Windows 8 Metro applications would inevitably talk to services hosted either in cloud or in an on-premise hosting environment providing access to resources for consumers using the Metro client application. Access to services from Windows 8 Metro client applications can be made secure using Windows Azure Access Control Services (Azure ACS 2.0). In Chapter 4, Cloud-based Identity with Azure Access Control Service, we have explored the steps to perform identity delegation using Azure ACS 2.0. In this recipe, we will take a look at the steps to create a Windows 8 Metro application. We will then configure it to receive a security token issued by Azure ACS and use it to access resources from a Service Provider.
The prerequisites to walk through the "how-to steps" are as follows:
In addition to the preceding prerequisites, you would also need to be familiar with Windows 8 Metro application development using XAML (plus C#) and JavaScript. We will also use Task Based Asynchronous Programming (TAP) concepts in this recipe. You can learn more about this pattern in the document available at the following URL:
For creating and configuring a Windows 8 Metro application, follow these steps:
MetroAcsApplication:
MetroAcsApplication
project open the MainPage.xaml
file and create a button (captioned Login)
and a textbox (with name txtStatus)
to display a "Success / Failure" message post the authentication process. MainPage.xaml.cs
file and add a private
method GetAuthenticationResultAsync:
private async Task GetAuthenticationResultAsync(string ipURL) { try { var result = await WebAuthenticationBroker.AuthenticateAsync( WebAuthenticationOptions.Default, new Uri(ipURL)); txtStatus.Text = (result.ResponseStatus == 0) ? "Success" : "Failure"; } catch (Exception e) { txtStatus.Text = e.Message; } }
Note that GetAuthenticationResultAsync
is not an ordinary private
method. It uses the TAP pattern in .NET Framework 4.5 to asynchronously carry out the authentication process.
GetAuthenticationResultAsyc
task from the button-click event handler of the Login button:private async void Button_Click(object sender, RoutedEventArgs e) { Task getLoginUrl = GetIdentityProviderLoginUrlAsync("Yahoo"); txtStatus.Text = "Loading Provider..."; await getLoginUrl; Task authenticate = GetAuthenticationResultAsync(loginUrl); txtStatus.Text = "Authenticating.."; await authenticate; }
The most important item to note in the steps is the usage of WebAuthenticationBroker (Windows.Security.Authentication.Web)
. It is a WinRT ( http://en.wikipedia.org/wiki/Windows_Runtime) object that starts an asynchronous authentication operation with a call to the method AuthenticateAsync
.
The returned result contains the following three properties:
Rich client applications such as Windows 8 Metro Applications do not have the ability to federate in passive mode such as in a web browser. Web Authentication Broker mediates to allow rich client applications delegate identity to providers such as Azure ACS and then use the retrieved token to make a request to the Service Provider specifying the token in the Request Header. To retrieve the ACS token, you must specify a valid call-back URI to the AuthenticateAsync
method. The call-back URI will receive the ACS token (SWT or SAML). The following diagram illustrates this scenario:
Information regarding the identity providers (name, logo, login URL, logout URL, and so on) registered in ACS is published in JSON format. The login URL for an identity provider can be retrieved by parsing the JSON string fetched by making a GET request to https://{0}.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm={1}version=1.0
.
WinRT exposes the PasswordVault
class (Windows.Security.Credentials) that can be used to store a PasswordCredential
object. This is particularly useful if you need to authenticate more than once and you don't want to be redirected every time to the identity provider. Use the ResponseData
property to retrieve the credential information and store it in PasswordVault
.
Vittorio Bertocci did a great talk on Identity and Access Management in the Build Conference. You can learn more about it at http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-858T. The demos used in the talk are packaged as samples with the Windows Azure Toolkit for Windows 8 which can be installed from http://watwindows8.codeplex.com/. You will need to run the setup script after extracting the contents of the Toolkit to make sure that all the dependencies are installed and the Visual Studio templates are appropriately configured.