Azure AppFabric ACS Gotchas : Longest Prefix Matching

I recently got bitten by a bit of Access Control Service logic related to the way it identifies which scope to issue claims for.

I have a service namespace foo. My Azure Service Bus scope for this namespace is therefore When I create the solution for this namespace two ACS instances are created. One is which is a general ACS and the other is which is scoped specifically to the Service Bus. This second ACS has a default Token Policy and Scope which I cannot change. NB: this has now changed. When you provision an AppFabric namespace now you can specify which services should be available (ACS, Service Bus and Cache). If you specify Service Bus you will get the bus-scoped ACS instance. You only get the generic ACS if you specifically request ACS as a service.

In my Service Bus solution I am exposing endpoints at and I have an issuer (Alice) with claims for the scope who is able to create endpoints at both and I have another issuer (Bob) who is able to send messages to endpoints at both and

I introduce a new issuer (Ivan) to whom I only want to grant access to To this end I create a new scope specifically for and create claims for Ivan in this new scope.

Here’s where I get bitten. Alice can still expose endpoints at and Bob can still send messages to them. Ivan can send messages to but not to which is exactly as intended. However, Alice can no longer expose endpoints at and Bob could not send to them even if she could. The reason for this is that although Alice and Bob have claims for when they try to access anything at they automatically fall into the new scope, for which they have no claims. The ACS matches scopes using the longest possible prefix and if there are no claims it will not check parent scopes.

The solution is simple – add new claims for Alice and Bob in the new scope, but the problem is, at first, counter-intuitive.
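To make the longest-prefix behaviour concrete, here is a small model of the scope lookup described above; it is an added example, not ACS code, and the namespace URI, issuer names and claim names (Listen, Send) are constructed placeholders:

```python
# Model of ACS scope resolution: the longest scope prefix wins and only that
# scope's claims are consulted, with no fallback to a parent scope.
from typing import Dict, Optional, Set

# scope URI -> {issuer -> set of claims granted to that issuer in that scope}
ScopeTable = Dict[str, Dict[str, Set[str]]]

NAMESPACE = "sb://foo.servicebus.example/"  # constructed placeholder URI


def resolve_scope(scopes: ScopeTable, target: str) -> Optional[str]:
    """Return the scope whose URI is the longest prefix of target, or None."""
    matches = [s for s in scopes if target.startswith(s)]
    return max(matches, key=len) if matches else None


def is_authorized(scopes: ScopeTable, issuer: str, target: str, claim: str) -> bool:
    """True only if the issuer holds the claim in the single matched scope."""
    scope = resolve_scope(scopes, target)
    if scope is None:
        return False
    # Only the matched scope is checked; a parent scope's claims do not apply.
    return claim in scopes[scope].get(issuer, set())


def build_scopes(grant_fix: bool) -> ScopeTable:
    """Namespace-wide scope for Alice and Bob, plus a narrower scope for Ivan.

    With grant_fix=False this reproduces the gotcha: Alice and Bob lose access
    under the new scope. With grant_fix=True the fix from the post is applied
    by re-granting their claims inside the new scope.
    """
    scopes: ScopeTable = {NAMESPACE: {"alice": {"Listen"}, "bob": {"Send"}}}
    child = NAMESPACE + "ivan/"          # new scope created only for Ivan
    scopes[child] = {"ivan": {"Send"}}
    if grant_fix:
        scopes[child]["alice"] = {"Listen"}
        scopes[child]["bob"] = {"Send"}
    return scopes
```

Running `is_authorized(build_scopes(False), "alice", NAMESPACE + "ivan/x", "Listen")` returns False even though Alice has Listen on the whole namespace; the same call against `build_scopes(True)` returns True.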

