpointBehavior> issuerChannelBehaviors, EndpointAddress issuerAddress)
        {
            if (issuerChannelBehaviors != null)
            {
                foreach (IEndpointBehavior behavior in issuerChannelBehaviors)
                {
                    if (behavior is SecurityCredentialsManager)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.IssuerChannelBehaviorsCannotContainSecurityCredentialsManager, issuerAddress, typeof(SecurityCredentialsManager))));
                    }
                    federationTokenProvider.IssuerChannelBehaviors.Add(behavior);
                }
            }
            federationTokenProvider.IssuerChannelBehaviors.Add(parent);
        }

        SecurityKeyEntropyMode GetIssuerBindingKeyEntropyModeOrDefault(Binding issuerBinding)
        {
            BindingElementCollection bindingElements = issuerBinding.CreateBindingElements();
            SecurityBindingElement securityBindingElement = bindingElements.Find<SecurityBindingElement>();
            if (securityBindingElement != null)
            {
                return securityBindingElement.KeyEntropyMode;
            }
            else
            {
                return parent.IssuedToken.DefaultKeyEntropyMode;
            }
        }

        void GetIssuerBindingSecurityVersion(Binding issuerBinding, MessageSecurityVersion issuedTokenParametersDefaultMessageSecurityVersion, SecurityBindingElement outerSecurityBindingElement, out MessageSecurityVersion messageSecurityVersion, out SecurityTokenSerializer tokenSerializer)
        {
            // Logic for setting version is:
            // 1. use issuer SBE
            // 2. use ITSP
            // 3. use outer SBE
            //

            messageSecurityVersion = null;

            if (issuerBinding != null)
            {
                BindingElementCollection bindingElements = issuerBinding.CreateBindingElements();
                SecurityBindingElement securityBindingElement = bindingElements.Find<SecurityBindingElement>();
                if (securityBindingElement != null)
                {
                    messageSecurityVersion = securityBindingElement.MessageSecurityVersion;
                }
            }

            if (messageSecurityVersion == null)
            {
                if (issuedTokenParametersDefaultMessageSecurityVersion != null)
                {
                    messageSecurityVersion = issuedTokenParametersDefaultMessageSecurityVersion;
                }
                else if (outerSecurityBindingElement != null)
                {
                    messageSecurityVersion = outerSecurityBindingElement.MessageSecurityVersion;
                }
            }

            if (messageSecurityVersion == null)
            {
                messageSecurityVersion = MessageSecurityVersion.Default;
            }

            tokenSerializer = this.CreateSecurityTokenSerializer(messageSecurityVersion.SecurityTokenVersion);
        }

        IssuedSecurityTokenProvider CreateIssuedSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement, FederatedClientCredentialsParameters actAsOnBehalfOfParameters)
        {
            if (initiatorRequirement.TargetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;
            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
            }

            EndpointAddress issuerAddress = initiatorRequirement.IssuerAddress;
            Binding issuerBinding = initiatorRequirement.IssuerBinding;

            //
            // If the issuer address is indeed anonymous or null, we will try the local issuer
            //
            bool isLocalIssuer = (issuerAddress == null || issuerAddress.Equals(EndpointAddress.AnonymousAddress));

            if (isLocalIssuer)
            {
                issuerAddress = parent.IssuedToken.LocalIssuerAddress;
                issuerBinding = parent.IssuedToken.LocalIssuerBinding;
            }
            if (issuerAddress == null)
            {
                // if issuer address is still null then the user forgot to specify the local issuer
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.StsAddressNotSet, initiatorRequirement.TargetAddress)));
            }
            if (issuerBinding == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.StsBindingNotSet, issuerAddress)));
            }

            Uri issuerUri = issuerAddress.Uri;
            KeyedByTypeCollection<IEndpointBehavior> issuerChannelBehaviors;
            if (!parent.IssuedToken.IssuerChannelBehaviors.TryGetValue(issuerAddress.Uri, out issuerChannelBehaviors) && isLocalIssuer)
            {
                issuerChannelBehaviors = parent.IssuedToken.LocalIssuerChannelBehaviors;
            }

