Trouble using ACS with "passive-active" scenario to hit ASP.NET MVC WebAPI-based REST service

0
votes

I'm new to ACS, WIF, and federated identity stuff in general, but I've been working through examples in the WIF SDK training kit (and the ACS samples, as well), but I'm having an issue talking to an ASP.NET MVC WebAPI-based REST service (hosted on Azure) where I set up ACS as the FP. If I use my browser to test out my REST service (http://jordan-helloacs.cloudapp.net), I get the traditional "passive authentication" experience and can log in via Live ID or Google (which I set up as the two IP's in ACS).

However, I'm trying to achieve a "passive-active" experience with a simple WPF application that retrieves the available IP's by using the

"https://[myACSnamespace].accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=javascriptnotify&realm=http://jordan-helloacs.cloudapp.net/&version=1.0",

endpoint on ACS to list the available IP's, and then hosts a WebBrowser control to handle the login to that IP, and extracts the ACS token that is returned from ACS, and then (using RestSharp) makes a GET call to my endpoint at http://jordan-helloacs.cloudapp.net. I've successfully extracted the token (I've tried both SWT and SAML2), but I cannot figure out what I need to do with the token once I've got it from the WebBrowser control. I've seen several different examples where the token is prepended with either "OAUTH" or "WRAP access_token=" and just passed in the "Authorization" header, but nothing I'm doing seems to be working. My RestSharp client just keeps getting 302'd to the ACS sign in page.

Any tips on what I might be doing wrong? How do I know how to specify the auth header format?

1
azurewifacs

1 Answers

0
votes

I am writing more info about how to pass SWT Token either in HTTP header or via query string or in form as below:

If you are passing Tokens in HTTP header are expected to use the “Authorization” header, with this header’s value containing the text: WRAP access_token="tokenstring" and does not need to be URL Encoded. 

string headerValue = string.Format("WRAP access_token=\"{0}\"", HttpUtility.UrlDecode(token)); 
var client = new WebClient();            
client.Headers.Add("Authorization", headerValue);

If you are passing Tokens in either "Query String" or in "Form" Contents then you should be using name/value pair of as wrap_access_token=tokenstring and must be URL Encoded to construct the HTTP Request:

var values = new NameValueCollection();
values.Add("wrap_access_token", token);
var client = new WebClient();
client.UploadValues("BartenderWebservice", "POST", values));

You can use either of above methods and then you can pass the stream to your client as below and once you send it, please use Fiddler or other utility to verify the header for it correctness. 

Stream stream = client.OpenRead(@"http://yourwcfservice.cloudapp.net/RESTfulWCFServiceEndPoint.svc/_users_");
StreamReader reader = new StreamReader(stream);
String response = reader.ReadToEnd();

As you mentioned that you receive 302 error (Forward to ACS URL) while connecting to your RestFulWCF endpoint. You can actually RDP to your Azure VM and look at application event log for more details about this error only if you have IIS Logging enbaled. I have see this error logged in event log and provide more info about why it happened. Could be some setting in your web.config is causing this problem.

Added Later

In the ASPNet MVC scenario at the end of getting a token, a cookie is created and then cookie is what is passed to ASP Net app indicating authentication. At the top level you would need simulate something similar to get it work.

Note: By no mean it is the exact answer however I had to use this space "as answer" to write formatted comment to express better.