Core Concepts of Delegated Authentication

Delegated Authentication is a protocol that enables a service to act on a client's behalf when connecting to a network service. By using Delegated Authentication, a Web site can read, write, delete, and update a user's data at a resource provider, within the scope the user has consented to. This topic briefly explains how Delegated Authentication works in the context of Windows Live™ and shows how it should be implemented in a Web application.

Delegated Authentication is based on a block of information, called a consent token, that is provided to your Web site by the Windows Live ID service for a given resource provider (such as contacts and photos). To obtain a consent token for use at a particular resource provider, you must first request it from the user by means of the Windows Live ID consent service. Your application must then manage the authentication data that is returned. For detailed information about how to request and manage consent, see the Windows Live Delegated Authentication SDK.

Delegated Authentication is handled in the following phases: requesting consent, processing consent, and refreshing consent. At any time, Windows Live ID users can manage the consent they have previously granted for access to their data.

Requesting Consent

You request consent for specific offers and actions from a resource provider by sending consent information to the consent-request URL for the Windows Live ID consent service. The consent service then displays the consent-request user interface (UI) to the Windows Live ID user, enabling him or her to grant or deny consent to the requested offers and actions. The consent service then returns a response to your Web site's return URL (RU).

The request URL is in the following format:

https://consent.live.com/Delegation.aspx?RU=...&ps=...&pl=...

RU — The URL of the page on your Web site to which the consent service redirects users (along with the action, consent token, and application context) after they have successfully provided consent information.

ps — A comma-delimited list of permissions, describing the offers and actions provided by the resource provider to which you are requesting access.

pl — The URL of the page on your Web site, called the privacy policy URL, to which the Windows Live ID consent service redirects users to view the privacy policy of your Web site.

For more information about the request URL, see Requesting Consent.

Processing the Consent Token

After the user grants consent, the Windows Live ID consent service returns a consent token to your return URL. It is structured as follows:

delt=...&reft=...&skey=...&offer=Contacts.Read:1196725520;&exp=1196725520&lid=...

Your application must parse the consent token, and then URL-decode (and, for the encrypted portions, decrypt as the SDK shows) the various portions to get the required data. The token is a URL-escaped string of name=value pairs, so the ampersand (&) and equals sign (=) separators arrive as %26 and %3d. The delegation token, refresh token, and session key values are base64 encoded and are URL-escaped a second time inside the token, which is why a base64 "/" appears as %252F in the sample refresh response shown later in this topic. The Windows Live Delegated Authentication SDK has an example application that demonstrates how to do this.

The consent token contains the following information.

  • Delegation token (delt) — an encrypted token passed to the resource provider whenever an offer or action is invoked. The resource provider uses the delegation token to verify the consent information stored with Windows Live ID for that user. Delegation tokens expire quickly, so they must be refreshed on a regular basis.
  • Refresh token (reft) — an encrypted token passed to the Windows Live ID consent service (see Refreshing Consent) to obtain a new delegation token when the current one has expired.
  • Session key (skey) — used by the resource provider to encrypt and decrypt data when transferring it to and from Windows Live ID. The session key is included in the delegation token. Your Web site typically does not need it.
  • Offer — a list of offers, actions, and offer expiration dates, delimited by semicolon (;) characters, in the following format: <Offer>.<Action>:<Expiry>;... Several actions on one offer can be listed with commas and share a single expiry, as in Contacts.View,Contacts.Update:1228350847 in the sample refresh response shown later in this topic.
  • Expiry (exp) — the date and time at which the delegation token will expire, represented as the number of seconds elapsed since January 1, 1970 (UTC). If a delegation token has expired, you must refresh the consent token to receive an updated delegation token for use with the resource provider.
  • LID (lid) — the identifier for the location of the user's data for this service.

Requesting User Data

When a request for user data is made, the request header must contain an up-to-date delegation token, and the request URL must contain the LID for the service being requested. An example follows.

// Request URL:
https://service.live.com/@C@[SignedIntLID]/ServiceName
// Request (authorization) header:
Authorization: DelegatedToken dt="[delegation token]"
Note:
The LID must be passed as a signed int64 value, and preceded by "@C@". The lid field is a hexadecimal string; interpreting it as a signed 64-bit integer means a value with its top bit set becomes negative, which is expected. The following snippet demonstrates how to convert the value.
long SignedIntLid = Int64.Parse(lid, System.Globalization.NumberStyles.HexNumber);

Refreshing Consent

Your application must check the expiry of the delegation token and refresh it when it has expired, or is about to. Do this by calling the refresh URL:

https://consent.live.com/RefreshToken.aspx?RU=...&ps=...&reft=...

The refresh URL carries your return URL (RU), the permissions being requested (ps), and the refresh token (reft). Unlike requesting consent, refreshing consent displays no user interface, and no redirect to the return URL is needed to receive the consent token. Instead, the consent-refresh URL returns a direct response to your Web site in the form of JavaScript Object Notation (JSON) output. The response contains either the refreshed consent token for your Web site or a string containing a 32-bit integer value that represents the error code for the error that occurred, so check for the ConsentToken member before attempting to parse the token. The following sample JSON response shows a refreshed consent token; note that it also carries a sig field, which is not among the fields listed under Processing the Consent Token:

{"ConsentToken":"delt%3dEwCoARAnAAAUgxwUrFTrj0j98kTTv4OX%252FOkhSc2AADHt9dXtiWa4afIM1AtKBgDzW2LOYBmExjIAumf%252B33MyPpGSnwrmtOc2aKG0Oz008Jg6a9Ss8a6L4zi8Za9gT85eqqdS0HNJZW9xAUoD2MOqUz7RxqY%252FpNhAWm6ndhFTj9VWWZYi7zIJJU7RgrIXEJrmQsHSKN1%252B2Iot56mknEECA2YAAAi5VYs8bPiGofgAEiVBGu8ve8kv459FJn8ioXFJMR4f5EYNJqxMXG8tZhe87ylkvESebImX%252B4T8EGxxgDBTTHmEnK5PtoxJDTLJCSz4UJwRPAS0KW2H5TIi7Ecu6dZ5FbspeKlPCi7pxjevW1WAHuoJY9oow%252FgUCZhcxCusUg2Cg6LmpSm0KwacVzaXLEOwwpfUXtFSwpPsU8w8G9syt4%252F0k1W4HJmdrqU1xqHO7ZEX3JBWpKBscNbKr5z3qCkO2tpW%252BBjFEgy8w%252Fc5wb66At7V4Vs1ccbiBJ7pC%252F0VjyfzKfBYNP2zniAmepap2jY780q73Czc10w0bfMr54cKMaDrK6kAAA%253D%253D%26reft%3dF7BJdi2ojtPWXv7qVCKrhD0kU35Rf1k4wz0nFxgB33czSkOgk0Ht5n8LGLZW2Mgo06dpFYonRF0e0hasWS91l37cf8sq2NaxyXJASrEdKoYOApPUBI6RqYnDSBgkNqKPQtUbIN%252F%252FXQ%252B7qUnzyWvnSA%253D%253D%26skey%3diS30MXEnIJj7K6HpwUBrXR5isE9rN9zq%26offer%3dContacts.View,Contacts.Update%3a1228350847%26exp%3d1196836447%26sig%3dC1itgV6AL7%252F%252BJFnML1unjGZ6nNNjQsrb8%252BcTtmNAzp8%253D"}
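The steps described under Processing the Consent Token, Requesting User Data and Refreshing Consent, carried through in one runnable example. This is added example code, not code from the Delegated Authentication SDK or from Microsoft; it uses only the Python standard library. The JSON response it parses is constructed to match the field layout of the sample above: the delt and reft blobs are short placeholder base64 strings, the lid value is an arbitrary hexadecimal with its top bit set, and the offer and exp values are the ones shown on this page. The code also assumes that the dt value in the Authorization header is the URL-decoded delt string, that a 60-second clock skew is acceptable, and that any refresh response without a ConsentToken member is the error case; the service name Contacts used in the usage note is illustrative.

```python
"""Consent-token handling for Windows Live Delegated Authentication
(added example, not code from the Delegated Authentication SDK)."""
import base64
import json
import time
from urllib.parse import unquote

# Constructed sample in the layout of the page's JSON refresh response:
# delt/reft are placeholder base64 blobs (real ones are opaque ciphertext),
# offer and exp are the page's values, lid is an arbitrary hex with top bit set.
SAMPLE_REFRESH_RESPONSE = (
    '{"ConsentToken":"delt%3d%252B%252F%252B%252FAA%253D%253D'
    '%26reft%3dcmVmcmVzaA%253D%253D'
    '%26skey%3diS30MXEnIJj7K6HpwUBrXR5isE9rN9zq'
    '%26offer%3dContacts.View,Contacts.Update%3a1228350847%3bContacts.Read%3a1196725520%3b'
    '%26exp%3d1196836447'
    '%26lid%3d8A1B2C3D4E5F6071"}'
)


def parse_consent_token(raw_token):
    """Split a consent token into its fields. The token is URL-escaped once
    as a whole (& and = arrive as %26/%3d) and each base64 value is escaped
    again inside it, hence %252F for '/' in the sample: undo the outer
    layer, split on the separators, then undo the inner layer per value."""
    fields = {}
    for pair in unquote(raw_token).split("&"):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed consent-token field: {pair!r}")
        fields[name] = unquote(value)
    for required in ("delt", "reft", "offer", "exp"):
        if required not in fields:
            raise ValueError(f"consent token lacks {required}")
    if not fields["exp"].isdigit():
        raise ValueError(f"exp is not a Unix timestamp: {fields['exp']!r}")
    for blob in ("delt", "reft", "skey"):  # reject corrupted blobs early
        if blob in fields:
            base64.b64decode(fields[blob], validate=True)
    return fields


def parse_offers(offer_field):
    """Turn 'Offer.Action,Offer.Action:Expiry;...' into {permission: expiry}."""
    grants = {}
    for entry in offer_field.split(";"):
        if not entry:  # the list may end with ';', as in the page's sample
            continue
        perms, sep, expiry = entry.rpartition(":")
        if not sep or not expiry.isdigit():
            raise ValueError(f"malformed offer entry: {entry!r}")
        for perm in perms.split(","):
            offer, dot, action = perm.partition(".")
            if not (dot and offer and action):
                raise ValueError(f"malformed permission: {perm!r}")
            grants[f"{offer}.{action}"] = int(expiry)
    return grants


def needs_refresh(fields, now=None, skew_seconds=60):
    """True if the delegation token has expired or will within skew_seconds
    (exp is seconds since 1970-01-01 UTC; the skew avoids in-flight expiry)."""
    now = time.time() if now is None else now
    return int(fields["exp"]) <= now + skew_seconds


def to_signed_int64(lid_hex):
    """Reinterpret the hex LID as a two's-complement int64, the same result
    as Int64.Parse(lid, NumberStyles.HexNumber) in the text."""
    digits = lid_hex.strip()
    if not 1 <= len(digits) <= 16 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"LID must be 1-16 hex digits: {lid_hex!r}")
    value = int(digits, 16)
    return value - (1 << 64) if value >= (1 << 63) else value


def build_data_request(fields, service_name, base_url="https://service.live.com", now=None):
    """Return (url, headers): signed LID after '@C@' in the path, delegation
    token in the Authorization header. An expired token is refused, not sent."""
    if needs_refresh(fields, now):
        raise ValueError("delegation token expired; refresh consent first")
    url = f"{base_url}/@C@{to_signed_int64(fields['lid'])}/{service_name}"
    headers = {"Authorization": f'DelegatedToken dt="{fields["delt"]}"'}
    return url, headers


def handle_refresh_response(body):
    """Parse the consent-refresh JSON. The page does not show the error shape,
    so anything without a ConsentToken member is surfaced as the error case."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or "ConsentToken" not in doc:
        raise RuntimeError(f"consent refresh failed: {body!r}")
    return parse_consent_token(doc["ConsentToken"])
```

Calling handle_refresh_response(SAMPLE_REFRESH_RESPONSE) yields the field dict, and parse_offers on its offer field gives {"Contacts.View": 1228350847, "Contacts.Update": 1228350847, "Contacts.Read": 1196725520}. Because the sample exp falls in December 2007, build_data_request(fields, "Contacts") refuses to build a request unless a now value earlier than that expiry is supplied, which is the behaviour you want in production: an expired delegation token should trigger a refresh, never a call to the resource provider. The two's-complement conversion in to_signed_int64 matches the Int64.Parse snippet above, so a LID with its top bit set becomes a negative number after @C@.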

Managing Consent

At any time, Windows Live ID users can manage the consent they have previously granted for access to their data. Consent management includes the following.

  • Revoking consent for offers and actions
  • Changing granular permission settings for offers and actions

Following is the URL of the Windows Live ID consent-management page, to which you can direct users who want to review or revoke what they have granted.

https://consent.live.com/ManageConsent.aspx
© 2009 Microsoft Corporation. All rights reserved.