            IssuedSecurityTokenProvider federationTokenProvider = new IssuedSecurityTokenProvider(GetCredentialsHandle(initiatorRequirement));
            federationTokenProvider.TokenHandlerCollectionManager = this.parent.SecurityTokenHandlerCollectionManager;
            federationTokenProvider.TargetAddress = initiatorRequirement.TargetAddress;
            CopyIssuerChannelBehaviorsAndAddSecurityCredentials(federationTokenProvider, issuerChannelBehaviors, issuerAddress);
            federationTokenProvider.CacheIssuedTokens = parent.IssuedToken.CacheIssuedTokens;
            federationTokenProvider.IdentityVerifier = securityBindingElement.LocalClientSettings.IdentityVerifier;
            federationTokenProvider.IssuerAddress = issuerAddress;
            federationTokenProvider.IssuerBinding = issuerBinding;
            federationTokenProvider.KeyEntropyMode = GetIssuerBindingKeyEntropyModeOrDefault(issuerBinding);
            federationTokenProvider.MaxIssuedTokenCachingTime = parent.IssuedToken.MaxIssuedTokenCachingTime;
            federationTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
            MessageSecurityVersion issuerSecurityVersion;
            SecurityTokenSerializer issuerSecurityTokenSerializer;
            IssuedSecurityTokenParameters issuedTokenParameters = initiatorRequirement.GetProperty<IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);

            GetIssuerBindingSecurityVersion(issuerBinding, issuedTokenParameters.DefaultMessageSecurityVersion, initiatorRequirement.SecurityBindingElement, out issuerSecurityVersion, out issuerSecurityTokenSerializer);
            federationTokenProvider.MessageSecurityVersion = issuerSecurityVersion;
            federationTokenProvider.SecurityTokenSerializer = issuerSecurityTokenSerializer;
            federationTokenProvider.IssuedTokenRenewalThresholdPercentage = parent.IssuedToken.IssuedTokenRenewalThresholdPercentage;

            IEnumerable<XmlElement> tokenRequestParameters = issuedTokenParameters.CreateRequestParameters(issuerSecurityVersion, issuerSecurityTokenSerializer);
            if (tokenRequestParameters != null)
            {
                foreach (XmlElement requestParameter in tokenRequestParameters)
                {
                    federationTokenProvider.TokenRequestParameters.Add(requestParameter);
                }
            }
            ChannelParameterCollection channelParameters;
            if (initiatorRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameters))
            {
                federationTokenProvider.ChannelParameters = channelParameters;
            }

            federationTokenProvider.SetupActAsOnBehalfOfParameters(actAsOnBehalfOfParameters);
            return federationTokenProvider;
        }

        public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
        {
            return this.CreateSecurityTokenProvider(tokenRequirement, false);
        }

        internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }

            SecurityTokenProvider result = null;
            if (disableInfoCard || !CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out result))
            {
                if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                {
                    // this is the uncorrelated duplex case
                    if (parent.ClientCertificate.Certificate == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
                    }
                    result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
                }
                else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
                {
                    InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
#pragma warning suppress 56506 // initiatorRequirement will never be null due to the preceding 'is' validation.
                    string tokenType = initiatorRequirement.TokenType;
                    if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
                    {
                        FederatedClientCredentialsParameters additionalParameters = this.FindFederatedChannelParameters(tokenRequirement);

                        if (additionalParameters != null && additionalParameters.IssuedSecurityToken != null)
                        {
                            return new SimpleSecurityTokenProvider(additionalParameters.IssuedSecurityToken, tokenRequirement);
                        }
                        
                        result = CreateIssuedSecurityTokenProvider(initiatorRequirement, additionalParameters);
                    }
                    else if (tokenType == SecurityTokenTypes.X509Certificate)
                    {
                        if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                        {
                            result = CreateServerX509TokenProvider(initiatorRequirement.TargetAddress);
                        }
                        else
                        {
                            if (parent.ClientCertificate.Certificate == null)
                            {
                                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
                            }
                            result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
                        }
                    }
                    else if (tokenType == SecurityTokenTypes.Kerberos)
                    {
                        string spn = GetServicePrincipalName(initiatorRequirement);
                        result = new KerberosSecurityTokenProviderWrapper(
                            new KerberosSecurityTokenProvider(spn, parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential)), 
                            GetCredentialsHandle(initiatorRequirement));
                    }
                    else if (tokenType == SecurityTokenTypes.UserName)
                    {
                        if (parent.UserName.UserName == null )
                        {
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UserNamePasswordNotProvidedOnClientCredentials)));
                        }
                        result = new UserNameSecurityTokenProvider(parent.UserName.UserName, parent.UserName.Password);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
                    {
                        if (IsDigestAuthenticationScheme(initiatorRequirement))
                        {
                            result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.HttpDigest.ClientCredential), true, parent.HttpDigest.AllowedImpersonationLevel);
                        }
                        else
                        {

 #pragma warning disable 618   // to disable AllowNtlm obsolete wanring.      
  
