How to develop user-authenticated REST service with Azure ACS
I'm developing a REST service that uses MS Azure Access Control Service for authentication. If the examples are any indication, the typical way to secure a REST service this way would be to provide a global username and pw, private key, or X.509 cert for the protected service. However, I want to use the passive user login mechanism on a mobile device with a flow more like the following:

  1. Unauthenticated user attempts to access protected service from app
  2. Mobile app redirects to browser app (or embedded browser)
  3. User selects identity provider to use for login (facebook, google, etc.) from ACS login page
  4. User enters credentials for identity provider
  5. Browser redirects back to app
  6. App somehow gets the SWT token to use with subsequent REST requests.

I'm stuck at about step 5, getting the SWT token, and the existing examples I've found don't seem to address this scenario. In addition, I'm actually trying to build a proof of concept with a desktop client in WPF, which may complicate things. Can anyone suggest a specific tutorial or a path to pursue that uses the per-user authentication vs. per-service? Thanks.

EDIT: As I'm digging into this deeper, I've realized that the examples posted below (and most others) are based on OAuth WRAP, which has been deprecated in favor of OAuth 2.0. Can anyone suggest a more up to date reference? Googling has turned up http://blogs.msdn.com/b/adventurousidentity/archive/2011/09/18/acs-v2-oauth-2-0-delegation-support-explained.aspx and http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=32719 but they're not the most intuitive.

Vandyke answered 3/10, 2011 at 20:55 Comment(1)
I updated my answer. Basically switching from OAuth WRAP to OAuth2 is not that hard. – Quickman

You should look into the ACS Windows Phone sample:

http://msdn.microsoft.com/en-us/library/gg983271.aspx

Here instead of using Silverlight you will be using WPF. Most of the code should be reusable. Note that since you are using WPF you will need to register your own object for scripting, e.g.:

using System.Runtime.InteropServices;

// The object must be COM-visible so that script running in the WebBrowser
// control can reach it through window.external.
[ComVisible(true)]
public class NotifyHandler
{
    // Called from the page as window.external.Notify(token).
    public void Notify(string notifyString)
    {
        // Here I have the token.
    }
}

// Register the handler on the WPF WebBrowser control.
this.webBrowser1.ObjectForScripting = new NotifyHandler();

Update:

The sample above uses OAuth WRAP to contact the secured service. If you would like to use OAuth2 you should change the way the "Authorization" header is set:

OAuth WRAP case:

 using System.Net;

 WebClient client = new WebClient();
 // OAuth WRAP: the raw token follows the "OAuth " scheme.
 client.Headers["Authorization"] = "OAuth " + _rstrStore.SecurityToken;

OAuth2 case:

 using System.Net;

 WebClient client = new WebClient();
 // OAuth2: the token is passed as a quoted access_token parameter.
 client.Headers["Authorization"] = string.Format("OAuth2 access_token=\"{0}\"", token);

You can use the "Simple Service" sample as a guide to implement your token validation in your REST service:

http://msdn.microsoft.com/en-us/library/gg185911.aspx

Yet if you would like to implement a more complete sample you can look at how CustomerInformationService is protected in the CTP version 1.4:

https://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=35417

Quickman answered 4/10, 2011 at 0:11 Comment(4)
Thanks. I've been looking at that one. I just didn't understand what was happening until I found the author's blog post on it just now in this similar question: #4970255. I also had complicated things by using NetFX SWT support for WIF on the server side, which was eating my tokens before they could be received on the client side. – Vandyke
I'm more confused than ever now. Is the CustomerInformationService sample not up to date with the latest OAuth spec (tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4.2)? The auth code request parameters don't seem to match up. I can't find any consistency in the examples. Are any of you actually using OAuth 2 with ACS? – Vandyke
Where are you getting "OAuth2 access_token" from? In the OAuth 2 examples you reference, they're using: client.Headers["Authorization"] = "OAuth " + _rstrStore.SecurityToken AFAIK. Am I missing something here? – Vandyke
To clarify on the examples. The OAuth2 spec has been moving forward. So while in the samples OAuth2 clients and servers are consistent, they do not fully follow the latest OAuth2 spec. The token is coming from the browser. You should look at AccessControlServiceSignIn.xaml.cs, SignInWebBrowserControl_ScriptNotify. – Quickman

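The answer above leaves the server side to the "Simple Service" sample. Whatever the client puts in the Authorization header, the REST service must check the SWT's signature, issuer, audience and expiry before trusting any claim in it. The following is an added illustration in Python (not the page's C#, and not code from the ACS samples): it parses the OAuth2 header form shown in the answer, then validates the SWT the way an ACS relying party would. The signing key, issuer namespace and audience URI are constructed sample values, and issue_swt is a hypothetical stand-in for ACS so the example runs offline.

```python
import base64, hashlib, hmac, time
from typing import Optional
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed sample values (not from the page): the 256-bit symmetric key ACS shares
# with the relying party, the ACS namespace as issuer, and the REST service as audience.
SIGNING_KEY = b"0123456789abcdef0123456789abcdef"
ISSUER = "https://contoso.accesscontrol.windows.net/"
AUDIENCE = "https://example.invalid/api/"

def _sign(body: str, key: bytes) -> str:
    """Base64 HMAC-SHA256 over the form-encoded claims, as SWT specifies."""
    return base64.b64encode(hmac.new(key, body.encode(), hashlib.sha256).digest()).decode()

def issue_swt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Hypothetical stand-in for ACS: form-encode the claims and append HMACSHA256 last."""
    body = urlencode(claims)
    return body + "&HMACSHA256=" + quote(_sign(body, key), safe="")

def validate_swt(token: str, key: bytes = SIGNING_KEY, issuer: str = ISSUER,
                 audience: str = AUDIENCE, now: Optional[float] = None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    marker = "&HMACSHA256="
    cut = token.rfind(marker)
    if cut < 0:
        raise ValueError("token has no HMACSHA256 parameter")
    body, presented = token[:cut], unquote(token[cut + len(marker):])
    # Verify the signature first, in constant time, over everything before the marker.
    if not hmac.compare_digest(presented, _sign(body, key)):
        raise ValueError("signature mismatch")
    claims = dict(parse_qsl(body, keep_blank_values=True))
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != audience:
        raise ValueError("token was not issued for this service")
    if (time.time() if now is None else now) >= int(claims.get("ExpiresOn", "0")):
        raise ValueError("token expired")
    return claims

def token_from_header(authorization: str) -> Optional[str]:
    """Extract the SWT from the header form used in the answer: OAuth2 access_token="<swt>"."""
    prefix, suffix = 'OAuth2 access_token="', '"'
    if not (authorization.startswith(prefix) and authorization.endswith(suffix)):
        return None
    return authorization[len(prefix):-len(suffix)]
```

A token whose claims were edited after issue, one presented to a different service, or one past ExpiresOn is rejected before any claim is read.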
Take a look at this one:

WPF Application With Live ID, Facebook, Google, Yahoo!, Open ID http://social.technet.microsoft.com/wiki/contents/articles/4656.aspx

Dovev answered 4/10, 2011 at 5:42 Comment(3)
Thanks Alik. That does seem to answer the question for the WPF demo case. I'm marking Atacan's response as the answer only because it represents my final goal better (mobile as well as WPF). – Vandyke
Alik can you elaborate a little on how the Notify method is supposed to get called from the browser? I'm not seeing this happen. I assume I need to add some script to the response? – Vandyke
This is how you do it in WPF app: (blogs.msdn.com/b/alikl/archive/2011/09/09/…) (blogs.msdn.com/b/alikl/archive/2011/09/12/…) – Dovev