Overview of OAuth WRAP

Current information about Live Connect is now available in the Windows Live Developer Center. The information in the following sections is provided for legacy purposes only.

The information that users store in Windows Live services, such as Windows Live Contacts, can be private and confidential. As a result, third-party applications that want to access this information must have the consent of the user.

To ensure that applications can access a user's information only with that user's consent, the Windows Live SDK uses OAuth Web Resource Authorization Protocol (WRAP). OAuth WRAP uses an exchange of tokens over SSL to protect a user's information. These tokens are issued after the user is asked to approve, or consent to, the application's access. This approval is limited in duration and in the type of information that the application can access. For example, a user might allow one application to view and update contacts, while allowing another application to access Windows Live Messenger functions, such as online status.

OAuth WRAP is straightforward to implement in an application. The following diagram illustrates the flow of information during a typical exchange that uses OAuth WRAP.

Figure: OAuth WRAP process flow

The basic authorization flow for OAuth WRAP is as follows:

  1. The user accesses an application.
  2. The user is directed to the Windows Live consent service (https://consent.live.com/Connect.aspx) to acquire a verification code.
  3. The user consents to allow the application to access information that is stored in a Windows Live service.
  4. The user is returned to the application with a verification code.
  5. The application uses the verification code to contact the Windows Live access token endpoint (https://consent.live.com/AccessToken.aspx).
  6. The Windows Live consent service returns an access token and a refresh token to the application.
  7. The application uses the access token to acquire user data from a Windows Live service, such as Windows Live Messenger.
  8. When the access token expires, the application uses the refresh token to get a new access token through the refresh token endpoint (https://consent.live.com/RefreshToken.aspx). This process continues until the user's consent expires. At that point, the application can ask the user to renew that consent through the Windows Live consent service.
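
The client-side checks this flow depends on, as an added example that is not Microsoft's or the Windows Live SDK's code: it builds the consent redirect from step 2, validates the callback from step 4, and parses a token response from steps 6 and 8. The `wrap_*` parameter names come from the OAuth WRAP draft specification and are assumed to be what the Live endpoints accept; the function names are hypothetical and the HTTP calls themselves are left out so the block runs offline.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

CONSENT_URL = "https://consent.live.com/Connect.aspx"  # endpoint named on this page

def build_consent_redirect(client_id, callback, scope):
    """Step 2: return the consent URL and the state value to store in the session."""
    state = secrets.token_urlsafe(16)  # unguessable, binds the callback to this browser
    query = urlencode({
        "wrap_client_id": client_id,  # wrap_* names: OAuth WRAP draft (assumed here)
        "wrap_callback": callback,
        "wrap_scope": scope,
        "wrap_client_state": state,
    })
    return f"{CONSENT_URL}?{query}", state

def read_callback(callback_url, expected_state):
    """Step 4: hand back the verification code only if the state round-tripped."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("wrap_client_state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    codes = params.get("wrap_verification_code", [])
    if len(codes) != 1:
        raise ValueError("no single verification code: consent denied or malformed")
    return codes[0]

def parse_token_response(body, now=None):
    """Steps 6 and 8: parse the form-encoded body returned by a token endpoint."""
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if "wrap_access_token" not in fields:
        raise ValueError("token response carries no access token")
    now = time.time() if now is None else now
    # The lifetime field is optional in the draft; a missing value counts as expired.
    lifetime = int(fields.get("wrap_access_token_expires_in", 0))
    return {
        "access_token": fields["wrap_access_token"],
        "refresh_token": fields.get("wrap_refresh_token"),  # absent on some refreshes
        "expires_at": now + lifetime,
    }

def needs_refresh(tokens, now=None, skew=60):
    """Step 8: refresh slightly early so a request never carries an expired token."""
    now = time.time() if now is None else now
    return now >= tokens["expires_at"] - skew
```

The state check in `read_callback` is what stops a verification code obtained in someone else's session from being attached to the current user's account.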

To learn about OAuth WRAP, see the OAuth WRAP specification at http://go.microsoft.com/fwlink/?LinkId=194166.