Consent Tokens

Note:
This topic describes functionality that will be obsolete. This functionality is provided only to support legacy applications. Live Connect incorporates features that provide equivalent functionality.

Delegated Authentication is based on a block of information, called a consent token, that is provided to your Web site by the Windows Live ID service for a given resource provider. To obtain a consent token for use at a particular resource provider, you must first request it from the user by means of the Windows Live ID consent service. For more information about requesting a consent token, see Requesting Consent.

If the Windows Live ID user grants consent to one or more offers and actions presented by the resource provider, your Web site receives a consent token that you can then use with that resource provider to perform whatever actions the resource provider allows. For more information about offers and actions, see Offers and Actions.

Important:
Your Web site should store consent tokens in a protected location because they can be reused for a considerable length of time, depending on their expiration date.

The consent token consists of six parts, delimited by ampersand (&) characters, appended as a set of query-string parameters to the return URL that your site specified when requesting consent. A typical consent token resembles the following:

delt=...&reft=...&skey=...&offer=Contacts.View:1196725520;&exp=1196725520&lid=...

The following table describes the parts of the consent token.

Consent token element Description

delt

The delegation token, an encrypted token passed to the resource provider whenever an offer or action is invoked. The resource provider uses the delegation token to verify the consent information stored with Windows Live ID for that user. Delegation tokens expire quickly and so must be refreshed on a regular basis. Your Web site can try to refresh the delegation token before attempting to invoke any offer contained in that consent token. For more information about refreshing a delegation token, see Refreshing Consent.

For more information about delegation tokens, see Delegation Tokens.

reft

The refresh token, an encrypted token passed to the resource provider to refresh an expired delegation token. For more information about refresh tokens, see Refresh Tokens.

skey

The session key, used by the resource provider to encrypt and decrypt data when transferring it to and from Windows Live ID.

The session key is included in the delegation token. Your Web site typically does not need information about the session key.

offer

The offer list, which is a list of offers, actions, and offer expiration dates delimited by semicolon (;) characters, in the following format:

<Offer>.<Action>:<Expiry>;...

The offer expiration date in Expiry is represented as the number of seconds elapsed since January 1, 1970.

The user can explicitly grant or deny consent for offers and actions provided by a resource provider, and can also specify offer expiration dates. If an offer and action has expired, you can attempt to refresh the token for that offer and action before attempting to call the resource provider. For more information about refreshing an offer and action, see Refreshing Consent.

Consent can also be granted implicitly for certain offers and actions, depending on several factors for both the application provider and the resource provider. For more information about offers and actions, see Offers and Actions.

exp

The date and time at which the delegation token will expire. The date and time in exp is represented as the number of seconds elapsed since January 1, 1970.

If a delegation token has expired, you must refresh the consent token to receive an updated delegation token for use with the resource provider. For more information about refreshing consent tokens, see Refreshing Consent.

lid

The identifier for the location of the user's data for this resource provider.
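
The following Python code is an added example, not part of the original topic or of any Windows Live ID SDK. It splits a consent token into the six elements described in the table and reports which offers have expired and whether the delegation token must be refreshed. The names ConsentToken, parse_consent_token and parse_offer_list, the sample values, and the assumption that element values are percent-encoded are all illustrative.

```python
import time
from dataclasses import dataclass
from urllib.parse import unquote

REQUIRED = ("delt", "reft", "skey", "offer", "exp", "lid")
# Constructed sample token: placeholder values, not real Windows Live ID output.
SAMPLE = ("delt=EXAMPLE-DELT&reft=EXAMPLE-REFT&skey=EXAMPLE-SKEY"
          "&offer=Contacts.View:1196725520;Example.Read:1196800000;&exp=1196700000&lid=EXAMPLE-LID")

@dataclass
class ConsentToken:
    delt: str
    reft: str
    skey: str
    offers: dict  # "Offer.Action" -> expiry, seconds since January 1, 1970
    exp: int      # delegation token expiry, seconds since January 1, 1970
    lid: str

    def delegation_expired(self, now=None):
        return (time.time() if now is None else now) >= self.exp

    def expired_offers(self, now=None):
        now = time.time() if now is None else now
        return sorted(name for name, expiry in self.offers.items() if now >= expiry)

def parse_offer_list(raw):
    """Parse '<Offer>.<Action>:<Expiry>;...' into {'Offer.Action': expiry}."""
    offers = {}
    for entry in filter(None, raw.split(";")):
        name, sep, expiry = entry.rpartition(":")
        if not sep or "." not in name:
            raise ValueError("malformed offer entry: %r" % entry)
        offers[name] = int(expiry)  # raises ValueError if Expiry is not a number
    return offers

def parse_consent_token(raw):
    """Split on '&' only, so the ';' delimiters inside the offer list survive."""
    parts = {}
    for pair in raw.split("&"):
        key, sep, value = pair.partition("=")
        if not sep or key in parts:
            raise ValueError("malformed or duplicate element: %r" % key)
        parts[key] = unquote(value)
    missing = [k for k in REQUIRED if k not in parts]
    if missing:
        raise ValueError("consent token is missing: " + ", ".join(missing))
    return ConsentToken(parts["delt"], parts["reft"], parts["skey"],
                        parse_offer_list(parts["offer"]), int(parts["exp"]), parts["lid"])
```

Because the parsed object holds the refresh token and delegation token, it needs the same protected storage as the raw consent token and should be kept out of logs.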

Other Resources

Live Connect
