
I have a client that would like to use SkyDrive as cloud storage for a web site. This website will not be asking the user of the site for their SkyDrive account to show them their files, but rather the owner of the website will be storing some files in SkyDrive and would like to share them with users logged in to his site. My question is, how can I send credentials to the SkyDrive API directly from the back end PHP code of the website?

The API docs on Live Connect (http://msdn.microsoft.com/en-us/library/live/hh243647.aspx) seem to focus on presenting the user with a login form to send the user's credentials to the service. Again, that is not what I want. The user of the web site should not have to do anything but go to the page and they will see the files mirrored from the SkyDrive account. The credentials should be stored on the server and sent when the user requests the page.

I asked a question similar to this about Google Docs (How do I connect to the Google Calendar API without the oAuth authentication?). The answer to that question was to set up a temporary script to get a refresh token that could be used over and over again to authenticate. I tried that and it did work. However, I am unsure of how long the refresh token lasts and if that same method would work with the SkyDrive API.

Edit: After doing some more research, the Live Connect Docs (http://msdn.microsoft.com/en-us/library/live/hh826540) say:

After a user provides consent, Live Connect gives your app a special code, or access token, that lets your app work with that portion of the user's info to which he or she consented. Typically, this access token is good for about one hour. After this hour is up, your app won't be able to work with the user's info anymore—it must ask the user to go through the sign-in and consent process again. To get around this, you can ask the user to consent to the wl.offline_access scope. This gives your app an additional code, called a refresh token, that your app can use to get a new access token whenever it needs one—even after the user signs out—typically, for up to a year. However, the user can revoke your app's access at any time. If a user chooses to revoke consent to your app, no corresponding access tokens or refresh tokens will work—your app must ask the user to go through the sign-in and consent process once again.

So, it looks like the refresh token lasts for a year. That means I could rig something to get a refresh token, store that, and on each page request, use the refresh token to get an access token and display the data. However, once a year I would have to update the refresh token for this client and store it. Does that sound right and is this the best way to do it?

Jon Hargett
  • I think theirs is like fb, ain't it? It just goes on and on, if you store the token it should work for long periods of time. You will ofc have to show the user their login page at least once, you can't do it unauthorised, hence the example shows you that. – Sammaye Aug 31 '12 at 20:15
  • @Sammaye as far as I can tell, he doesn't want the visitor to have to login to skydrive, but login with one account that the owner of the site sets up and list the files associated with that account to share the files. So list/share files from a skydrive account on his site with his site supplying the credentials. – Jonathan Kuhn Aug 31 '12 at 20:25
  • @JonathanKuhn Hmm yes it can be read like that, he might need to clarify – Sammaye Aug 31 '12 at 20:29
  • Though you can achieve this by doing the same, this happens on WP facebook auto share. The "main" account logs in and all users on that app can then use the token, so you just use the token you got originally setting up your site to login users to your account, should be easy enough in my mind – Sammaye Aug 31 '12 at 20:32
  • Yes, @JonathanKuhn was right. I do not want the visitor of the website to login with their own credentials. I want to log in once with the web site owner's credentials. If the refresh token does indeed last forever, then I can rig something to retrieve a refresh token once, store it and then just use that from then on. – Jon Hargett Aug 31 '12 at 21:06

1 Answer


OAuth 2 has a special flow exactly for this, called Client Credentials Grant.

Google already implements this with Service Accounts and Client certificates, as was mentioned in this answer to your other question.

However, Microsoft thus far does not implement that flow, so your best way at the moment is to use the workaround you're already using for Google Docs.

Jan Gerlinger
  • Thanks for the answer. It does appear that the workaround is the best option for SkyDrive. However, if the refresh token does expire it will be a pain to have to redo that, even if it is once a year. – Jon Hargett Sep 04 '12 at 18:33
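
The stored-refresh-token workaround discussed in this thread, as an added PHP example that is not code from the question, the answer or Microsoft: it caches the access token server-side, refreshes only when it is stale, persists a rotated refresh token, and fails closed when the refresh token has been revoked or has expired. `TOKEN_URL`, the client id/secret, the store file layout and the function names `postForm` and `accessToken` are assumptions, and the request uses the generic RFC 6749 refresh parameters rather than anything quoted on this page.

```php
<?php
// Added example (not from the thread). TOKEN_URL and the client id/secret are
// placeholders: take the real values from the provider's documentation.
const TOKEN_URL = 'https://auth.example.invalid/oauth2/token';

// Default transport: POST a form, return [HTTP status, decoded JSON body].
function postForm(string $url, array $fields): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10, CURLOPT_POSTFIELDS => http_build_query($fields)]);
    $body = curl_exec($ch);
    $status = (int)curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    return [$status, json_decode((string)$body, true) ?: []];
}

// Return a valid access token, refreshing only when the cached one is stale.
function accessToken(string $store, array $client, ?callable $post = null, ?int $now = null): string {
    $post ??= 'postForm';
    $now ??= time();
    $fh = fopen($store, 'c+');
    flock($fh, LOCK_EX); // one refresh at a time across concurrent page requests
    $state = json_decode((string)stream_get_contents($fh), true) ?: [];
    if (($state['expires_at'] ?? 0) - 60 > $now) { // still valid, with 60 s of slack
        fclose($fh);
        return $state['access_token'];
    }
    [$status, $json] = $post(TOKEN_URL, [ // RFC 6749 section 6 refresh request
        'grant_type' => 'refresh_token', 'refresh_token' => $state['refresh_token'] ?? '',
        'client_id' => $client['id'], 'client_secret' => $client['secret'],
    ]);
    if ($status !== 200 || empty($json['access_token'])) {
        fclose($fh); // revoked or expired refresh token: the owner must consent again
        throw new RuntimeException('refresh failed: ' . ($json['error'] ?? "HTTP $status"));
    }
    $state = ['access_token' => $json['access_token'],
        'expires_at' => $now + (int)($json['expires_in'] ?? 3600),
        // keep the old refresh token unless the server rotated it
        'refresh_token' => $json['refresh_token'] ?? $state['refresh_token']];
    ftruncate($fh, 0); rewind($fh); fwrite($fh, json_encode($state));
    fclose($fh);
    return $state['access_token'];
}

// Constructed demo: fake transport and a temp store seeded with a made-up token.
// Keep the real store outside the web root, readable only by the PHP user.
$store = tempnam(sys_get_temp_dir(), 'tok');
file_put_contents($store, json_encode(['refresh_token' => 'rt-constructed']));
$fake = fn($url, $f) => [200, ['access_token' => 'at-for-' . $f['refresh_token'], 'expires_in' => 3600]];
echo accessToken($store, ['id' => 'x', 'secret' => 'y'], $fake, 1000), "\n"; // refreshes
echo accessToken($store, ['id' => 'x', 'secret' => 'y'], $fake, 2000), "\n"; // served from cache
unlink($store);
```

The token stays on the server: the page handler calls `accessToken()` and fetches the file listing itself, so neither the refresh token nor the access token is ever sent to a visitor's browser.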