In this scenario you are developing a distributed application that consists of a front end ASP.NET web app and a backend REST WCF service. You want to authenticate users with public identity providers such as Live ID, Google, Facebook, Yahoo!, and OpenID 2.0, and you also want to flow the end user's original identity down to the backend REST WCF service, so that the backend can make its own authentication and authorization decisions for that user rather than trusting the front end blindly.
Windows Identity Foundation (WIF) and Windows Azure Access Control Service (ACS) are used to solve this scenario. The approach is to configure a single relying party in ACS that issues a Simple Web Token (SWT). That one SWT token is accepted by both the front end ASP.NET web app and the downstream REST WCF service. SWT is signed with a symmetric HMAC-SHA256 key, so the same signing key is shared among all three parties: ACS, the ASP.NET relying party, and the REST WCF relying party. Because a symmetric key lets any holder mint tokens as well as verify them, this key must be treated as a high-value secret on both relying parties and rotated if either is compromised. Another challenge is that WIF does not ship with a built-in SWT token handler. WIF's extensibility model allows custom token handlers to be built, so in this solution a custom SWT token handler is written and plugged into the WIF pipeline. The SWT token issued by ACS must be reused when the ASP.NET web app calls the REST WCF service. To allow this, the ASP.NET web app is configured to save the bootstrap token, which holds the raw representation of the original SWT token issued by ACS. The raw token is then attached to the HTTP request when calling the downstream REST WCF service, and the service validates it again with its own copy of the custom SWT handler: signature, Issuer, Audience and ExpiresOn are all checked at the backend, not just at the front end. Since the raw token is a bearer credential, the call to the REST WCF service must travel over HTTPS, and the token's lifetime bounds how long a captured token could be replayed. This is how the original identity is flowed from the end user through the tiers, from the ASP.NET web app to the REST WCF service.
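The following is an added example, not code from the original page or from ACS or WIF, showing what the custom SWT token handler has to check at each tier. It is written in Python (rather than the C# a WIF SecurityTokenHandler would be written in) because the SWT wire format is language-independent and this lets the validation logic be exercised end to end. The key, issuer, audience, claim values and timestamps are constructed for the example. The flow demonstrated is: ACS issues the token, the front end validates it and forwards the raw token unchanged, and the backend validates it again with the shared key. It also shows the three failures a handler must reject: a tampered claim, a token addressed to a different audience, and an expired token.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, unquote, urlencode

# Constructed values for the example (not real ACS namespaces or keys).
SIGNING_KEY = base64.b64decode("wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY0000000=")
ISSUER = "https://contoso-example.accesscontrol.windows.net/"
AUDIENCE = "https://www.contoso-example.com/"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NOW = 1_700_000_000  # fixed "current time" in Unix seconds so the run is deterministic


class SwtError(Exception):
    """Raised when a Simple Web Token fails validation."""


def issue_swt(claims, issuer, audience, key, lifetime_seconds, now):
    """Build an SWT the way ACS does: form-encoded claims plus Issuer,
    Audience and ExpiresOn, then an HMAC-SHA256 over everything before
    the '&HMACSHA256=' separator, base64 then URL-encoded."""
    body = urlencode({**claims, "Issuer": issuer, "Audience": audience,
                      "ExpiresOn": str(now + lifetime_seconds)})
    digest = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return body + "&" + urlencode({"HMACSHA256": base64.b64encode(digest).decode("ascii")})


def validate_swt(token, expected_issuer, expected_audience, key, now):
    """Validate an SWT and return the user claims. Every relying party
    (front end and backend alike) runs this with its own copy of the key."""
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise SwtError("token is not signed")
    body, sig_part = token[:idx], token[idx + len(marker):]
    try:
        presented = base64.b64decode(unquote(sig_part), validate=True)
    except (ValueError, base64.binascii.Error):
        raise SwtError("signature is not valid base64")
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    # Constant-time comparison: a timing-leaky compare lets an attacker
    # forge the HMAC byte by byte.
    if not hmac.compare_digest(presented, expected):
        raise SwtError("signature mismatch (tampered token or wrong key)")
    claims = dict(parse_qsl(body, keep_blank_values=True))
    if claims.get("Issuer") != expected_issuer:
        raise SwtError("unexpected issuer")
    # Audience check stops a token minted for another relying party from
    # being replayed here, even though it carries a valid signature.
    if claims.get("Audience") != expected_audience:
        raise SwtError("token not intended for this relying party")
    try:
        expires_on = int(claims["ExpiresOn"])
    except (KeyError, ValueError):
        raise SwtError("missing or malformed ExpiresOn")
    if now >= expires_on:
        raise SwtError("token expired")
    return {k: v for k, v in claims.items()
            if k not in ("Issuer", "Audience", "ExpiresOn")}


def front_end_to_backend_flow():
    """ACS issues, front end validates and forwards the raw token
    (the WIF bootstrap token), backend re-validates with the same key."""
    token = issue_swt({NAME_CLAIM: "alice", ROLE_CLAIM: "reader,writer"},
                      ISSUER, AUDIENCE, SIGNING_KEY, lifetime_seconds=600, now=NOW)
    front_end_claims = validate_swt(token, ISSUER, AUDIENCE, SIGNING_KEY, now=NOW + 5)
    # The raw token rides along on the HTTP call to the REST service;
    # the backend trusts the signature, not the front end.
    outbound_headers = {"Authorization": 'WRAP access_token="%s"' % token}
    backend_claims = validate_swt(token, ISSUER, AUDIENCE, SIGNING_KEY, now=NOW + 10)
    return token, front_end_claims, backend_claims, outbound_headers


def rejection_reasons(token):
    """Show the three classic failure modes the backend must catch."""
    reasons = {}
    tampered = token.replace("reader%2Cwriter", "reader%2Cwriter%2Cadmin")
    for label, tok, aud, now in (
        ("tampered", tampered, AUDIENCE, NOW + 10),
        ("wrong_audience", token, "https://other-service-example.com/", NOW + 10),
        ("expired", token, AUDIENCE, NOW + 601),
    ):
        try:
            validate_swt(tok, ISSUER, aud, SIGNING_KEY, now)
            reasons[label] = None
        except SwtError as err:
            reasons[label] = str(err)
    return reasons


if __name__ == "__main__":
    tok, fe, be, hdrs = front_end_to_backend_flow()
    print("backend sees:", be)
    print(rejection_reasons(tok))
```

The backend never calls the front end to ask who the user is; it trusts only what it can verify itself from the signature, the Issuer and Audience strings, and the clock. That is the property the "flow the original identity" design depends on, and it is why the REST WCF service needs its own copy of the custom SWT handler and of the signing key.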