ACS OAuth sample by vu1garis

Type: Bug
ID: 672204
Opened: 6/1/2011 8:15:49 AM
Access Restriction: Public
I am trying to implement passive federation with ACS and OAuth and this sample comes tantalisingly close to demonstrating how to do this. What I would like to accomplish is as follows...

1. Client tries to access protected resource
2. Client is routed to ACS to choose a passive identity provider (IP)
3. Client picks proprietary IP-STS or Google etc.
4. Client authenticates with IP
5. IP redirects to ACS where claims are transformed.
6. ACS relying party (configured for SWT) returns an OAuth access token to the client and re-directs to the protected resource.

Saving the token to the session state is ideal for transferring the token to Silverlight via a WCF proxy. I have adapted the existing sample to do exactly this. However what I can't quite figure out is how to inject ACS as the ultimate OAuth authorization token provider between the client and the protected resource? Specifically can Microsoft.IdentityModel.Protocols.OAuth.Client.OAuthClientSettings be configured to allow this?

Describe the problem that you're having.

Configuring Microsoft.IdentityModel.Protocols.OAuth.Client.OAuthClientSettings to accomplish the above.

What type of impact does this issue have?

Configuration
Posted by Pedro Conde on 8/8/2012 at 3:11 AM
vu1garis, can you please post a sample of how you implemented the custom RequestValidator?
Thanks in advance
Posted by vu1garis on 6/2/2011 at 3:57 AM
I was able to implement the outlined scenario by replacing the AuthorizationServer in the sample with another website which I federated with ACS via metadata. After updating SamplesConfiguration.EndUserLoginUrl to point at this site I was able to use the IPs configured for the relying party to authorize access to my protected resource. However the only way to get the OAuth token following successful authentication was to add a custom RequestValidator to WebClient. This class effectively replaces the code in OAuthClientSettings_AccessTokenReceived in WebClient Global.asax. Thus I am bypassing OAuthClientSettings.RequestingAccessToken, OAuthClientSettings.AccessTokenReceived and OAuthClientSettings.EndUserAuthorizationFailed and in so doing have lost the OAuth refresh token.
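The token that step 6 of the report's flow hands to the client, and that vu1garis describes extracting in a custom RequestValidator, is an ACS-issued Simple Web Token (SWT). As an added example that is not part of this thread or the Microsoft sample, the Python below shows what the protected resource must check before trusting such a token: the HMAC-SHA256 over the text preceding the HMACSHA256 parameter, then Issuer, Audience and ExpiresOn. The signing key, namespace and relying-party realm are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed 256-bit key, base64 as ACS displays a relying-party token signing key.
# Placeholder for the example, not a real ACS namespace key.
TOKEN_SIGNING_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
ISSUER = "https://example-namespace.accesscontrol.windows.net/"  # placeholder namespace
AUDIENCE = "http://localhost/ProtectedResource/"                 # placeholder relying-party realm


def _hmac_b64(unsigned_token: str, key_b64: str) -> str:
    """HMAC-SHA256 over the token text preceding '&HMACSHA256=', base64 as SWT requires."""
    digest = hmac.new(base64.b64decode(key_b64), unsigned_token.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_swt(claims: dict, key_b64: str) -> str:
    """Build an SWT: URL-encoded name=value pairs, then the HMACSHA256 parameter last."""
    unsigned = urlencode(claims)
    return unsigned + "&HMACSHA256=" + quote(_hmac_b64(unsigned, key_b64), safe="")


def validate_swt(token: str, key_b64: str, issuer: str, audience: str, now=None) -> dict:
    """Check signature, Issuer, Audience and ExpiresOn; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    marker = "&HMACSHA256="
    cut = token.rfind(marker)  # the signature is always the final parameter
    if cut < 0:
        raise ValueError("missing HMACSHA256 parameter")
    unsigned, presented = token[:cut], unquote(token[cut + len(marker):])
    # Verify before parsing anything: a tampered or unsigned token never reaches the claims.
    if not hmac.compare_digest(presented, _hmac_b64(unsigned, key_b64)):
        raise ValueError("bad signature")
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != audience:
        raise ValueError("token not issued for this resource")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return claims


def demo(now: int = 1_306_915_000) -> dict:
    """Issue a token for a constructed identity and validate it; 'now' is fixed for repeatability."""
    token = build_swt({"Issuer": ISSUER, "Audience": AUDIENCE, "ExpiresOn": str(now + 600),
                       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "alice"},
                      TOKEN_SIGNING_KEY_B64)
    return validate_swt(token, TOKEN_SIGNING_KEY_B64, ISSUER, AUDIENCE, now=now)
```

Keeping the signature check ahead of claim parsing is what makes the session-stored token safe to forward to the Silverlight client through the WCF proxy: the resource only ever acts on claims that ACS actually signed for it.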