OAuth 2.0 Identity Providers in Windows Azure AppFabric Access Control Service (ACS)

Question

OAuth 2.0 delegation is included within the Azure AppFabric Access Control Service:

http://blogs.objectsharp.com/cs/blogs/steve/archive/2011/04/11/windows-azure-access-control-services-v2-rtw.aspx

But how do you actually set up an OAuth 2.0 identity provider?

In the management interface when you add an Identity Provider and select WS-Federation identity provider, you need to provide a WS-Federation metadata document.

However, when you read the documentation of OAuth 2.0 providers (i.e. http://msdn.microsoft.com/en-us/library/hh243647.aspx) there is no mention of a metadata document (Yes, I know Windows Live is included as a preconfigured identity provider). Is this something I have to write?

---

Update

Ok, so I've found that you can add additional identity providers using the API, see these PowerShell commands as an example:

http://blogs.msdn.com/b/vbertocci/archive/2011/05/19/adding-a-custom-openid-provider-to-acs-with-just-one-line-of-powershell-code.aspx

However when trying to add an OAuth provider, I just get an error:

Add-IdentityProvider -Type "Manual" -Name "foo" -SignInAddress "http://term.ie/oauth/example/access_token.php" -Protocol OAuth -Namespace "abc" -ManagementKey "xxxxxx"

Add-IdentityProvider : An error occurred while processing this request.
At line:1 char:21
+ Add-IdentityProvider <<<<  -Type "Manual" -Name "foo" -SignInAddress "http://term.ie/oauth/example/access_token.php" -Protocol OAuth -Namespace "abc" -ManagementKey "xxxxxx"
+ CategoryInfo          : CloseError: (:) [Add-IdentityProvider], ServiceManagementException
+ FullyQualifiedErrorId : Microsoft.Samples.DPE.ACS.ServiceManagementTools.PowerShell.IdentityProviders.AddIdentityProviderCommand

---

Another Update

The ACS Management API provides a mechanism for adding new Identity Providers (if you set OpenId as your WebSSOProtocolType), however, I can't see how you pass in the key/secret that the OAuth test server ( http://term.ie/oauth/example/ ) I'm using requires.

http://msdn.microsoft.com/en-us/library/hh278947.aspx

Answer 1

In an email conversation I had with Dominick Baier (www.leastprivilege.com) he said:

ACS actually supports OpenId IdPs – not OAuth. OAuth is used for token requests (delegation tokens typically).

To add new OpenIds IdP you need to use the management API – Vittorio has a blog post with a sample somewhere. But not all OpenId providers are supported.

If I understood Dominick's email properly, you cannot use OAuth in this capacity, you have to use OpenId. Unfortunately the guy who wrote the first blog article you mentioned really doesn't know anything about OpenID/OpenAuth -- he's a WS-Fed guy. I say that because I wrote it... :)

Answer 2

OAuth 2 delegation scenario, section 4.1 in draft 13, does not mandate a type of identity provider or any identity provider at all. You just need to do some form of authentication in your web site and redirect to your client's URL with an authentication code.

I recommend taking a look at the Auth 2 delegation sample at:

https://connect.microsoft.com/site1168/Downloads

You will notice that in this sample the authentication of the user is implemented with a place holder code (hard coded username/password). In real world scenario you can use any authentication pattern including Federation with ACS, which would make sense since you are already using ACS for implementing your delegation.