Using Azure ACS (Access Control Service) with ASP.NET Web API

4
votes

I'm using the new ASP.NET Web API in a project right now which will require user authentication and authorization to perform some actions: For example, updating a profile page.

On a previous version of this same project using ASP.NET MVC 3 without the API requirement, I had a lot of success using Azure ACS and role-based access control (based on this tutorial).

I would like to be able to use ACS again with the web API, but I don't understand how ACS works well enough to know if this is supported. Is it possible / are there any challenges that I'm likely to encounter trying to do this?

2
c#asp.net-mvcazureacs

2 Answers

4
votes

but I don't understand how ACS works well enough to know if this is supported.

It is supported. ASP.NET Web API allows us to build REST services. ACS supports any kinds of REST services. The usual claim validation process described on this article will work. We just need to change WCF to Web API.

Best Regards,

Ming Xu.

0
votes

From my experience, the link you pointed out will probably not help, as it is used for clients (WPF/Windows Phone/etc.). Using ACS on the service side, we will deal with claims, we can configure ACS to return any claims we like. A claim can be a username, but it can also be a role. For example, we can create a rule to map a particular user to a role, than ACS will return the role claim to us.

But if we want to integrate with ASP.NET roles, we need to parse the claim (even if it is a role claim), and assign the claim to Thread.CurrentPrincipal. If we configure ACS to return a SAML token, WIF does this for us. If ACS returns a SWT token, we need to do that ourself, or use a library someone else writes for us. One of those libraries is DPE.OAuth, which is written by DPE team. You can get it from http://msdn.microsoft.com/en-us/IdentityTrainingCourse_ACSAndWindowsPhone7. While that tutorial tells us how to work with ACS in Windows Phone, the service side OAuth library can be reused.

Best Regards,

Ming Xu.