I did write a post a few weeks ago that described how to enable anonymous access to SQL Azure OData feeds (Consuming SQL Azure Data with the OData SDK for PHP), but I had a few things to learn about AppFabric access control before I felt comfortable writing about authenticated access to these feeds.

He starts from the Azure side, creating a sample OData feed and adding permissions to only allow access to a specific (database) user for the feed. You'll use a set of data to connect to the feed - a username, a secret key, an issuer name and the OData endpoint address. Then, using the OData SDK he shows how to generate the needed classes with the automatic tool and use them to connect to the endpoint and retrieve data from the feed. He also includes a little snippet for those that might not want to use the SDK - an example using curl to connect and authorize the session.

I will again build a barpatron.php client (i.e. a customer) that requests a token from the AppFabric access control service (ACS) (the bouncer). Upon receipt of a token, the client will present it to the bartender.php service (the bartender) to attempt to access a protected resource (drinks). If the service can successfully validate the token, the protected resource will be made available.

You'll need to have an Azure instance set up and have already set up the scripts from his previous post to follow along. He updates the scripts to enhance with token checking and allowing the "patron" to request a token. Complete code is available for download.

In a post I wrote a couple of weeks ago, Consuming SQL Azure Data with the OData SDK for PHP, I didn't address how to protect SQL Azure OData feeds with the Windows Azure AppFabric access control service because, quite frankly, I didn't understand how to do it at the time. What I aim to do in this post is share with you some of what I've learned since then. I won't go directly into how to protect OData feeds with AppFabric access control service (ACS, for short), but I will use PHP to show you how ACS works.

He illustrates with an example from another blog about a night club with a bartender, bouncer and checking wristbands to make sure the patrons are allowed to drink. In this case, the "bouncer" is the Access Control Service, a built-in feature of your Azure instance. He shows how to set it up, configure policies and the PHP code for both sides of the equation - the "bouncer" to change the certification sent and the user with a "wristband" to send the credentials on connect.