Sometime in the last few years Facebook has gotten stupidly popular. Given the massive user base, it actually makes a little bit of sense to take advantage of the fact that you can use them as an identity provider. Everyone has a Facebook account (except… me), and you can get a fair bit of information out of it on the user.
The problem though is that it uses OpenAuth, and I, of course, don't like OpenAuth. This makes it very unlikely for me to spend any amount time working with the protocol, and as such wouldn't jump at the chance to add it into an application. Luckily ACS supports Facebook natively – AND it's easy to setup.
First things first, we need to log into our ACS management portal, and select Identity Providers under Trust Relationships. Then we need to add a new Identity Provider:
Then we need to select Facebook as the type we want to add:
Once we start filling out the details for the federation we need to get some things from Facebook directly.
There are three fields we need to worry about, Application ID, Application secret, and Application permissions. We can get the first two from the settings page of our Facebook application, which you can get to at www.facebook.com/developers/.
You should create a separate application for each instance you create, and I'll explain why in a minute.
You then need the Application permissions. This is a list of claims to request access to from Facebook. The full list can be found here: http://developers.facebook.com/docs/authentication/permissions/, but for now email will suffice.
Once you have saved this identity provider you need to create a rule for each relying party. This will define how the claims are transformed before being sent to your relying party. If you already have rules set up you can modify one:
I'm pretty content with just using the default rules, which is to just pass everything, but you need to generate them first:
Once the rules have been generated you can save the rule.
Now you can test the federation.
It should fail.
If you watched everything in Fiddler you will see a chunk of JSON returned that looks something like:
{
"error": {
"type": "OAuthException",
"message": "Invalid redirect_uri: Given URL is not allowed by the Application configuration."
}
}
This is about my warning earlier about creating a separate application for each ACS namespace. Basically, Facebook doesn't like the request for authentication because it has no idea who the requestor is. Therefore I need to tell Facebook about my application.
To do this you need to get into the Web site settings for your application Facebook:
You will need to set the Site URL property to the ACS namespace:
Given the requirement for the FQDN, you need to create an application for each namespace you decide to create.
At this point federation with Facebook should now work. If you are using the default login page you should see something like this:
And if you sign-in you should get a token from Facebook which ACS will normalize, and then return to your relying party. Based on the permissions request you set above you should see something this:
** UPDATE **
Some of you may be wondering about this AccessToken claim. Part of the ACS configuration asks for a set of permissions to request, and these permissions are tied to this access token. Instead of receiving everything within claims, you need to make a separate call to Facebook to get these details by using the access token.
Dominick Baier has a good article explaining how to accomplish this: http://www.leastprivilege.com/AccessControlServiceV2AndFacebookIntegration.aspx.
** END UPDATE **
For those of you who want to federate with Facebook but don't like the idea of writing OpenAuth goo, ACS easily simplifies the process.