Windows Phone 7 and RESTful Services: Delegated Access Using Azure AppFabric Access Control Service (ACS) And OAuth

This post is a summary of steps I have taken in order to run the Windows Phone 7 Sample that Caleb Baker recently published on ACS Codeplex site. The sample demonstrates how to use Azure AppFabric Access Control Service to allow end users sign in to RESTful service with their Windows Live ID, Yahoo!, Facebook, Google, or corporate accounts managed in Active Directory.

This sample answers the following question:

How can I externalize authentication when accessing RESTful services from Windows Phone 7 applications?

Scenario:

Solution:

 

Summary of steps:

• Step 1 – Prepare development environment
• Step 2 – Create and configure ACS project, namespace, and Relying Party
• Step 3 – Create Windows Phone 7 Silverlight application (the sample code)
• Step 4 – Enhance Windows Phone 7 Silverlight application with OAuth capability
• Step 5 – Test your work

Step 1 – Prepare development environment

There are several prerequisites needed to be installed on the development environment. Here is the list:

• Visual Studio 2010 installed.
• IIS7 is installed and running.
• Download and extract the Windows Phone 7 Sample code.
• Download and install Windows Phone Developer Tools RTW.
• Download and extract DPE.OAuth project from the FabrikamShipping Demo, available as part of the Source Code.

Step 2 – Create and configure ACS project, namespace, and Relying Party

1. Login to https://portal.appfabriclabs.com/
2. If you have not created your project and a namespace, do so now.
3. On the Project page click on “Access Control” link next to your namespace in the bottom right corner.
4. On the “Access Control Settings” page click on “Manage Access Control” link at the bottom.
5. Sign in using any of the available accounts. I used Windows Live ID.
6. On the “Access Control Service” page click on “Relying Party Applications” link.
7. On the “Relying Party Applications” page click on “Add Relying Party Application”.
8. Fill the fields as follows:
   1. Name: ContosoContacts
   2. Realm: https://ContosoContacts/
   3. Return URL: https://localhost:9000/Default.aspx
   4. Token format: SWT
   5. Token lifetime (secs): leave default, 600
   6. Identity providers: leave default, I have Google and Windows Live ID
   7. Rule groups: leave default “Create New Rule Group” checked
9. Click “Generate” button for the token signing key field. Copy the key into a safe place for further reuse.
10. Click “Save” button.
11. Click on “Access Control Service” link in the breadcrumb at the top.
12. On the “Access Control Service” page click on the “Rule Groups” link.
13. On the “Rule Groups” page click on the “Default Rule Group for ContosoContacts” link.
14. On the “Edit Rule Group’ page click on “Generate Rules” link at the bottom.
15. On the “Generate Rules: Default Rule Group for ContosoContacts” page click on “Generate” button.
16. On the “Edit Rule Group” page click “Save” button.
17. Click on the “Access Control Service” link in the breadcrumb at the top.
18. On the “Access Control Service” page click on “Application Integration” at the bottom.
19. On the “Application Integration” page click on “Login Pages” link.
20. On the “Login Page Integration” page click on ContosoContacts relying party link.
21. On the “Login Page Integration: ContosoContacts” page copy the link at the bottom without the ending “&callback=”. It will be used in the application itself. Paste it to a safe place for further reuse.  Mine looks as follows:

• https://my-namespace1.accesscontrol.appfabriclabs.com:443/v2/metadata/IdentityProviders.js?protocol=wsfederation\&realm=http%3a%2f%2fcontosocontacts%2f\&reply\_to=http%3a%2f%2flocalhost%3a9000%2fDefault.aspx\&context=\&version=1.0

Step 3 – Create Windows Phone 7 Silverlight application (the sample code)

1. Make sure you completed all requirements in the Step 1 – Prepare your development environment.
2. Run Visual Studio 2010 as Administrator.
3. Open ContosoContactsApp.sln – this is the code you downloaded and extracted as part of the Windows Phone 7 Sample code.
4. Open SignIn.xaml.cs in ContosoContactsApp project.
5. Locate SignInControl.GetSecurityToken( new Uri(“...”)); and update with the URI from the previous step.
6. Open MainPage.xaml.cs in teh same project, ContosoContactsApp.
7. Locate client.DownloadStringAsync(new Uri("...”)); and update with https://localhost/contacts/Directory.
8. Add CustomerInformationService project to the solution. You will be prompted to create IIS Virtual Directory for it.

Step 4 – Enhance Windows Phone 7 Silverlight application with OAuth capability

1. Add DPE.OAuth project to the solution. The project comes as part of the Source Code for FabrikamShipping Demo.
2. Add a reference to the DPE.OAuth project from the CustomerInformationService project.
3. Open web.config of the CustomerInformationService project.
4. Locate issuerIdentifier=”https://[Service Namespace].accesscontrol.appfabriclabs.com/” entry.
5. Replace [Service Namespace] with your namespace. In my case it is my-namespace1. Look at (21) for reference in Step 2 – Create and configure ACS project, namespace, and Relying Party.
6. Locate serviceKey="[Insert Symmetric Token Signing Key]" entry and update with your Key. Look at (9) for reference in Step 2 – Create and configure ACS project, namespace, and Relying Party. If you missed that step. Navigate to the ACS portal at https://portal.appfabriclabs.com/, click on your project, click on the “Access Control” link next to your namespace, click on “Manage Access Control” link, click on “Certificates and Keys”, click on ”Default Signing Key for ContosoContacts”, copy the value in the Key filed on the “Edit Token Signing Certificate or Key” page.

Step 5 – Test your work 

1. Switch to Visual Studio.
2. Make sure ContosoContactsApp solution selected.
3. Press F5 button.
4. You should see the Sign In screen:
   
5. Click on Sign In link. You should be presented with the options for Signing In: 
   
6. I clicked on Google which resulted in presenting me with Google’s sign page: 
   
7. After I provided my credentials, Google asked me for my consent that a service is asking for information on my behalf:
   
8. Click on “Allow” button and receive desired information from the service:
   

Please provide feedback how to improve in the comments section below.

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Windows Identity Foundation (WIF) Fast Track
• Windows Identity Foundation (WIF) Code Samples
• Windows Identity Foundation (WIF) SDK Help Overhaul
• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide

Comments

• Anonymous
  November 12, 2010
  Very nice.I think authentication is a key scenario, especially oAuth for any phone/cloud/rest scenarios.