The Web Authentication Flow
Figure 1 shows the Web authentication flow:
Figure 1. Web Authentication Flow: The figure shows how credentials and authentication tokens flow from a web application to Windows Live and back.
- A user visits your Web site.
- Your site displays a sign-in link in an IFRAME element.
- The user clicks the sign-in link.
- Windows Live ID returns the sign-in page.
- The user supplies Windows Live ID credentials on the sign-in page and submits the form.
- Windows Live ID validates the user's credentials.
- The Windows Live ID authentication server redirects the user to your site along with an authentication token as a form post parameter. This token is proof that Windows Live ID has verified the user's identity. Your site can decrypt this token to obtain the user's unique site-specific identifier.
- Your site uses the unique site-specific identifier to store or display protected or personalized content. You can also incorporate the Live Contacts Control and Live Spaces Photo Controls into your site.
System Requirements for Web Authentication
Web Authentication uses industry-standard HTTP protocols and does not depend on any precompiled or executable components. You can implement it on any Web-development platform. The SDK provides samples for ASP.NET, Perl, Java, Ruby, Python, and PHP. It uses the standard encryption algorithm available on these platforms.
Getting Started with Web Authentication
Do the following to start using Windows Live Web Authentication in your Web application:
- Register your Web application.
- Display the sign-in/sign-out link.
- Handle responses from the Windows Live ID authentication server to implement login, logout, and clear cookie.
- Incorporate Windows Live Controls.
- Integrate with Windows Live APIs to access other Live services via delegation.
Registering Your Web Application
To use Windows Live ID Web Authentication on your site, you must use a valid Live ID to register your Web site with Microsoft as an application. The Windows Live ID application management page assists you with the registration process, issues you an application ID for use with the service, and provides a place for you to manage all the applications you register.
When you register your application, you must provide the following information:
- Application Name: The unique and friendly name you use to refer to your application.
- Return URL: The URL of the page on your Web site that handles responses from the Windows Live ID authentication service. The service redirects users and their authentication tokens to this URL after they have successfully signed in, signed out, or cleared their cookies.
- Secret Key: A secret key shared between you and Windows Live ID, used to encrypt and sign all tokens that Windows Live ID sends to your site. The secret key must be in the format specified by Windows Live ID. Choose one that is difficult to guess, and create security procedures to manage this key.
Displaying the Sign-in/Sign-out Link
You need to insert the sign-in/sign-out link into your page to incorporate Windows Live ID. To do that, include the following HTML code in your site, replacing the values for appid, context, and style with the proper values for your implementation:
appid is the application ID you received when you registered your site. context is the parameter holding the user state for your application; it is returned in the response from the Windows Live ID authentication server so that you can preserve user state across the authentication. style is the set of attributes that makes the sign-in IFRAME element fit your site visually.
Handling Responses from Windows Live ID
When Live ID users successfully sign in to or out of your site, the Windows Live ID authentication service responds and redirects them to the return URL you specified when registering your Web application. This URL must correspond to a dynamic page that receives and appropriately processes this response.
The response has an action query-string parameter that tells your site what it needs to do. Here is the list of possible action values and what your site must do:
- login: Your site extracts the user's encrypted authentication token from the HTTP POST response and stores it in a session cookie to keep the user signed in to your site across multiple page views.
- clearcookie: Your site clears the session cookie you created at sign-in, and returns a Graphics Interchange Format (GIF) image to the service to indicate that the user has been signed out.
- logout: Your site clears the session cookie and redirects the signed-out user to a page on your site that is appropriate for unauthenticated users. Listing 1 demonstrates the handling of the different actions.
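Listing 1 is not reproduced on this page. The following is an added example, not the SDK's sample code, of a return-URL handler that dispatches on the three action values, validates the token before trusting it, and sets the session cookie with defensive attributes. The token layout it verifies is a constructed HMAC-signed stand-in rather than the real Windows Live ID token format, and the stoken parameter name, cookie name, redirect targets, application ID and secret key are assumed placeholders; use the SDK's own token library for the real decryption and signature check.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, urlencode

APP_ID = "EXAMPLE_APP_ID"             # placeholder for the application ID issued at registration
SECRET_KEY = "example-shared-secret"  # placeholder for the shared secret key
SIG_KEY = hashlib.sha256(b"SIGNATURE" + SECRET_KEY.encode()).digest()  # signing key derived from the secret
TOKEN_MAX_AGE = 600                   # seconds after issue during which a token is still accepted
COOKIE = "webauthtoken"               # assumed session cookie name
GIF_1X1 = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")

def mint_token(uid, ts, key=None):
    # Constructs sample input only: Windows Live ID, not your site, issues real tokens.
    body = urlencode({"appid": APP_ID, "uid": uid, "ts": ts})
    sig = hmac.new(key or SIG_KEY, body.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{body}&sig={sig}".encode()).decode().rstrip("=")

def decode_token(token, now=None):
    """Verify the token's signature, issuer and age; return its fields, or None if rejected."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    body, sep, sig = raw.rpartition("&sig=")
    expected = hmac.new(SIG_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    now = time.time() if now is None else now
    if fields.get("appid") != APP_ID:           # token minted for some other application
        return None
    if not fields.get("ts", "").isdigit() or not 0 <= now - int(fields["ts"]) <= TOKEN_MAX_AGE:
        return None
    return fields

def handle_response(action, form, now=None):
    """Dispatch on the action query-string parameter; returns (status, headers, body)."""
    expired = f"{COOKIE}=; Path=/; Max-Age=0"
    if action == "login":
        token = form.get("stoken", "")          # assumed name of the POSTed token parameter
        if decode_token(token, now) is None:
            return 403, {}, b"invalid token"
        cookie = f"{COOKIE}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
        return 302, {"Set-Cookie": cookie, "Location": "/home"}, b""
    if action == "clearcookie":                 # clear the session and answer with a GIF image
        return 200, {"Set-Cookie": expired, "Content-Type": "image/gif"}, GIF_1X1
    if action == "logout":
        return 302, {"Set-Cookie": expired, "Location": "/"}, b""
    return 400, {}, b"unknown action"
```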
Incorporating Windows Live Controls
Include Windows Live Controls
Windows Live ID Delegated Authentication
Using the Delegated Authentication technology, you can create a mashup of rich user content from various Live services in your application with the user's explicit consent. With your site already using Windows Live ID Web Authentication, this is a simple additional step.
Through delegation, the Windows Live ID users of your site can consent to the scoped release of their personal information to you. For example, a user could consent to share their Live Calendar with your site, and your application can then access the calendar to retrieve and edit data.