http://wp.me/p1fcz8-3fR describes my translation of the OAUTH2 delegation process, applied to the world of multiple listing services (and a 15-year-old, rather RESTful-like data service that distributes member entities and associated home listings).
For the first time, I was able to comprehend how ACS really does OAUTH - in the sense that it supports the process of a user connecting up a data-consumer site with a data-producing site via a logon and consent process. Previous samples did little for me - merely translating SAML blobs or cert blobs into SWTs... stuffed into HTTP client headers... Wow. It hardly captured the essence of OAUTH, as a blob translator and stuffer of blobs into HTTP headers (rather than WS-Trust APDUs).
Now, that particular sample has source code for its data-service side protected guard (module) - that shows ASP.NET pipeline events looking for OAUTH headers, verifying claims, and making principals. There is a partial SWT token handler, in support.
Since it's all in source, and we now have the beta of the JWT security token handler, can I just configure ACS to now mint JWTs (rather than SWTs) in the same scenario, and call the (beta) JWT security token handler from the protocol-inspecting module?