Sladescross's Blog

Blogging about Sharepoint related stuff

OAuth July 16, 2012

Filed under: Claims Authentication,MySite,OAuth,Social — sladescross @ 10:49 pm

OAuth introduction.

So why do we care about OAuth?  Well, contrary to the PUID you get when federating directly with Windows Live, OAuth support in Windows Live allows you to get a LOT more information about the user, including – wait for it – their email address.  So the plan of attack here is basically this:

  1. Write a custom Identity Provider using the Windows Identity Foundation (WIF).
  2. When a person is redirected to our STS, if they haven’t authenticated yet we redirect them again to Windows Live.  You have to create “an application” with Windows Live in order to do this, but I’ll explain more about that later.
  3. Once they are authenticated they get redirected back to the custom STS.  When they come back, the query string includes a login token; that login token can be exchanged for an access token.
  4. The STS then makes another request to Windows Live with the login code and asks for an access token.
  5. When it gets the access token back, it makes a final request to Windows Live with the access token and asks for some basic information about the user (I’ll explain what we get back later).
  6. Once we have the user information back from Windows Live, we use our custom STS to create a set of SAML claims for the user and populate it with the user info.  Then we redirect back to whatever application asked us to authenticate to begin with to let it do what it wants with the SAML tokens.  In this particular case I tested my STS with both a standard ASP.NET application as well as a SharePoint 2010 web app.

This sample demonstrates how to add social data from other social networking sites to your MySite, how to create and use new user profile properties, and how to implement new timer jobs that are managed on your SharePoint Central Administration site. The first part of the solution requires the user to grant the SharePoint application permission to act on behalf of the user. This “opt in” process is handled by the OAuth Authentication standard that is used by LinkedIn and many other social computing sites. The signup page handles the acquisition and storage of the token that is necessary to allow the application to update the LinkedIn data. The second part of the solution is implemented as a timer job that queries for user profile changes. The timer job requires a management page, to enable and disable the timer job.

About these ads

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 63 other followers