OAuth 2.0 delegation is included within the Azure AppFabric Access Control Service:
But how do you actually set up an OAuth 2.0 identity provider?
In the management interface, when you add an Identity Provider and select WS-Federation identity provider, you need to provide a WS-Federation metadata document.
However, when you read the documentation of OAuth 2.0 providers (i.e. http://msdn.microsoft.com/en-us/library/hh243647.aspx) there is no mention of a metadata document (Yes, I know Windows Live is included as a preconfigured identity provider). Is this something I have to write?
Update
OK, so I've found that you can add additional identity providers using the API; see these PowerShell commands as an example:
However, when trying to add an OAuth provider, I just get an error:
    Add-IdentityProvider -Type "Manual" -Name "foo" -SignInAddress "http://term.ie/oauth/example/access_token.php" -Protocol OAuth -Namespace "abc" -ManagementKey "xxxxxx"
    Add-IdentityProvider : An error occurred while processing this request.
    At line:1 char:21
    + Add-IdentityProvider <<<< -Type "Manual" -Name "foo" -SignInAddress "http://term.ie/oauth/example/access_token.php" -Protocol OAuth -Namespace "abc" -ManagementKey "xxxxxx"
    + CategoryInfo : CloseError: (:) [Add-IdentityProvider], ServiceManagementException
    + FullyQualifiedErrorId : Microsoft.Samples.DPE.ACS.ServiceManagementTools.PowerShell.IdentityProviders.AddIdentityProviderCommand
Another Update
The ACS Management API provides a mechanism for adding new Identity Providers (if you set OpenId as your WebSSOProtocolType); however, I can't see how you pass in the key/secret that the OAuth test server (http://term.ie/oauth/example/) I'm using requires.
In an email conversation I had with Dominick Baier (www.leastprivilege.com) he said:
ACS actually supports OpenId IdPs – not OAuth. OAuth is used for token requests (delegation tokens typically).
To add new OpenId IdPs, you need to use the management API – Vittorio has a blog post with a sample somewhere. But not all OpenId providers are supported.
If I understood Dominick's email properly, you cannot use OAuth in this capacity; you have to use OpenId.
Unfortunately, the guy who wrote the first blog article you mentioned really doesn't know anything about OpenID/OpenAuth -- he's a WS-Fed guy. I say that because I wrote it... :)