Advanced OAuth2: Assertion Flow (how)

Note that the world of OAuth is heading for the world of WS-* services, where in the four-corner model the incoming token from the (NSA-governed) American IdP is translated into an (NSA-influenced) German RP-STS token.

In our model we did almost the same. To the JSON response we added the SAML token that controlled the minting of the access grant and JWT (in the first place). Then we simply swapped that SAML file using an RP-STS. This works well with Microsoft Online, where exactly that model is required in order for an OAuth-based WPF rich client to get the tokens needed to access the Office 365 APIs (using the token re-issued by microsoftonline).

My last post described the mechanics and motivation for the OAuth2 assertion flow.

In this post I want to show you how you can use Thinktecture AuthorizationServer to implement an assertion flow scenario. For this specific example I will use Microsoft Account authentication on WinRT – but this could be substituted by any other authentication system (see my last post for more examples).

1 Microsoft Account authentication
The easiest way to do Microsoft Account (MSA) authentication is to use the Live SDK.

For WinRT, you first register your application in the Windows Store; this gives you a client ID and a client secret. Next, associate your Visual Studio solution with that Store app (right-click the project in Solution Explorer -> Store -> Associate App with the Store).

The following code does the interaction with the MSA infrastructure:

A few things to note here:

  • If the…
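The assertion-grant exchange the post is building toward, as an added example that is not code from the original post, from Thinktecture AuthorizationServer or from the Live SDK. It is written in Python so it runs stand-alone and shows both sides: a stand-in identity provider issues a signed token to the client after login, the client posts that token as the assertion on the token endpoint, and the authorization server verifies it (algorithm, signature, issuer, audience, expiry) before minting its own access token. Everything named here is an assumption: the grant_type URI, the issuer and audience strings, the client registration and the keys are constructed placeholders, and the stand-in IdP signing with HS256 under the app's client secret is a simplification chosen for the example, not a description of the Microsoft Account token format.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders (assumptions, not values from the post or from AuthorizationServer).
GRANT_TYPE = "urn:example:grant-type:msa"       # placeholder assertion grant_type URI
IDP_ISSUER = "urn:example:idp"                  # placeholder 'iss' of the external IdP
AS_ISSUER = "https://as.example.com"            # placeholder issuer of our own tokens
RESOURCE = "https://api.example.com"            # placeholder audience of the minted token
CLIENT_ID = "000000004C0FFEE0"                  # constructed client registration
CLIENT_SECRET = b"constructed-client-secret"
AS_SIGNING_KEY = b"constructed-as-signing-key"  # deliberately distinct from the client secret


class InvalidGrant(Exception):
    """Any failed assertion check; reported to the client as error=invalid_grant."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder (compact serialization), enough for the example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def idp_issue_assertion(user_id: str, now: int, ttl: int = 300) -> str:
    """Stand-in for the token the external IdP returns to the client after login.

    Assumption for this example: the IdP signs with HS256 under the app's client
    secret, so an authorization server holding that secret can verify it.
    """
    claims = {"iss": IDP_ISSUER, "aud": CLIENT_ID, "uid": user_id,
              "iat": now, "exp": now + ttl}
    return jwt_hs256(claims, CLIENT_SECRET)


def validate_assertion(token: str, key: bytes, now: int) -> dict:
    """The checks the authorization server makes before trusting an assertion."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidGrant("malformed assertion")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm: rejects 'none' and swaps
        raise InvalidGrant("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidGrant("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != IDP_ISSUER:       # only the IdP we federate with
        raise InvalidGrant("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:        # token minted for a different app
        raise InvalidGrant("unexpected audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise InvalidGrant("assertion expired")
    return claims


def token_endpoint(form: dict, now: int) -> dict:
    """POST /token for the assertion grant; error shapes follow RFC 6749 section 5.2."""
    secret = form.get("client_secret", "").encode()
    if form.get("client_id") != CLIENT_ID or not hmac.compare_digest(secret, CLIENT_SECRET):
        return {"error": "invalid_client"}
    if form.get("grant_type") != GRANT_TYPE:
        return {"error": "unsupported_grant_type"}
    try:
        claims = validate_assertion(form.get("assertion", ""), CLIENT_SECRET, now)
    except InvalidGrant as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    ttl = 3600
    # Mint our own token under our own key; the external assertion never reaches the API.
    access = jwt_hs256({"iss": AS_ISSUER, "aud": RESOURCE, "sub": claims["uid"],
                        "scope": form.get("scope", ""), "iat": now, "exp": now + ttl},
                       AS_SIGNING_KEY)
    return {"access_token": access, "token_type": "Bearer", "expires_in": ttl}


def decode_claims(token: str) -> dict:
    """Read a compact JWT's payload without verifying it (inspection only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    now = int(time.time())
    assertion = idp_issue_assertion("user-42", now)      # what the client got from the IdP
    print(token_endpoint({"grant_type": GRANT_TYPE, "assertion": assertion,
                          "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET.decode(),
                          "scope": "read"}, now))
```

The point the checks make: the authorization server never trusts the assertion on the client's say-so. The verification key, issuer and audience it expects are fixed at the server, the `alg` header is pinned so a token with `alg: none` or a swapped algorithm is refused, and every failed check comes back as a generic `invalid_grant`. Substituting another authentication system, as the post suggests, means replacing `idp_issue_assertion` and the expected issuer, not removing any of the checks.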

View original post (681 more words)



Computer programmer who often does network administration with a focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in coding theory.