Webforms WebAPI + todoItem Phone App + ACS AS for XAML client

We are now taking 3 sample apps from Microsoft and using them to tell our local OAUTH AS story.

That is, first, we have managed to repurpose the XAML client that previously showcased popping up a web browser in order to invoke websso and thus get hold of the redirect URI issued by the ACS namespace serving the Windows data marketplace; upon that event, the code shows a background task converting the code to a first access token (using the token issuing endpoint of ACS).

Second, we altered the XAML code's settings so that the client and its web browser login process now point away from the marketplace endpoints and at our own OAUTH AS endpoints. (Recall that our own AS wraps an ACS namespace whose management service and token issuing endpoint do most of the real work.)

Third, we added the todoList webAPI controller to our dotNet4.0 windows forms project – necessarily dotNet 4.0, since we make heavy use of the WIF extension libraries. The point is that this API just happens to be the one that a certain demo Windows Phone app wants to talk to, having talked to an OAUTH AS. While the original sample wanted to showcase the app handling the JWT from the OAUTH STS using the JWT SecurityToken handler (available for dotNet 4.5 only), in our case we will be content to simply parse the JWT manually – without verifying its RSA signatures etc.
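
The manual parse described above, as an added example (not code from the original samples or from our project). The class name `UnverifiedJwt`, the `sub` claim name for the user id and the sample token are assumptions constructed for illustration; because the RSA signature is not checked, the claims it returns are unauthenticated input.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web.Script.Serialization; // reference System.Web.Extensions (dotNet 4.0)

public static class UnverifiedJwt // hypothetical helper name
{
    // Decode one base64url segment: URL-safe alphabet, '=' padding stripped.
    static byte[] Base64UrlDecode(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("Invalid base64url length.");
        }
        return Convert.FromBase64String(s);
    }

    // Returns the claims in the JWT payload. The signature segment is NOT
    // verified, so anyone able to submit a token controls these values.
    public static IDictionary<string, object> ReadClaims(string jwt)
    {
        if (string.IsNullOrEmpty(jwt))
            throw new ArgumentException("Empty token.", "jwt");
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected header.payload.signature.");
        string json = Encoding.UTF8.GetString(Base64UrlDecode(parts[1]));
        return new JavaScriptSerializer()
            .Deserialize<Dictionary<string, object>>(json);
    }

    public static void Main()
    {
        // Constructed sample: header {"alg":"RS256","typ":"JWT"},
        // payload {"sub":"user1"}, placeholder signature bytes.
        string sample = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"
                      + ".eyJzdWIiOiJ1c2VyMSJ9"
                      + ".c2ln";
        IDictionary<string, object> claims = ReadClaims(sample);
        object userId;
        if (claims.TryGetValue("sub", out userId)) // "sub" is an assumed claim name
            Console.WriteLine("user id (unverified): " + userId);
    }
}
```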


So there seem to be two steps:

1. Finish up the XAML client so it uses the todoApp API (rather than a much more complex Zillow API). We want to see it pass across the JSON token that our own OAUTH AS/STS has minted, and for the App to handle the token. It should also use the userid from the token to help select a subset of the todo items.

2. Replace the role of the XAML client with the Windows Phone app, doing essentially the same thing. This project showcases the Windows Phone app using an embedded browser.


We have already seen some design points come up. First, the browser pop-up in the XAML case shows a kind of address bar (so there is webby feedback about trust). We need to see how the model is continued in the phone app case. Second, the embedded app may not send a User-Agent header (as in the XAML case), triggering bugs… in code that failed to allow for it being a null string.


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.