Question

I followed the official tutorial (http://msdn.microsoft.com/en-us/library/hh674475) for requesting the ACS token in exchange for the Identity Provider (Facebook) token via SWT token request.

I tried every possible thing and I'm unable to get rid of this error:

ErrorCode:400:SubCode:T1019:Detail: Inavlid SWT token. The wrap_assertion value is not a SWT assertion

Note:

  1. I have already verified Issuer = [Realm under Edit Identity Provider page]
  2. Signing key is the same symmetric key as shown under Token signing key
  3. I am also wrapping the Facebook access token as a claim in my SWT token to the ACS endpoint in order to get an ACS token in return.

Correct me if I am doing something wrong. Yeah, I googled a lot about this but found nothing to resolve it!

P.S: I have also tried Password Token request with my Service Identity and it just works fine.

Solution 2

Your problem seems to be that you're dealing with Facebook directly and then giving ACS the access token. That's not the ACS model for Facebook. The basic model is that ACS deals with Facebook first, not your app. The way this works is:

  1. The end user requests an access token from Facebook. This happens either directly through ACS (for example, by making a WS-Federation sign-in request) or to a URL specified by ACS (through IdentityProviders.js).
  2. The user logs in at Facebook.
  3. The auth code is sent to ACS.
  4. ACS exchanges the auth code for an access token and retrieves some user data. This is run through rules, packaged into a token, and sent to your RP. One of the claims in this token is the access token, which your RP can then use to make further Facebook calls.

ACS doesn't support a model where you get the access token yourself, which seems to be what you're trying to do.

OTHER TIPS

Two things will fail here.

First is that I doubt Facebook gives you a valid SWT token. They give just a signed string which they call a "token". And this thing is not a valid SWT token that can be used as an SWT token in other STSes (such as ACS). (I might be wrong here, as I am not an expert in FB, but given these errors, it is very likely that I am correct.) So, if the token from FB is not a valid SWT token, your story ends here.

The next thing is that you are generating the SWT token on your end, meaning that now you are signing the token. But you say you need to transform a token from Facebook. Well, there is no way for you to sign a token with Facebook's signing key! You are signing the token with your ACS's key, which makes it invalid, because you present it as Facebook's token.

In short - you cannot use the Facebook Graph API token in the way you are trying to. Please describe the wider problem you are trying to solve, so we can provide adequate help.
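Both answers turn on what an SWT assertion is, so the following added example (not code from the original posts or from ACS) checks a candidate `wrap_assertion` string against the Simple Web Token layout: form-encoded pairs including `Issuer`, `Audience` and `ExpiresOn`, ending in an `HMACSHA256` pair computed over everything before it. The function names, key and sample tokens are constructed for illustration, and ACS's own validation rules are not shown on this page, so a string that passes here may still be rejected by ACS.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlencode

REQUIRED = ("Issuer", "Audience", "ExpiresOn")  # reserved SWT names
SIG = "&HMACSHA256="                            # must be the final pair

def check_swt(assertion, key, now=None):
    """Return the reasons a string is not a valid SWT (empty list = OK)."""
    now = time.time() if now is None else now
    body, sep, sig = assertion.rpartition(SIG)
    if not sep:
        return ["no trailing HMACSHA256 pair: not an SWT assertion"]
    pairs = dict(parse_qsl(body, keep_blank_values=True))
    problems = [f"missing {n}" for n in REQUIRED if n not in pairs]
    exp = pairs.get("ExpiresOn", "")
    if exp.isdigit() and int(exp) <= now:
        problems.append("expired")
    # The signature covers the exact bytes that precede &HMACSHA256=.
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        presented = base64.b64decode(unquote(sig), validate=True)
    except ValueError:
        presented = b""
    if not hmac.compare_digest(expected, presented):
        problems.append("HMACSHA256 does not match the verifier's key")
    return problems

def make_swt(claims, key):
    """Build a constructed sample SWT for exercising check_swt."""
    body = urlencode(claims)
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + SIG + quote(base64.b64encode(mac).decode(), safe="")

# Constructed sample values, not real keys or tokens.
KEY = b"constructed-demo-key"
OPAQUE = "constructed-opaque-access-token-value"
CLAIMS = {"Issuer": "https://idp.example.invalid/",
          "Audience": "https://rp.example.invalid/",
          "ExpiresOn": "4102444800"}

if __name__ == "__main__":
    print(check_swt(OPAQUE, KEY))
    print(check_swt(make_swt(CLAIMS, KEY), KEY))
    print(check_swt(make_swt(CLAIMS, b"some-other-key"), KEY))
```

The first call shows why an opaque access token fails before any key is consulted, and the third shows the second answer's point: a well-formed SWT is still rejected when it is signed with a key other than the one the verifier holds for that issuer.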

Licensed under: CC-BY-SA with attribution