When developing a web application or service, there is always the question of how to sign users in. Do we once again ask them to enter their details and e-mail address and to remember yet another password?
It would be great to let users who already have accounts in popular social networks or network services log in to our resource without having to re-enter all that data.
In this article I want to show, with a simple example, how to use Access Control Services, available within the Windows Azure platform, to sign users in with their accounts from other network services.
So, let's begin.
First we need to configure Access Control Services to work with the test application.
Open the management portal of the Windows Azure subscription and go to the Service Bus, Access Control & Caching section:

And create a new namespace for the Access Control service:

In our case, I created the habratest namespace. Wait until the namespace has been created, then proceed to configure it for use by our application.

Clicking the icon labelled Access Control Service, indicated by the arrow in the previous figure, opens the portal for configuring the newly created namespace.
Now configure the namespace for our future application. To do this, select the menu item Relying party applications and click Add in the central part of the page.

Fill in the displayed form:

Name: HabraTest
Mode: leave the setting Enter settings manually - we will configure our application in Visual Studio
Realm: http://localhost:7778/ - this is the URL where our application will be published
Return URL: http://localhost:7778/ - in our case it matches the main URL
All other settings can be left at their defaults. By default, only one provider is connected: Windows Live ID, but in the settings you can add Google, Yahoo!, Facebook and WS-Federation.
Having finished the settings, click the Save button at the bottom of the form.
To add more providers, select Identity providers in the left column and then click Add in the central part of the page. The interface for adding providers will be displayed.

I will add Google and Yahoo!
When adding providers, you can specify which previously configured applications to add them to.

I will add both providers to my HabraTest test application.
Now you need to configure the rules. To do this, go to the section Rule groups:

Click on the Default Rule Group for HabraTest and on the next page generate the rules:


Save the generated rules.

Now go to the Application integration section and copy the Endpoint Reference for WS-Federation Metadata into Notepad.

This completes the configuration of the Access Control service for the test application.
Let's start Visual Studio and create a project based on the ASP.NET MVC 3 template. When creating it, select Internet Application and leave Razor as the View Engine.
I called my application HabraTest.
We configure the application to run on the port specified in the Access Control service settings. To do this, in the project settings, on the Web tab, leave Use Visual Studio Development Server selected and set Specific Port to 7778:

Remember to save your changes.
Now we connect our Access Control service to the application. To do this, add an STS Reference to the project (right-click on the solution in Solution Explorer and select Add STS Reference... from the menu).
In the dialog box that opens, enter the URI of our application, http://localhost:7778/, in the Application URI field and click Next.
A warning will appear that we are using an insecure connection. Since this is a test application, we ignore it.
In the next step of the wizard, select Use an existing STS and enter the Endpoint Reference that we saved after configuring the Access Control Service.

Then click Next until the end of the wizard, leaving all the default settings (we do this because the defaults are suitable for our test application; for a real application, you must select the appropriate settings at each step of the wizard).
In order for our application to correctly process the data received from the authorization service, we need to add the following setting to the system.web section of the configuration file (Web.config):
<httpRuntime requestValidationMode="2.0" />
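The setting above switches request validation back to the ASP.NET 2.0 behaviour for the whole application so that the XML token posted back by Access Control is not rejected. As an added example (not code from the original article), a narrower alternative is a custom request validator that exempts only a genuine WS-Federation sign-in response; the class name WsFedRequestValidator and its placement in the HabraTest namespace are assumptions, and the project is assumed to reference Microsoft.IdentityModel (WIF).

```csharp
// Added example, not part of the original article.
// Register it in Web.config in place of requestValidationMode="2.0":
//   <httpRuntime requestValidationType="HabraTest.WsFedRequestValidator" />
// The class name and namespace are assumptions chosen for illustration.
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

namespace HabraTest
{
    public class WsFedRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // The security token arrives in the "wresult" form field.
            // No other field, query string, cookie or header is exempted.
            bool isTokenField =
                requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey,
                              WSFederationConstants.Parameters.Result,
                              StringComparison.Ordinal);

            if (isTokenField)
            {
                // Exempt the field only when the whole POST parses as a
                // WS-Federation sign-in response. The token itself is still
                // validated afterwards by the WIF federation module.
                var signIn = WSFederationMessage.CreateFromFormPost(context.Request)
                             as SignInResponseMessage;
                if (signIn != null)
                {
                    return true;
                }
            }

            // Everything else goes through the standard ASP.NET 4 validation.
            return base.IsValidRequestString(context, value,
                requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```

With this validator registered, the default ASP.NET 4 request validation stays in force for every other input to the application.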
Now you can run our application. The choice of authentication provider is displayed:

And after authentication by the selected provider, we will get access to the site:

So, using only the settings, we were able to add authentication to our site from several providers.
This is just the beginning, of course: additional development is needed to integrate Access Control more closely with our services.
Access Control is not limited to web services. The latest release of the Windows Azure Toolkit for Windows Phone 7 shows how it can be used for authentication in Windows Phone 7 applications; a brief overview of one of the toolkit's first versions can be read on Habr.