Obtaining User Consent

Current information about Live Connect is now available in the Windows Live Developer Center. The information in the following sections is provided for legacy purposes only.

With Windows Live Messenger Connect, users control access to their data. Your website cannot access any of a user's information from Windows Live without prior consent from that user. You should request permission for and use only the minimum amount of data necessary to complete a particular scenario. Here are some examples:

  • If a user is signing up at your site and your scenario supports importing information about the user’s friends for viewing purposes only—that is, if this information can be viewed on your site but cannot be changed there—request permission to access only the user's profile and friends, and only for viewing.
  • If your site enables users to view and update information about their activities, ask for permission to update activity information but not other Windows Live user data.

Messenger Connect provides access to an authenticated user's data by using scopes. For details, see Messenger Connect Scopes.

The permission that the user grants is valid for one year, unless the user clears the Connect Automatically check box in the consent user interface. (The check box is selected by default.) After the user clears the check box, your site will have access for only three more hours. The user can also go to http://consent.live.com to revoke permissions at any time.

After the access token expires or the user revokes permission, further attempts to access the user's data are denied (a 401 Unauthorized error is returned). To regain access, your site must obtain permission from the user again. If your site needs to access the Windows Live resources when the user is not present or without the user seeing the Messenger Connect consent screen again, you can store the access token with the user's profile.

If a user chooses not to grant permission, your site must handle the exception flow. For example, as part of the exception flow, your site may optionally request user permission for a reduced scope as appropriate. Note that users have no way to grant or reject individual permissions on the consent screen; the client (your site) controls the scope of the request.
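
The following added example (not part of the original Messenger Connect documentation) shows one way a site could track the consent lifetime, the 401 handling, and the reduced-scope exception flow described above. The scope strings, scenario names, and function names are hypothetical placeholders, and a year is assumed to be 365 days.

```javascript
// Added example. Scope strings and function names are hypothetical placeholders,
// not Messenger Connect identifiers. A year is assumed to be 365 days.
const HOUR_MS = 60 * 60 * 1000;
const YEAR_MS = 365 * 24 * HOUR_MS;

// Minimum scope sets per scenario, ordered from the preferred request
// to the reduced request offered after the user declines.
const SCOPE_LADDER = {
  importFriends: [["profile.view", "friends.view"], ["profile.view"]],
  updateActivities: [["activities.update"]],
};

// Record a grant. connectAutomatically mirrors the consent check box,
// which is selected by default; cleared means three more hours of access.
function recordGrant(scopes, grantedAt, connectAutomatically = true) {
  const lifetime = connectAutomatically ? YEAR_MS : 3 * HOUR_MS;
  return { scopes: [...scopes], grantedAt, expiresAt: grantedAt + lifetime };
}

// Decide the next step from the stored grant and the last HTTP status.
// A 401 means the token expired or the user revoked permission, so the
// stored grant is dropped and consent must be obtained again.
function nextStep(grant, httpStatus, now) {
  if (!grant || now >= grant.expiresAt || httpStatus === 401) {
    return { action: "request-consent", grant: null };
  }
  return { action: "proceed", grant };
}

// After a declined request, return the next smaller scope set for the
// scenario, or null when there is nothing smaller to ask for.
function fallbackScopes(scenario, declinedScopes) {
  const ladder = SCOPE_LADDER[scenario] || [];
  const key = [...declinedScopes].sort().join(" ");
  const i = ladder.findIndex((s) => [...s].sort().join(" ") === key);
  return i >= 0 && i + 1 < ladder.length ? ladder[i + 1] : null;
}
```

Because the consent screen does not let users accept or reject individual permissions, the fallback ladder is the only place where the request can be narrowed, so each scenario should start from the smallest set it can work with.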

The consent user experience progresses as follows:

  1. Your website renders a Sign In button either by means of HTML or by using the Messenger Connect <wl:signin> tag. If you use the <wl:signin> tag, you can add an attribute that displays the Sign In button only if a Windows Live cookie exists. (Cookies are created during the authentication process.)
  2. The user sees the Messenger Connect button on your site and clicks the Sign In button.
  3. A pop-up window opens, as shown in the following figure. It includes your logo and links to your Terms of Service and Privacy Statement pages. Here, you must clearly explain what you plan to do with the permission that the user will grant.
  4. The user can click What will I share? to see each permission that you are requesting.
    Figure: Requesting permission for sharing information