
I have a web API which I want to secure using ACS, but I want to use ACS for authorization only. The flow I want is:

  1. The user is redirected by the app to authenticate with Facebook and the app receives a Facebook token.
  2. The app sends a request to ACS with the Facebook token and receives a new token, which it can use to access the API.
  3. The user calls the API and passes the token received from ACS as authentication/authorization for the API.

Is this flow possible? How do I set this up on the ACS side and the API side? I already have the Facebook authentication working in the app. I would like to leverage the token I am already getting in order to call the API.

Elad Lachmi
  • You mention that you already have Facebook authentication working in "the app". Is that a web application? Is it ASP.NET MVC with WIF? Is ACS issuing SAML tokens for that RP or JWT? – Nathan Feb 23 '14 at 01:17
  • @Nathan - No, it's a Windows Phone 8 app. I ended up not using ACS or Azure AD at all. I just get the FB token through the app and then validate it via FB on the Web API side. This is what I could come up with, and it works for me. I hope that as these products mature, Microsoft will include support for more complex scenarios. – Elad Lachmi Feb 23 '14 at 05:11

0 Answers