The New ACS is Live: if you do HTTP, you can play the Game

Today the .NET Services team released the first CTP that reflects the changes announced back in September: you can read about it in their team blog and in Justin’s blog and experiment with the service here.

You know, it’s kind of a big deal! The power of the claims-based approach is now within reach for REST developers and a surprisingly wide array of platform and devices: all it takes for taking advantage of the service is being able to use http and perform super-simple crypto (did I just say an oxymoron or what? Come on, you know what i mean :-)). Substantially, many of the diagram you have seen me drawing in the last 4 years remain pretty much unchanged: the difference is mainly in the kind of tokens exchanged (a minimalist bearer that plays fair with the space limitations in HTTPland) and in the protocol used.

The protocol ACS uses is WRAP, or Web Resource Authorization Protocol; in fact I should probably call it OAUTH WRAP, given what is mentioned on the WRAP discussion group home page… which is now moved to https://groups.google.com/group/oauth-wrap-wg. OAUTH WRAP has a companion token, the Simple Web Token or SWT, whose spec can be found here. Take the time to leaf through them: you’ll be surprised by how simple & straightforward they are.

I am itching to pick the pen and start scribbling on my tablet some schema for you, but I’ll resist the temptation: we are working on some content for helping you to explore the new possibilities that the service offers, and it will be available to you very soon. In the meanwhile, you can play with the samples in the SDK: and of course, don’t forget to add Justin’s session in your PDC09 agenda!