Windows Azure Access Control Service (ACS) part 1: Get token in WP7 client

By: Nicklas Møller Jepsen

While working on a project for WP7 where a backend is required I needed to implement some sort of security on the server. As the server is being hosted in Windows Azure I looked into ACS. At first it did look a bid “over configured” meaning there is a lot of documentation on how to use it and what you can actually do with it. Facebook, Google, Windows Live login etc. For my purpose I just needed a simple way off securing my REST service and after some reading I thought I would give ACS a try.

Steps involved:
  • Create a REST ACS enabled WCF service (will post about this subject later)
  • Configure ACS (Windows Azure Portal)
  • Request token on client (this post ;))
This first post about ACS is about the last step in the above list. The reason for not starting from the top is that I couldn’t seem to find any decent guides on how to implement a simple ACS client/consumer on Windows Phone. Therefore the bottom up concept :)

To actually configure ACS to Issue a SWT Token to be using I followed this well explained MSDN article - scroll to the 2. part ‘Step 2 – Configure ACS to Issue a SWT Token’

Btw. in the examples below I’m using RestSharp a very simple to use REST library for both WP7/SL, WinForms, etc.

And now back to the topic – WP7 ACS token consumer:

The basic concept of authorizing against a WCF ACS secured service is that you send an “Authorization” header in the request:

request.AddHeader("Authorization", token.TokenString);

But of course you need to now the token to put in the header.

To make sure we have the token, the following is executed before the actual REST call:

RestClient client = new RestClient(
string.Format("https://{0}.{1}", serviceNamespace, accesscontrol.windows.net));
RestRequest treq = new RestRequest("/WRAPv0.9");
treq.Method = Method.POST;
treq.AddParameter("wrap_name", uid);
treq.AddParameter("wrap_password", pwd);
treq.AddParameter("wrap_scope", realm);
client.ExecuteAsync(treq, (re) =>
// Get expiration
string expiry = result
.Single(value => value.StartsWith("wrap_access_token_expires_in", StringComparison.OrdinalIgnoreCase)).

// Get Access Token
result = HttpUtility.UrlDecode(
.Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))

token = new AcsToken()
ExpirationDate = DateTime.Now.AddSeconds(Int32.Parse(expiry)),
TokenString = string.Format("WRAP access_token="{0}"", result),

Now the token is stored in a local variable ‘token’ where it is possible to check if it is expired and to get the token string which the can be used to put in the header of coming requests against the ACS secured WCF REST service.

And just for as a ending note; here’s the Token type:

class AcsToken
public string TokenString { get; set; }
public DateTime ExpirationDate { get; set; }

public bool IsExpired
return DateTime.Now > ExpirationDate;

That’s it for this part of the ACS post series. More will follow :)