
I have the following method in the back end, and I want to get the access id for the user who logged in via the Live SDK:

    public class AccountController : ApiController
    {
        [HttpGet]
        [Route("Account/Authenticate/LiveUser")]
        public void AuthenticateLiveUser()
        {
            //TODO: Inspect the request query to get the access token
        }
    }

On the front end I have the following code:

    <script type="text/javascript">
        WL.init({
            client_id: '00000000XXXXXXXX',
            redirect_uri: 'http://XXXXXXXXXXXXX.us/Account/Authenticate/LiveUser',
            scope: 'wl.signin',
            response_type: 'token'
        });

        WL.ui({
            name: "signin",
            element: "signin"
        });
      </script>

I was able to open the Live sign-in page and sign in, and the Live server responded with the following message (as seen in Fiddler):

    HTTP/1.1 302 Found
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Length: 0
    Content-Type: text/html; charset=utf-8
    Expires: Sat, 18 Oct 2014 19:52:24 GMT
    Location: http://XXXXXXXXXXXXX.us/Account/Authenticate/LiveUser#access_token=<<ACCESS_TOKEN>>&token_type=bearer&expires_in=3600&scope=wl.signin%20wl.basic%20wl.emails&state=redirect_type%3dauth%26display%3dpage%26request_ts%3d1413662001911%26response_method%3durl%26secure_cookie%3dfalse&user_id=<<USER_ID>>
    Server: Microsoft-IIS/7.5
    P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"

NOTE: The redirect above forwards the user to the correct address, and it includes the access token and user id, censored in the above code.

However, the request that goes to my server is as follows; note the absence of the access token and user ID:

    GET http://XXXXXXXXXXXXX.us/Account/Authenticate/LiveUser HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US,en;q=0.8,ja;q=0.6,zh-Hant-HK;q=0.4,zh-Hant;q=0.2
    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
    Accept-Encoding: gzip, deflate
    Host: nsyncservices.us
    DNT: 1
    Connection: Keep-Alive

Going back full circle, I am debugging my AuthenticateLiveUser service handler, but there is no access token or user id that will allow me to access the Live services.

What am I doing wrong? How can I get the access token and user id to my server side code?

Alwyn

1 Answer


The answer will depend on what you intend to do with the token from your server. If you just need to make a couple quick service calls, it's usually sufficient just to write some JS that sends the token to your server.

If you want to hold on to the token for more than an hour, everything changes. The access token itself will expire so what you really need is an auth code which can be used to get a long-term refresh token which can in turn be used to get short-term access tokens.

Read more about this at http://msdn.microsoft.com/en-us/library/hh243649.aspx and check out the SDK samples here: https://github.com/liveservices/LiveSDK-for-Windows/tree/master/src/Web

Fwiw, the reason your server doesn't see the access token in the redirect is because it appears after the '#' in the URL. This is intentional for security reasons. While all of this sounds complicated, it is actually a textbook implementation of OAuth 2.0, so you may find value in reading that spec.

Robert Levy
  • Robert, I followed the example found here, almost to the letter: http://developer.telerik.com/featured/live-connect-authentication-web/ If I understand this correctly, the live SDK is supposed to take care of a lot of the leg work for me. – Alwyn Oct 19 '14 at 02:11
  • The example I was copying isn't working for offline access, there is also the problem of the redirect uri being different from the mobile uri. So response_type has to be code, not token. – Alwyn Oct 19 '14 at 07:01
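
The answer's two points (the token sits after the '#', and client-side JS has to send it to the server) shown as an added example; this is not code from the thread or from the Live SDK. The sample URL is constructed with placeholder values, and the function names and the hand-off endpoint are hypothetical.

```javascript
// Constructed sample: same shape as the Location header in the question.
const SAMPLE_REDIRECT =
  'http://example.invalid/Account/Authenticate/LiveUser' +
  '#access_token=PLACEHOLDER_TOKEN&token_type=bearer&expires_in=3600' +
  '&scope=wl.signin%20wl.basic%20wl.emails&user_id=PLACEHOLDER_USER';

// What the browser puts on the request line: path and query only.
// The fragment (everything after '#') is never transmitted.
function requestTargetSentToServer(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// Parse the implicit-grant response that stays in the browser.
function parseFragment(redirectUrl) {
  const params = new URLSearchParams(new URL(redirectUrl).hash.slice(1));
  // OAuth 2.0 implicit-grant errors also arrive in the fragment.
  if (params.has('error')) {
    throw new Error('authorization failed: ' + params.get('error'));
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');
  if ((params.get('token_type') || '').toLowerCase() !== 'bearer') {
    throw new Error('unexpected token_type');
  }
  return {
    accessToken,
    userId: params.get('user_id'),
    expiresIn: Number(params.get('expires_in')),
    scopes: (params.get('scope') || '').split(' ').filter(Boolean),
  };
}

// Build the request that hands the token to the back end (hypothetical
// endpoint). The token goes in a header, not the URL, so it stays out of
// access logs and Referer headers.
function buildHandoff(parsed, endpoint) {
  if (new URL(endpoint).protocol !== 'https:') {
    throw new Error('refusing to send a bearer token over plain HTTP');
  }
  return {
    url: endpoint,
    init: {
      method: 'POST',
      headers: { Authorization: 'Bearer ' + parsed.accessToken },
    },
  };
}
```

In the page, call `parseFragment(location.href)`, pass the result of `buildHandoff` to `fetch(h.url, h.init)`, then clear the fragment with `history.replaceState(null, '', location.pathname)`. The server should verify the token with the provider before trusting any user ID that arrives with it.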