Access Control Service V2 and Facebook Integration

I haven’t been blogging about ACS2 in the past because it was not released and I was kinda busy with other stuff. Needless to say I spent quite some time with ACS2 already (both in customer situations as well as in the classroom and at conferences).

ACS2 rocks! It’s IMHO the most interesting and useful (and most unique) part of the whole Azure offering!

For my talk at VSLive yesterday, I played a little with the Facebook integration. See Steve’s post on the general setup.

One claim that you get back from Facebook is an access token. This token can be used to directly talk to Facebook and query additional properties about the user. Which properties you have access to depends on which authorization your Facebook app requests. You can specify this in the identity provider registration page for Facebook in ACS2. In my example I added access to the home town property of the user.

Once you have the access token from ACS you can use e.g. the Facebook SDK from Codeplex (also available via NuGet) to talk to the Facebook API.

In my sample I used the WIF ClaimsAuthenticationManager to add the additional home town claim. This is not necessarily how you would do it in a “real” app. Depends ;)

The code looks like this (sample code!):

public class ClaimsTransformer : ClaimsAuthenticationManager
public override IClaimsPrincipal Authenticate(
string resourceName, IClaimsPrincipal
return base
.Authenticate(resourceName, incomingPrincipal);

if (incomingPrincipal.TryGetClaimValue(
"", out
home = GetFacebookHometown(accessToken);
if (!string
new Claim(""
, home));
{ }


     private string GetFacebookHometown(string token)
var client = new FacebookClient
dynamic parameters = new ExpandoObject
        parameters.fields =
dynamic result = client.Get(“me”
, parameters);


This entry was posted in IdentityModel. Bookmark the permalink.

2 Responses to Access Control Service V2 and Facebook Integration

  1. Michael says:

    Hi Dominick. I have tinkered with ACS a bit. Can we hook a custom membership provider through it? If i want to authenticate through it will ACS lets say issue a SAML token against a membership provider table?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s