More claims from Identity Providers

  • Question

  • I noticed that the generated rules (claims) for the currently supported Identity Providers (Yahoo, Facebook, Live ID, and Google) are quite standard, such as:

    - name, email, name identifier

    Is there a way to let the Identity Provider (let's say Facebook) bring more claims (date of birth, mobile phone, other info) to ACS, so that ACS can push them back to our app again?

    So, the idea is, once a user logs in using his / her Facebook account, their current info will be passed into our web page automatically.

    Is that achievable?

    Friday, May 27, 2011 2:00 PM

Answers

  • In the case of Facebook you need to request access to "extended" properties - this is done when registering the Facebook app with ACS.

    Your users will then see a consent screen asking if they are OK with handing out more information on the first login.


    Dominick Baier | thinktecture | http://www.leastprivilege.com

    Friday, May 27, 2011 4:28 PM

All replies

  • No. All of the IdPs will only hand out a few claims, and nothing else. Facebook hands you a token, which you can use to make a secondary request for more information. Dominick Baier has a good article on how to do it: http://www.leastprivilege.com/AccessControlServiceV2AndFacebookIntegration.aspx
    Developer Security MVP | http://www.steveonsecurity.com
    Friday, May 27, 2011 2:30 PM
  • I tried to find the "extended" properties you mentioned but just can't find them.

    Are they in the Facebook / ACS portal?

    Saturday, May 28, 2011 2:45 PM
  • When you register the Facebook application in ACS, there is a form field which defaults to the value "email" - click the help link to see the possible values for this field.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Saturday, May 28, 2011 6:59 PM
  • http://msdn.microsoft.com/en-us/library/gg185967.aspx

    Hm... very standard claims only: Name Identifier, Name, Email, Access Token, Expiration, and Identity Provider.

    Is there a way to get other info such as mobile phone, date of birth, etc. that we've entered in Facebook?

    Sunday, May 29, 2011 2:17 PM
  • Application permissions:

    https://developers.facebook.com/docs/authentication/permissions/ (linked off the MSDN page from your post)


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Sunday, May 29, 2011 2:50 PM
  • The permissions that you request will allow the access token to be used to get additional information, but it won't cause ACS to actually fetch that as part of the token. For example, if you request the user_likes permission, the claims you get from ACS will not include the user's likes directly. However, you will be able to use the access_token value that ACS returns as a claim to query https://graph.facebook.com/me/likes. Because the access token has been requested with the configured permissions, this request will work. In the Facebook case, the access_token can be used to query lots of user information without any additional permissions. The other Internet providers don't support much in the way of additional information.
    Tuesday, May 31, 2011 10:35 PM
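As an added example (not code from this thread, from ACS, or from Facebook), here is the flow the last reply describes: take the access token claim that ACS hands back, refuse it when it is missing, not issued for the Facebook provider, or past its Expiration claim, and only then build the secondary Graph API request. The claim type URIs and the Unix-timestamp format of the expiration claim are assumptions taken from the ACS documentation, and the sample claim set is constructed.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

# Claim type URIs ACS v2 uses for Facebook tokens (assumed from the ACS docs;
# confirm them in your own ACS namespace before relying on them).
ACCESS_TOKEN_CLAIM = "http://www.facebook.com/claims/AccessToken"
EXPIRATION_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration"
IDP_CLAIM = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"
GRAPH_BASE = "https://graph.facebook.com"

# Constructed sample claim set, shaped like what a relying party receives from ACS.
SAMPLE_CLAIMS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "Example User",
    IDP_CLAIM: "Facebook",
    ACCESS_TOKEN_CLAIM: "constructed-access-token",
    EXPIRATION_CLAIM: "1306600000",  # Unix timestamp, as ACS issues it (assumed)
}

def facebook_access_token(claims, now=None):
    """Return the Facebook access token from an ACS claim set, or None when it
    must not be used: provider is not Facebook, claim missing, or expired."""
    now = time.time() if now is None else now
    if claims.get(IDP_CLAIM) != "Facebook":
        return None
    token = claims.get(ACCESS_TOKEN_CLAIM)
    expiration = claims.get(EXPIRATION_CLAIM)
    if not token or expiration is None:
        return None
    try:
        if int(expiration) <= now:
            return None
    except ValueError:
        return None  # malformed expiration: treat the token as unusable
    return token

def graph_url(path, token):
    """Build the secondary Graph API request the thread describes, e.g. me/likes."""
    return f"{GRAPH_BASE}/{path.lstrip('/')}?{urlencode({'access_token': token})}"

def fetch_graph(path, token, fetch=None):
    """Query the Graph API with the ACS-issued token. `fetch` is injectable so the
    flow can be exercised offline; by default a real HTTPS request is made."""
    if fetch is None:
        fetch = lambda url: urlopen(url, timeout=10).read()
    return json.loads(fetch(graph_url(path, token)))
```

The token is only as good as the permissions configured on the ACS side, so a Graph call for data outside those permissions will still fail even though the token itself is valid.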