0
votes

I followed the official tutorial (http://msdn.microsoft.com/en-us/library/hh674475) for requesting an ACS token in exchange for an Identity Provider (Facebook) token via an SWT token request.

I have tried every possible thing and I'm unable to get rid of this error:

ErrorCode:400:SubCode:T1019:Detail: Invalid SWT token. The wrap_assertion value is not a SWT assertion

Note:

  1. I have already verified Issuer = [Realm under the Edit Identity Provider page]
  2. The signing key is the same symmetric key as shown under Token signing key
  3. I am also wrapping the Facebook access token as a claim in my SWT token to the ACS endpoint in order to get an ACS token in return.

Correct me if I am doing something wrong. Yeah, I googled a lot about this but found nothing that resolves it!

P.S.: I have also tried the Password token request with my Service Identity and it just works fine.

2
Would you provide what exactly you've tried, i.e. concrete code and a concrete request and response (full dump omitting sensitive data) for both how you obtained the FB token and how you use it to request the ACS token? Also the exact ACS configuration (IdP + RP + Rule Group). – astaykov
I have copied my access token from the Facebook Graph API Explorer and appended it to the POST request to "WRAPv0.9" along with Issuer and HMACSHA256. Also, my ACS is configured to convert the accessToken claim as it is, and the IdP is already set to Facebook under the Relying Party (localhost). The code is exactly the same as in the official tutorial; I just added builder.Append(HttpUtility.UrlEncode("facebook.com/claims/AccessToken=")); builder.Append(HttpUtility.UrlEncode(accessToken)); – gitesh.tyagi
This scenario doesn't make much sense to me. Normally, ACS's Facebook support involves user login, but it's unclear to me how it applies to this ServiceIdentity case. What do you want ACS to do with the access token? – Oren Melzer
@OrenMelzer Yes, you are right. The Service Identity case is not related to my questioned scenario; I mentioned it to make clear that ACS is configured and that one method of requesting a token from the ACS endpoint is working. So that narrows the issue down to generating the SWT token at the client end. – gitesh.tyagi

2 Answers

0
votes

Your problem seems to be that you're dealing with Facebook directly and then giving ACS the access token. That's not the ACS model for Facebook. The basic model is that ACS deals with Facebook first, not your app. The way this works is:

  1. The end user requests an access token from Facebook. This happens either directly through ACS (for example, by making a WS-Federation sign-in request) or to a URL specified by ACS (through IdentityProviders.js).
  2. The user logs in at Facebook.
  3. The auth code is sent to ACS.
  4. ACS exchanges the auth code for an access token and retrieves some user data. This is run through rules, packaged into a token, and sent to your RP. One of the claims in this token is the access token, which your RP can then use to make further Facebook calls.

ACS doesn't support a model where you get the access token yourself, which seems to be what you're trying to do.

1
votes

Two things will fail here.

First is that I doubt Facebook gives you a valid SWT token. They give you just a signed string which they call a "token". And this thing is not a valid SWT token that can be used as an SWT token in other STSes (such as ACS). (I might be wrong here, as I am not an expert in FB, but given these errors, it is very likely that I am correct.) So, if the token from FB is not a valid SWT token, your story ends here.

The next thing is that you are generating the SWT token on your end, meaning that you are now signing the token. But you say you need to transform a token from Facebook. Well, there is no way for you to sign a token with Facebook's signing key! You are signing the token with your ACS's key, which makes it invalid, because you present it as Facebook's token.

In short, you cannot use the Facebook Graph API token in the way you are trying to. Please describe the wider problem you are trying to solve, so we can provide adequate help.
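To make the two answers concrete, here is an added Python example (not code from the question, the answers, the MSDN tutorial, or ACS itself) that builds and validates a Simple Web Token the way the WRAPv0.9 SWT exchange expects it: form-encoded Issuer/Audience/ExpiresOn plus claims, followed by HMACSHA256=<base64 HMAC-SHA256> over everything before that field, keyed with the base64-decoded symmetric key. Its demo function runs the cases this thread argues about: a token signed with the key the STS trusts validates; the same token signed with any other key (the "Facebook's key vs. your key" point in the second answer) is rejected; a tampered or expired token is rejected; and a bare Graph API style access token is rejected up front because it carries no SWT signature at all, which is the shape of the "wrap_assertion value is not a SWT assertion" complaint. The issuer realm, ACS namespace, keys, clock and the access-token string are all constructed placeholders; the claim type `facebook.com/claims/AccessToken` is taken from the question's comment.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

SIG_FIELD = "HMACSHA256"
RESERVED = ("Issuer", "Audience", "ExpiresOn")

# Constructed demo values (not from the post).  A real signing key is 32 random
# bytes, e.g. os.urandom(32), shown base64-encoded in the ACS portal; fixed
# bytes are used here only to keep the example deterministic.
TRUSTED_KEY_B64 = base64.b64encode(b"\x01" * 32).decode("ascii")  # key the STS trusts
OTHER_KEY_B64 = base64.b64encode(b"\x02" * 32).decode("ascii")    # key the STS does not know
DEMO_ISSUER = "https://idp.example.com/"                   # hypothetical issuer realm
DEMO_SCOPE = "https://example.accesscontrol.windows.net/"  # hypothetical ACS realm
DEMO_FB_TOKEN = "CAACEdEose0cBA..."                        # constructed stand-in, not a real token
DEMO_NOW = 1_700_000_000                                   # fixed clock for the demo


def build_swt(issuer, audience, claims, signing_key_b64, lifetime_s=600, now=None):
    """Build an SWT: form-encoded pairs, then HMACSHA256=<base64 HMAC> computed
    over everything before "&HMACSHA256=", keyed with the base64-decoded key."""
    now = int(time.time()) if now is None else now
    pairs = [("Issuer", issuer), ("Audience", audience), ("ExpiresOn", str(now + lifetime_s))]
    pairs.extend(claims.items())
    unsigned = urlencode(pairs)
    key = base64.b64decode(signing_key_b64)
    mac = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    return unsigned + "&" + urlencode({SIG_FIELD: base64.b64encode(mac).decode("ascii")})


def validate_swt(token, expected_issuer, expected_audience, signing_key_b64, now=None):
    """Validate an SWT as an STS would.  Returns (ok, reason, claims).

    The signature is verified (constant-time) before any field is trusted;
    only then are Issuer, Audience and ExpiresOn checked.
    """
    now = int(time.time()) if now is None else now
    marker = "&" + SIG_FIELD + "="
    idx = token.rfind(marker)
    if idx < 0:
        return False, "not an SWT assertion: no HMACSHA256 signature", {}
    unsigned, sig_enc = token[:idx], token[idx + len(marker):]
    try:
        presented = base64.b64decode(parse_qsl("s=" + sig_enc)[0][1], validate=True)
    except Exception:
        return False, "malformed signature", {}
    key = base64.b64decode(signing_key_b64)
    expected = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return False, "signature does not verify under the trusted key", {}
    fields = dict(parse_qsl(unsigned, keep_blank_values=True))
    if fields.get("Issuer") != expected_issuer:
        return False, "unexpected Issuer", {}
    if fields.get("Audience") != expected_audience:
        return False, "unexpected Audience", {}
    try:
        expires = int(fields.get("ExpiresOn", ""))
    except ValueError:
        return False, "missing or non-numeric ExpiresOn", {}
    if expires <= now:
        return False, "token expired", {}
    claims = {k: v for k, v in fields.items() if k not in RESERVED}
    return True, "ok", claims


def wrap_request_body(swt, scope):
    """Form body of a WRAPv0.9 SWT assertion request (POSTed to the ACS
    /WRAPv0.9/ endpoint as application/x-www-form-urlencoded)."""
    return urlencode([("wrap_assertion_format", "SWT"), ("wrap_assertion", swt), ("wrap_scope", scope)])


def demo():
    """Run the cases the thread argues about and return each verdict."""
    claims = {"facebook.com/claims/AccessToken": DEMO_FB_TOKEN}
    args = (DEMO_ISSUER, DEMO_SCOPE, TRUSTED_KEY_B64)
    good = build_swt(DEMO_ISSUER, DEMO_SCOPE, claims, TRUSTED_KEY_B64, now=DEMO_NOW)
    wrong_key = build_swt(DEMO_ISSUER, DEMO_SCOPE, claims, OTHER_KEY_B64, now=DEMO_NOW)
    return {
        "good": validate_swt(good, *args, now=DEMO_NOW),
        "wrong_key": validate_swt(wrong_key, *args, now=DEMO_NOW),  # signed with a key the STS does not trust
        "tampered": validate_swt(good.replace(DEMO_FB_TOKEN, "TAMPERED"), *args, now=DEMO_NOW),
        "expired": validate_swt(good, *args, now=DEMO_NOW + 3600),
        "bare_fb_token": validate_swt(DEMO_FB_TOKEN, *args, now=DEMO_NOW),  # opaque token, not an SWT
        "wrap_body": wrap_request_body(good, DEMO_SCOPE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result if name == "wrap_body" else result[:2])
```

Running the file prints the verdict for each case. The validator deliberately checks the HMAC before looking at Issuer, Audience or ExpiresOn, and uses `hmac.compare_digest` so a forged signature cannot be distinguished byte by byte; the wrong-key case is exactly why a client-signed token cannot stand in for one issued by Facebook: the STS only knows the key it was configured with, and a signature made with any other key fails before the claims are even read.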