Advanced OAuth2: Assertion Flow (how)

Note that the world of OAuth is heading for the world of ws-services, where in the four-corner model the incoming token from the (NSA-governed) American IDP is translated into an (NSA-influenced) German RP-STS token.

In our model we did almost the same. To the JSON response we added the SAML token that controlled the minting of the access grant and JWT (in the first place). Then we simply swap that SAML file using an RP-STS. This works well with Microsoft Online, where exactly that model is required in order for an OAuth-based WPF rich client to get the tokens needed to access the Office 365 APIs (using the token re-issued by Microsoft Online).

My last post described the mechanics and motivation for the OAuth2 assertion flow.

In this post I want to show you how you can use Thinktecture AuthorizationServer to implement an assertion flow scenario. For this specific example I will use Microsoft Account authentication on WinRT – but this could be substituted by any other authentication system (see my last post for more examples).

1 Microsoft Account authentication
The easiest way to do MSA authentication is to use the Live SDK.

For WinRT you first need to register your application in the store. This will result in a client ID and a client secret. Next you need to associate your VS solution with that store app (right-click the project in Solution Explorer → Store → Associate App with the Store).

The following code does the interaction with the MSA infrastructure:

A few things to note here:

  • If the…

View original post 681 more words
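The excerpt stops before the token exchange itself, so here is an added, self-contained example of the assertion-flow exchange that the post and the comment above describe: the client hands the token it got from an external identity provider to the authorization server as an assertion, and the authorization server validates it before minting a token under its own issuer. This is not code from the original post or from Thinktecture AuthorizationServer. It uses the standard RFC 7523 `jwt-bearer` grant type and HS256 with shared demo secrets purely so it runs offline; a real Microsoft Account token is RS256-signed and must be verified against the identity provider's published keys, and all issuer URLs, keys and the `user-42` subject are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode, parse_qs

# --- Constructed demo values (assumptions, not from the original post) ---
IDP_ISSUER = "https://idp.example.test"    # external IdP, standing in for Microsoft Account
IDP_KEY = b"idp-demo-signing-key"          # demo HS256 secret; real MSA tokens are RS256-signed
AS_ISSUER = "https://authz.example.test"   # the authorization server performing the exchange
AS_KEY = b"authz-demo-signing-key"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"   # RFC 7523 grant type


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jwt_verify(token: str, key: bytes) -> dict:
    """Return the claims if the HS256 signature is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    # Pin the algorithm: never let the token itself choose how it is verified.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


# --- Client side: the assertion-grant token request body (RFC 7523 form encoding) ---
def build_token_request(assertion: str, scope: str) -> str:
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})


# --- Authorization-server side: validate the incoming assertion, then issue our own token ---
def exchange(request_body: str, now: int) -> dict:
    form = {k: v[0] for k, v in parse_qs(request_body).items()}
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = jwt_verify(form.get("assertion", ""), IDP_KEY)
    except ValueError as e:
        return {"error": "invalid_grant", "error_description": str(e)}
    # RFC 7523 section 3: trusted issuer, audience is this server, not expired, has a subject.
    if claims.get("iss") != IDP_ISSUER:
        return {"error": "invalid_grant", "error_description": "untrusted issuer"}
    aud = claims.get("aud")
    if AS_ISSUER not in (aud if isinstance(aud, list) else [aud]):
        return {"error": "invalid_grant", "error_description": "audience mismatch"}
    if "exp" not in claims or now >= claims["exp"]:
        return {"error": "invalid_grant", "error_description": "assertion expired"}
    if not claims.get("sub"):
        return {"error": "invalid_grant", "error_description": "missing subject"}
    # External identity accepted: mint a short-lived token under OUR issuer with only the
    # claims the downstream API needs. The IdP token never travels further than this point.
    access = jwt_encode({"iss": AS_ISSUER, "sub": claims["sub"], "scope": form.get("scope", ""),
                         "iat": now, "exp": now + 600, "idp": IDP_ISSUER}, AS_KEY)
    return {"access_token": access, "token_type": "Bearer", "expires_in": 600}


def demo(now: int = 1_700_000_000) -> dict:
    """One accepted exchange plus three rejected assertions (constructed inputs)."""
    base = {"iss": IDP_ISSUER, "sub": "user-42", "aud": AS_ISSUER, "exp": now + 300}
    cases = {
        "good": jwt_encode(base, IDP_KEY),
        "wrong_aud": jwt_encode({**base, "aud": "https://other.example.test"}, IDP_KEY),
        "expired": jwt_encode({**base, "exp": now - 1}, IDP_KEY),
        "forged": jwt_encode(base, b"wrong-key"),
    }
    return {name: exchange(build_token_request(tok, "api.read"), now) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, result in demo(int(time.time())).items():
        print(name, "->", result.get("error_description", result.get("error", "access_token issued")))
```

The design point is the one the comment above makes about the RP-STS: the authorization server does not forward the identity provider's token, it re-issues its own after checking signature, issuer, audience and expiry, so a token minted for some other audience, or an expired or forged one, is refused with `invalid_grant` rather than silently swapped.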

About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in coding theory.