ACS support of OAuth?

  • Question

  • Which OAuth use cases are supported by ACS v2?

    Which are planned for future releases?

     

    Is Delegation the only use case currently supported?

     

    Thanks,

    Chris

    Wednesday, May 11, 2011 7:43 PM

All replies

  • Hello Chris,

    According to the release notes, the ACS implementation of the OAuth 2.0 protocol has been updated to comply with the OAuth 2.0 Draft 13 specification. You can find two samples: Code Sample: OAuth 2.0 Certificate Authentication and Code Sample: OAuth 2.0 Delegation.

    The first sample illustrates how to authenticate to ACS using the OAuth 2.0 protocol by presenting a Security Assertion Markup Language (SAML) token that is signed by an X.509 certificate. The second sample demonstrates how OAuth 2.0 delegated access works for REST web services using an extension for Windows Identity Foundation (WIF).

    If you need more assistance, please let me know.

    Thanks,


    Wengchao Zeng
    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework
    Friday, May 13, 2011 2:08 AM
  • The release notes indicate that ACS v2 supports the SAML2 bearer token grant request type and the Client Credentials grant request type.

    The release notes are silent on whether ACS supports the other 3 access profiles (Authorization Code, Implicit Grant, and Resource Owner Password Credentials; see sections 4.1, 4.2, and 4.3 of the Draft 13 specification respectively).

    Based upon a little bit of quick testing, when I attempt any of these other three grant type requests, I get a return code of

    {"error":"invalid_request","error_description":"ACS90007: Request method not allowed. "}

    Based upon my reading of the OAuth 2.0 Delegation sample, ACS can be used by a custom Authorization Server to implement the 'Authorization Code' scenario, but does not directly support the Authorization Code scenario's authorization request protocol (i.e., response_type=code).

    The "Implicit" and "Password" grant types don't seem to be supported at all.

    Do I misunderstand anything about the current level of support?

    Thanks,

    Chris

    Friday, May 13, 2011 4:26 PM
  • Hello Chris,

    Thanks for your response.

    I am trying to involve someone familiar with this topic to further look at this. There might be some time delay. Appreciate your patience.

    Thanks,


    Wengchao Zeng
    Microsoft One Code Framework
    Monday, May 16, 2011 6:17 AM
    Grant types ACS v2 supports are SAML, SWT, authorization_code, client_credentials, password and refresh_token.

    In addition, the token types for SAML and SWT are also allowed as grant types:

    SWT: http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0

    SAML 1.1: urn:oasis:names:tc:SAML:1.0:assertion
    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

    SAML 2.0: urn:oasis:names:tc:SAML:2.0:assertion
    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0


    bill boyce
    • Proposed as answer by billb08 - MSFT Tuesday, June 7, 2011 1:34 PM
    • Marked as answer by crudolphi Tuesday, June 7, 2011 2:10 PM
    Wednesday, June 1, 2011 5:33 PM
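The following is an added example written for this thread; it is not code from the original posts and not Microsoft's ACS sample code. It covers two points raised above: it builds an OAuth 2.0 token request for each grant type Bill lists (the SAML/SWT token-profile URIs being assertion grants, with the incoming token carried in the `assertion` parameter), and it classifies the token endpoint's JSON reply so the `invalid_request` / `ACS90007` error Chris observed is surfaced as a structured result rather than a raw string. It goes one step beyond the thread by also verifying an SWT access token on the relying-party side (HMAC-SHA256 over the form-encoded claims, then Audience, Issuer and ExpiresOn). Assumptions: the namespace `contoso`, the endpoint path `/v2/OAuth2-13`, the service identity `svc`/`s3cret`, the realm `http://localhost/api` and the signing key are placeholders; `make_swt` exists only to build sample tokens; the network call in `post_token_request` is not exercised offline.

```python
# Added example, not from the thread or from Microsoft's own samples.
# Builds token requests for the grant types ACS v2 offers, classifies the
# endpoint's reply (including the ACS90007 error reported earlier), and
# verifies an SWT access token as a relying party should.  Namespace,
# endpoint path, credentials and key below are placeholders (assumed).
import base64
import hashlib
import hmac
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Grant-type identifiers from the reply above.  The token-profile URIs are
# "assertion" grants: the SWT or SAML token itself travels in `assertion`.
GRANT_SWT = "http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0"
GRANT_SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
GRANT_SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"
ASSERTION_GRANTS = {GRANT_SWT, GRANT_SAML11, GRANT_SAML20}
# Grant-specific parameters each of the other grant types must carry.
REQUIRED = {"authorization_code": ("code", "redirect_uri"), "client_credentials": (),
            "password": ("username", "password"), "refresh_token": ("refresh_token",)}
# Assumed ACS v2 OAuth 2.0 endpoint for a placeholder namespace.
TOKEN_ENDPOINT = "https://contoso.accesscontrol.windows.net/v2/OAuth2-13"
SAMPLE_KEY_B64 = base64.b64encode(b"\x2a" * 32).decode()  # constructed 256-bit key
ACS_CODE = re.compile(r"ACS\d{5}")

def build_token_request(grant_type, client_id, client_secret, scope, **params):
    """Form-encoded token request body; ValueError if the grant type is not one
    ACS v2 offers or a parameter it requires is missing."""
    if grant_type in ASSERTION_GRANTS:
        needed = ("assertion",)
    elif grant_type in REQUIRED:
        needed = REQUIRED[grant_type]
    else:
        raise ValueError("grant type not offered by ACS v2: %s" % grant_type)
    missing = [p for p in needed if not params.get(p)]
    if missing:
        raise ValueError("%s grant needs %s" % (grant_type, ", ".join(missing)))
    # client_id/client_secret identify the ACS service identity; scope is the
    # relying-party realm the access token should be issued for.
    fields = {"grant_type": grant_type, "client_id": client_id,
              "client_secret": client_secret, "scope": scope}
    fields.update({p: params[p] for p in needed})
    return urllib.parse.urlencode(fields)

def parse_token_response(status, body):
    """Classify a token-endpoint reply: ("token", access_token, expires_in) on
    success, else ("error", oauth_error, acs_code).  ACS puts its own ACSnnnnn
    code at the start of error_description, which is worth logging separately."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return ("token", data["access_token"], int(data.get("expires_in", 0)))
    found = ACS_CODE.search(data.get("error_description", ""))
    return ("error", data.get("error", "unknown"), found.group(0) if found else None)

def post_token_request(body, endpoint=TOKEN_ENDPOINT):
    """POST the body to the token endpoint (network; not exercised offline).
    Error replies come back with a 4xx status, which urllib raises as HTTPError."""
    req = urllib.request.Request(endpoint, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read().decode())

def make_swt(claims, key_b64):
    """Sign claims as an SWT: HMAC-SHA256 over the form-encoded claims, appended
    as the final HMACSHA256 parameter.  Used here only to build sample tokens."""
    body = urllib.parse.urlencode(claims)
    digest = hmac.new(base64.b64decode(key_b64), body.encode(), hashlib.sha256).digest()
    return body + "&HMACSHA256=" + urllib.parse.quote(base64.b64encode(digest).decode(), safe="")

def verify_swt(token, key_b64, audience, issuer, now):
    """Relying-party check of an SWT access token: signature under the namespace
    key first, then Audience, Issuer and ExpiresOn (seconds since the epoch).
    Returns the claims dict or raises ValueError; no claim is read before the HMAC passes."""
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token is not signed")
    digest = hmac.new(base64.b64decode(key_b64), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64encode(digest), urllib.parse.unquote(sig).encode()):
        raise ValueError("bad signature")
    claims = dict(urllib.parse.parse_qsl(body))
    if claims.get("Audience") != audience:
        raise ValueError("wrong audience")
    if claims.get("Issuer") != issuer:
        raise ValueError("wrong issuer")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    print(build_token_request("client_credentials", "svc", "s3cret", "http://localhost/api"))
    print(parse_token_response(400, '{"error":"invalid_request",'
                               '"error_description":"ACS90007: Request method not allowed. "}'))
```

To reproduce Chris's test against a real namespace, replace the placeholders, build the body for the grant type under test and pass it to `post_token_request`; the tuple it returns tells you whether ACS issued a token or which OAuth error and ACS code came back. On the resource side, `verify_swt` is the minimum check before trusting any claim in the token: the signature is verified over the exact bytes received, the comparison is constant-time, and audience, issuer and expiry are checked only after the HMAC passes.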
  • Thanks Bill.

    From your reply, I presume the following is true (please correct me if I'm wrong):

    - Grant types SAML and SWT will issue access tokens if the incoming token is valid and from a trusted IdP;

    - The grant type: authorization_code uses the ACS delegation feature to validate incoming requests;

    - The grant type: client_credentials is validated against the ACS list of Service Credentials.

    - You mentioned 'password', but I thought I had read in the release notes that password was deprecated in favor of 'client_credentials'.

    Chris

    Tuesday, June 7, 2011 2:09 PM
  • You may want to check out the blog I wrote earlier explaining ACS's OAuth2 support.
    Thursday, September 22, 2011 4:06 AM