On top of the ASP.NET MVC web app for Am I Interesting (AII), I’m also adding a Windows Phone 7 client application. This application needs to first authenticate against Facebook and retrieve a Facebook access token before passing that token when authenticating against the API for AII.
This is a two-part blog post:
Part 1 – Configuring ACS for Facebook Authentication
Part 2 – Implementing ACS in your WP7 app (next post)
For this authentication, I will use Azure AppFabric Access Control Service (ACS) from the WP7 app. ACS offers a convenient way to authenticate against identity providers such as Windows Live, Facebook, Google and Yahoo, and it’s priced at only $1.99 per 100,000 transactions. If you, like me, have an MSDN subscription, you also have 100,000-500,000 transactions per month included free of charge.
Check the Access Control check box and enter a unique namespace, “amiinteresting” in my case.
Enter a display name, your Facebook Application Id and Facebook Application Secret (from the Facebook developer portal), and a comma-separated list of Application permissions that you need. Offline_access is needed if you don’t want your WP7 users to have to enter their login credentials every time they start the app.
I have added two Identity providers for the two different Facebook applications I use for Development (local debugging) and Production with different Application Ids and Application Secrets.
For a thick client application that will not use browser redirection, it’s enough to enter a display name, a realm URI that the token should be issued for (a slightly tricky subject, described here), which in my case is the application URI https://www.amiinteresting.net, and a token format. I have chosen Simple Web Token (SWT), which is suitable for tokens that are passed in the HTTP header or request, which is normally the case when communicating with REST (or REST-like) APIs.
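To show what the realm and SWT choices mean for whoever receives the token, here is an added example (not code from this post or from ACS) of the checks a relying party runs on an SWT: HMAC-SHA256 signature, issuer, audience equal to the realm, and expiry. The signing key, user id and the exact issuer URL form are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote, unquote_plus

REALM = "https://www.amiinteresting.net"                      # realm from the post
ISSUER = "https://amiinteresting.accesscontrol.windows.net/"  # assumed issuer form
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
# Constructed 32-byte demo key; the real token signing key comes from the ACS portal.
KEY_B64 = base64.b64encode(b"constructed-demo-key-32-bytes!!!").decode()

def _sign(unsigned: str, key_b64: str) -> str:
    """Base64 HMAC-SHA256 over the token text that precedes the signature."""
    mac = hmac.new(base64.b64decode(key_b64), unsigned.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_sample_token(claims: dict, key_b64: str) -> str:
    """Builds a constructed token for the demo; ACS issues the real ones."""
    unsigned = "&".join(f"{quote(k, safe='')}={quote(str(v), safe='')}"
                        for k, v in claims.items())
    return f"{unsigned}&HMACSHA256={quote(_sign(unsigned, key_b64), safe='')}"

def validate_swt(token: str, key_b64: str, realm: str, issuer: str, now=None) -> dict:
    """Returns the claims only if signature, issuer, audience and expiry all pass."""
    unsigned, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("missing signature")
    # Verify the signature before trusting any claim; compare in constant time.
    expected = _sign(unsigned, key_b64).encode()
    if not hmac.compare_digest(expected, unquote_plus(sig).encode()):
        raise ValueError("bad signature")
    claims = {}
    for pair in unsigned.split("&"):
        name, _, value = pair.partition("=")
        claims[unquote_plus(name)] = unquote_plus(value)
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != realm:   # token must be issued for our realm
        raise ValueError("token issued for another realm")
    if int(claims.get("ExpiresOn", "0")) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    sample = make_sample_token({NAMEID: "1234567890", "Issuer": ISSUER,
                                "Audience": REALM,
                                "ExpiresOn": int(time.time()) + 600}, KEY_B64)
    print(validate_swt(sample, KEY_B64, REALM, ISSUER)[NAMEID])
```

The audience check is what ties a token to the realm entered for the relying party: a token ACS issued for a different realm is rejected even though its signature is valid.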
The last thing you need to do is configure the Rule group that was automatically created when you added the relying party. A rule group is used to define how claims from the identity provider (Facebook) are passed to the relying party (WP7 app). Navigate to Rule groups and click on the automatically added rule group to configure it.
I then modified the generated rules by removing the emailaddress claim (I don’t need it and therefore didn’t configure the Identity provider to request the email permission from Facebook) and changing the description of the nameidentifier claim to “Facebook User Id” (which it is).
Done! ACS is now configured for Facebook authentication and ready to be used by WP7!
Stay tuned for the next post, which covers how to connect the WP7 app to ACS and ultimately get the Facebook access token, which is required to authenticate against the API for Am I Interesting…