We have moved away from using the dotnetopenauth framework for oauth2 providers (that have to date allowed us to emulate Ping Federate AS, using the Microsoft ACS OAUTH endpoint and management services). Our plugin is still compatible with the dotnetopenauth ASP.NET pattern, but we now use objects from the “dallas” sample code to talk to the token issuing endpoint of ACS.
The reason is simple: we needed our own token issuing endpoints (delegating, remember, to the token issuing point of ACS) to fully handle expiry dates of refresh tokens, or of access tokens when no refresh token is signaled.
Having done that, two benefits accrue: (i) the ping federate demo client correctly shows expiry fields, and (ii) the dallas API sample works to get authorization headers. The latter is the demo of a thick XAML client firing up a web-browser window so as to complete websso and interact with (our) OAUTH2 AS and token issuing endpoints, and then accessing a data API in the Azure data marketplace (showing zillow mortgage data, as it happens).
Using a better client to talk to the ACS token issuing endpoint
The ping federate page showing the authorization response now handles delivering the (renewal) expiry issued by ACS:
Validation by our own endpoint then shows the remaining time to expiry of the access token, which can be longer than the renewal token expiry time (when the clock skew between ACS and the token issuing computer works against us!).