Note that the world of OAuth is heading for the world of ws-services, where in the four-corner model the incoming token from the (NSA-governed) American IdP is translated into an (NSA-influenced) German RP-STS token.
In our model we did almost the same. To the JSON response we added the SAML token that controlled the minting of the access grant and JWT (in the first place). Then we simply swap that SAML file using an RP-STS. This works well with Microsoft Online, where exactly that model is required in order for an OAuth-based WPF rich client to get the tokens needed to access the Office 365 APIs (using the token re-issued by Microsoft Online).
My last post described the mechanics and motivation for the OAuth2 assertion flow.
In this post I want to show you how you can use Thinktecture AuthorizationServer to implement an assertion flow scenario. For this specific example I will use Microsoft Account authentication on WinRT – but this could be substituted by any other authentication system (see my last post for more examples).
1 Microsoft Account authentication
The easiest way to do MSA authentication is to use the Live SDK.
For WinRT – you first need to register your application in the store. This will result in a client ID and a client secret. Next you need to associate your VS solution with that store app (right click the project in solution explorer –> Store –> Associate App with the Store).
The following code does the interaction with the MSA infrastructure:
A few things to note here:
- If the…
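The code the excerpt refers to is not included above. As an added illustration (not the original post's code), this is how the Live SDK sign-in on WinRT and the subsequent exchange of the Microsoft Account token at an assertion-flow token endpoint can look in C#; the endpoint URL, the `grant_type`/`assertion_type` values, the client name and the requested scope `read` are assumptions, not AuthorizationServer's documented configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Live;

// Added example (not from the original post): sign in with a Microsoft Account
// via the Live SDK and hand the resulting signed token to an OAuth2 assertion
// grant. Endpoint, grant/assertion type names and scope are assumptions.
public static class MsaAssertionClient
{
    // Assumed token endpoint of the authorization server.
    private const string TokenEndpoint = "https://authz.example.com/token";

    public static async Task<string> SignInWithMicrosoftAccountAsync()
    {
        // Live SDK: LiveAuthClient drives the MSA sign-in UI on WinRT.
        var authClient = new LiveAuthClient();
        LiveLoginResult result = await authClient.LoginAsync(new[] { "wl.signin" });

        if (result.Status != LiveConnectSessionStatus.Connected)
            throw new InvalidOperationException("MSA sign-in did not complete: " + result.Status);

        // AuthenticationToken is the app-scoped token signed against the client
        // secret from the store registration (AccessToken is for Live APIs).
        // It is the value the authorization server validates as the assertion.
        return result.Session.AuthenticationToken;
    }

    public static async Task<string> ExchangeAssertionAsync(string msaToken)
    {
        using (var http = new HttpClient())
        {
            // Assumed parameter names; match them to the grant type configured server-side.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                { "grant_type", "assertion" },
                { "assertion_type", "msa" },
                { "assertion", msaToken },
                { "scope", "read" }
            });

            HttpResponseMessage response = await http.PostAsync(TokenEndpoint, form);
            response.EnsureSuccessStatusCode();
            // Body is the JSON token response (access_token, expires_in, ...).
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```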