1
votes

I am building a social website that will expose a REST API (WCF WebAPI) to the world so any developer would be able to create a client application for the website, integrate it with other services, etc.

I would like to implement a Facebook/Twitter-style access control mechanism for the API, so that developers will register their apps in the developer section of the site, create a key and use that app key in an OAuth workflow to get access to the API.

Since I use Azure in this project, I consider leveraging Azure ACS to facilitate OAuth processes. However, I am unable to find any code sample or manual for app authorization with ACS.

Can someone share such an example or at least give me a direction for my own research? If I can achieve Facebook/Twitter behavior with another OAuth library (e.g. DotNetOpenAuth), that would be cool, too.

Thank you in advance.


1 Answer

1
votes

ACS is a good choice for this sort of thing. Your scenario is pretty much OAuth Delegation, which ACS supports.

You should look into the ACS with OAuth 2 Delegation sample at:

https://connect.microsoft.com/site1168/Downloads (It is called Wif Oauth CTP version)

Note that in this sample custom authentication is used for authenticating the user. Since ACS provides Single Sign On with IdPs, you can instead use ACS here (e.g. with Facebook).

If you go this path, you can find more information on how to use a custom home realm discovery page in the following sample:

http://msdn.microsoft.com/en-us/library/hh127794.aspx

Finally, you will need to have a web page where your client apps will manage their settings. For this you will be required to use the ACS management service. You can find detailed information on using the ACS management service in:

http://msdn.microsoft.com/en-us/library/gg185970.aspx