                            result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential), 
                      
                                parent.Windows.AllowNtlm, 
                                parent.Windows.AllowedImpersonationLevel);
 #pragma warning restore 618 
                   
                        }
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
                    {
                        result = CreateSpnegoTokenProvider(initiatorRequirement);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
                    {
                        result = CreateTlsnegoTokenProvider(initiatorRequirement, true);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
                    {
                        result = CreateTlsnegoTokenProvider(initiatorRequirement, false);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
                    {
                        result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement);
                    }
                }
            }

            if ((result == null) && !tokenRequirement.IsOptionalToken)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
            }

            return result;
        }

        bool CardSpaceTryCreateSecurityTokenProviderStub(SecurityTokenRequirement tokenRequirement, ClientCredentialsSecurityTokenManager clientCredentialsTokenManager, out SecurityTokenProvider provider)
        {
            return InfoCardHelper.TryCreateSecurityTokenProvider(tokenRequirement, clientCredentialsTokenManager, out provider);
        }

        protected SecurityTokenSerializer CreateSecurityTokenSerializer(SecurityVersion version)
        {
            if (version == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("version"));
            }
            return this.CreateSecurityTokenSerializer(MessageSecurityTokenVersion.GetSecurityTokenVersion(version, true));
        }

        public override SecurityTokenSerializer CreateSecurityTokenSerializer(SecurityTokenVersion version)
        {
            if (version == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("version");
            }

            if (this.parent != null && this.parent.UseIdentityConfiguration)
            {
                return this.WrapTokenHandlersAsSecurityTokenSerializer(version);
            }

            MessageSecurityTokenVersion wsVersion = version as MessageSecurityTokenVersion;
            if (wsVersion != null)
            {
                return new WSSecurityTokenSerializer(wsVersion.SecurityVersion, wsVersion.TrustVersion, wsVersion.SecureConversationVersion, wsVersion.EmitBspRequiredAttributes, null, null, null);
            }
            else
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateSerializerForVersion, version)));
            }
        }

        private SecurityTokenSerializer WrapTokenHandlersAsSecurityTokenSerializer(SecurityTokenVersion version)
        {
            TrustVersion trustVersion = TrustVersion.WSTrust13;
            SecureConversationVersion scVersion = SecureConversationVersion.WSSecureConversation13;
            SecurityVersion securityVersion = SecurityVersion.WSSecurity11;
            foreach (string securitySpecification in version.GetSecuritySpecifications())
            {
                if (StringComparer.Ordinal.Equals(securitySpecification, WSTrustFeb2005Constants.NamespaceURI))
                {
                    trustVersion = TrustVersion.WSTrustFeb2005;
                }
                else if (StringComparer.Ordinal.Equals(securitySpecification, WSTrust13Constants.NamespaceURI))
                {
                    trustVersion = TrustVersion.WSTrust13;
                }
                else if (StringComparer.Ordinal.Equals(securitySpecification, System.IdentityModel.WSSecureConversationFeb2005Constants.Namespace))
                {
                    scVersion = SecureConversationVersion.WSSecureConversationFeb2005;
                }
                else if (StringComparer.Ordinal.Equals(securitySpecification, System.IdentityModel.WSSecureConversation13Constants.Namespace))
                {
                    scVersion = SecureConversationVersion.WSSecureConversation13;
                }
            }

            securityVersion = FederatedSecurityTokenManager.GetSecurityVersion(version);

            //
            // 


            SecurityTokenHandlerCollectionManager sthcm = this.parent.SecurityTokenHandlerCollectionManager;
            WsSecurityTokenSerializerAdapter adapter = new WsSecurityTokenSerializerAdapter(sthcm[SecurityTokenHandlerCollectionManager.Usage.Default], securityVersion, trustVersion, scVersion, false, null, null, null);
            return adapter;
        }

        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }

            outOfBandTokenResolver = null;
            SecurityTokenAuthenticator result = null;

            InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
            if (initiatorRequirement != null)
            {
                string tokenType = initiatorRequirement.TokenType;
                if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
                {
                    return new GenericXmlSecurityTokenAuthenticator();
                }
                else if (tokenType == SecurityTokenTypes.X509Certificate)
                {
                    if (initiatorRequirement.IsOutOfBandToken)
                    {
                        // when the client side soap security asks for a token authenticator, its for doing
                        // identity checks on the out of band server certificate
                        result = new X509SecurityTokenAuthenticator(X509CertificateValidator.None);
                    }
                    else if (initiatorRequirement.PreferSslCertificateAuthenticator)
                    {
                        result = CreateServerSslX509TokenAuthenticator();
                    }
                    else
                    {
                        result = CreateServerX509TokenAuthenticator();
                    }
                }
                else if (tokenType == SecurityTokenTypes.Rsa)
                {
                    result = new RsaSecurityTokenAuthenticator();
                }
                else if (tokenType == SecurityTokenTypes.Kerberos)
                {
                    result = new KerberosRequestorSecurityTokenAuthenticator();
                }
                else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation
                    || tokenType == ServiceModelSecurityTokenTypes.MutualSslnego
                    || tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego
                    || tokenType == ServiceModelSecurityTokenTypes.Spnego)
                {
                    result = new GenericXmlSecurityTokenAuthenticator();
                }
            }
            else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)
            {
                // uncorrelated duplex case
                result = CreateServerX509TokenAuthenticator();
            }

            if (result == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
            }

            return result;
        }

        SafeFreeCredentials GetCredentialsHandle(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            SspiIssuanceChannelParameter sspiChannelParameter = GetSspiIssuanceChannelParameter(initiatorRequirement);
            return sspiChannelParameter != null ? sspiChannelParameter.CredentialsHandle : null;
        }

        /// <summary>
        /// Looks for the first FederatedClientCredentialsParameters object in the ChannelParameterCollection
        /// property on the tokenRequirement.
        /// </summary>
        internal FederatedClientCredentialsParameters FindFederatedChannelParameters(SecurityTokenRequirement tokenRequirement)
        {
            FederatedClientCredentialsParameters issuedTokenClientCredentialsParameters = null;

            ChannelParameterCollection channelParameterCollection = null;
            if (tokenRequirement.TryGetProperty<ChannelParameterCollection>(
                                     ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty,
                                     out channelParameterCollection))
            {
                if (channelParameterCollection != null)
                {
                    foreach (object obj in channelParameterCollection)
                    {
                        issuedTokenClientCredentialsParameters = obj as FederatedClientCredentialsParameters;
                        if (issuedTokenClientCredentialsParameters != null)
                        {
                            break;
                        }
                    }
                }
            }
            return issuedTokenClientCredentialsParameters;
        }

        internal class KerberosSecurityTokenProviderWrapper : CommunicationObjectSecurityTokenProvider
        {
            KerberosSecurityTokenProvider innerProvider;
            SafeFreeCredentials credentialsHandle;
            bool ownCredentialsHandle = false;
            
            public KerberosSecurityTokenProviderWrapper(KerberosSecurityTokenProvider innerProvider, SafeFreeCredentials credentialsHandle)
            {
                this.innerProvider = innerProvider;
                this.credentialsHandle = credentialsHandle;
            }

            public override void OnOpening()
            {
                base.OnOpening();
                if (this.credentialsHandle == null)
                {
                    this.credentialsHandle = SecurityUtils.GetCredentialsHandle("Kerberos", this.innerProvider.NetworkCredential, false);
                    this.ownCredentialsHandle = true;
                }
            }

            public override void OnClose(TimeSpan timeout)
            {
                base.OnClose(timeout);
                FreeCredentialsHandle();
            }

            public override void OnAbort()
            {
                base.OnAbort();
                FreeCredentialsHandle();
            }

            void FreeCredentialsHandle()
            {
                if (this.credentialsHandle != null)
                {
                    if (this.ownCredentialsHandle)
                    {
                        this.credentialsHandle.Close();
                    }
                    this.credentialsHandle = null;
                }
            }

            internal SecurityToken GetToken(TimeSpan timeout, ChannelBinding channelbinding)
            {
                return new KerberosRequestorSecurityToken(this.innerProvider.ServicePrincipalName, 
                    this.innerProvider.TokenImpersonationLevel, this.innerProvider.NetworkCredential,
                    SecurityUniqueId.Create().Value, this.credentialsHandle, channelbinding);
            }
            protected override SecurityToken GetTokenCore(TimeSpan timeout)
            {
                return this.GetToken(timeout, null);
            }
        }
    }
}