Share via


Protecting and consuming REST based resources with ACS, WIF, and the OAuth 2.0 protocol

 

ACS (Azure Access Control Service) recently added support for the OAuth 2.0 protocol. If you haven’t heard of it, OAuth is an open protocol that is being developed by members of the identity community to solve the problem of allowing 3rd party applications to access their data without providing their passwords. In order to show how this can be done with WIF and ACS, we have posted a sample on Microsoft Connect that shows an end-to-end scenario.

The scenario in the sample is meant to be as simple as possible to show the power of the OAuth protocol to enable web sites to access resource on behalf of a user without the user providing his or her credentials to that site. In our scenario, Contoso has a web service that exposes customer information that needs to be protected. Fabrikam has a web site and wants users to be able to view their Contoso data directly on it. The user doesn’t have to log in to the Fabrikam site, but gets redirected to a Contoso specific site in order to login and give consent to access data on their behalf.

The Contoso web service requires OAuth access tokens from ACS to be attached to incoming requests. The necessary protocol flow for the Fabrikam web site (in OAuth terms – the web server client), including redirecting the user to login and give consent, requesting access tokens from ACS, and attaching the token to outgoing requests to the service is taken care of under the covers. The sample contains a walkthrough that describes the components in more detail.

Try it out here, and tell us what you think!

Comments

  • Anonymous
    November 29, 2010
    All we have today in WIF is based on SOAP, all right?! As REST is different kind of service, that eliminates the overhead of the SOAP, this API that you show here is to protect REST services using WIF, but with OAuth protocol?!
  • Anonymous
    February 28, 2011
    This seems to be a great sample. I tried it, but nothing is happening when I click on "Populate all data" button.Any suggestions?
  • Anonymous
    March 02, 2011
    Sam,Try using fiddler or other http monitor to see the errors returned attached as query strings. Or run in debug mode to track down teh exception you are getting. You probably configured something wrong. The error message should tell you what's wrong and give you some hints what's off.alikl
  • Anonymous
    March 08, 2011
    The comment has been removed
  • Anonymous
    March 10, 2011
    I have got the authorization code using the following method"AuthorizationServerHelper.GetAuthorizationCode(message.Parameters[OAuthConstants.ClientId], SamplesConfiguration.RelyingPartyApplicationName, username, SamplesConfiguration.IdentityProvider);"Now i need the access token and refresh token to send the further requests. Is there any method which will return the access token and refresh token on the basis of the authorization code.
  • Anonymous
    March 13, 2011
    Jack, AuthorizationServerHelper.GetCodeResponseUri()  can be of some help to you.
  • Anonymous
    March 13, 2011
    ON Consent.aspx.cs, in Submit_Click() , Response.Redirect(redirectUri) is giving me BAD Request 400 error.Any idea what might be causing this.
  • Anonymous
    March 18, 2011
    The sample on Connect has now been updated for the latest labs version of ACS 2.0.Sam, feel free to provide feedback and ask questions on the Connect site (connect.microsoft.com/.../Feedback). Include details to reproduce the issue, including whether you have changed the token expiry time.
  • Anonymous
    March 25, 2011
    Did Sam every figure out his 3-09-2011 1:13 AM issue?  I have encountered precisely that same issue in the Feb 2011 Azure Labs (ACSLabsV2Federation, Step 5).  I note that both the lab and the OAuth sample share a type named ManagementService which creates a wrapper onto the ACS.Management.ManagementService.  Both Sam and I were thus calling the ACS ManagementService REST interface, I think.I must be doing the same thing wrong as Sam.Any and all helps and tips greatly appreciated.
  • Anonymous
    August 07, 2012
    Sam, did you ever found a solution for the Bad Request at the consent -> submit action?I'm getting the same error...
  • Anonymous
    February 05, 2013
    Where did the service go on portal.appfabriclabs.com. The certificate has expired and the Service Bus, Access Control & Caching” link is disabled.