Protecting and consuming REST based resources with ACS, WIF, and the OAuth 2.0 protocol


ACS (Azure Access Control Service) recently added support for the OAuth 2.0 protocol. If you haven’t heard of it, OAuth is an open protocol that is being developed by members of the identity community to solve the problem of allowing 3rd party applications to access their data without providing their passwords. In order to show how this can be done with WIF and ACS, we have posted a sample on Microsoft Connect that shows an end-to-end scenario.

The scenario in the sample is meant to be as simple as possible to show the power of the OAuth protocol to enable web sites to access resource on behalf of a user without the user providing his or her credentials to that site. In our scenario, Contoso has a web service that exposes customer information that needs to be protected. Fabrikam has a web site and wants users to be able to view their Contoso data directly on it. The user doesn’t have to log in to the Fabrikam site, but gets redirected to a Contoso specific site in order to login and give consent to access data on their behalf.

The Contoso web service requires OAuth access tokens from ACS to be attached to incoming requests. The necessary protocol flow for the Fabrikam web site (in OAuth terms – the web server client), including redirecting the user to login and give consent, requesting access tokens from ACS, and attaching the token to outgoing requests to the service is taken care of under the covers. The sample contains a walkthrough that describes the components in more detail.

Try it out here, and tell us what you think!

Comments (11)

  1. Mats Cosaas says:

    All we have today in WIF is based on SOAP, all right?! As REST is different kind of service, that eliminates the overhead of the SOAP, this API that you show here is to protect REST services using WIF, but with OAuth protocol?!

  2. Sam says:

    This seems to be a great sample. I tried it, but nothing is happening when I click on "Populate all data" button.

    Any suggestions?

  3. Alik Levin says:


    Try using fiddler or other http monitor to see the errors returned attached as query strings. Or run in debug mode to track down teh exception you are getting. You probably configured something wrong. The error message should tell you what's wrong and give you some hints what's off.


  4. Sam says:

    On running the “ConfigureAcsConsoleApplication” project, I am getting following error:

    "The closed type Common.ACS.Management.ServiceIdentity does not have a corresponding SystemReserved settable property"  on

    ManagementServiceHelper.cs – Line 273:

    ServiceIdentity serviceIdentity = svc.ServiceIdentities.Where(si => si.Name == name).FirstOrDefault();

  5. Jack says:

    I have got the authorization code using the following method

    "AuthorizationServerHelper.GetAuthorizationCode(message.Parameters[OAuthConstants.ClientId], SamplesConfiguration.RelyingPartyApplicationName, username, SamplesConfiguration.IdentityProvider);"

    Now i need the access token and refresh token to send the further requests. Is there any method which will return the access token and refresh token on the basis of the authorization code.

  6. Sam says:

    Jack, AuthorizationServerHelper.GetCodeResponseUri()  can be of some help to you.

  7. Sam says:

    ON Consent.aspx.cs, in Submit_Click() , Response.Redirect(redirectUri) is giving me BAD Request 400 error.

    Any idea what might be causing this.

  8. The sample on Connect has now been updated for the latest labs version of ACS 2.0.

    Sam, feel free to provide feedback and ask questions on the Connect site (…/Feedback). Include details to reproduce the issue, including whether you have changed the token expiry time.

  9. HowardH says:

    Did Sam every figure out his 3-09-2011 1:13 AM issue?  I have encountered precisely that same issue in the Feb 2011 Azure Labs (ACSLabsV2Federation, Step 5).  I note that both the lab and the OAuth sample share a type named ManagementService which creates a wrapper onto the ACS.Management.ManagementService.  Both Sam and I were thus calling the ACS ManagementService REST interface, I think.

    I must be doing the same thing wrong as Sam.

    Any and all helps and tips greatly appreciated.

  10. PASC says:

    Sam, did you ever found a solution for the Bad Request at the consent -> submit action?

    I'm getting the same error…

  11. Mark says:

    Where did the service go on The certificate has expired and the Service Bus, Access Control & Caching” link is disabled.

Skip to main content