
I am using the new OAuthWebSecurity wrapper for DotNetOpenAuth to allow users to log in to an MVC4 application with their Microsoft Account (aka Windows Live ID).

I have registered the microsoft client:

OAuthWebSecurity.RegisterMicrosoftClient(clientId: "...", clientSecret: "...");

It is all working, and I love the simplicity of it. But how do I refine what it's doing?

After selecting to log in with their Microsoft Account, the user is taken to a screen asking them to log in:

Step One

When they log in, I want them to be able to check the "keep me signed in" box.

Microsoft then asks for them to OK my access:

Step Two

But I don't actually want that much access. All I want is their name and email address. And maybe their picture. I certainly don't need or want access to their contacts and friends. This is going to scare off my users.

Where can I pass parameters to OAuthWebSecurity or DotNetOpenAuth to control this?

So the user clicks yes and all is ok. However, when they leave and come back to my site - the "keep me signed in" option should have been honored. It isn't. Instead, they see this:

Step Three

I don't understand the message that says:

Because you're accessing sensitive info, you need to verify your password.

What sensitive info? The contacts/friends I didn't want to begin with? Or something else?

How can I get around these two issues to make my application more user-friendly?

Rowland Shaw
Matt Johnson-Pint
  • Did you ever work around this? I'm having this issue logging into Azure in PowerShell and there's no action you can perform on the page – Dan Csharpster Aug 25 '16 at 15:38
  • @DanCsharpster - You may have the same UI experience, but in my case I was controlling the application's interactions with the identity provider (MS Account) directly, and choosing the proper scope fixed the problem (as in the accepted answer). – Matt Johnson-Pint Aug 25 '16 at 16:34

1 Answer


You need to pass the scopes you want. You can just use wl.signin, which will sign users into your application if they are already signed in to Live without asking for the credentials again.

Check http://msdn.microsoft.com/en-us/library/live/hh243646.aspx

simple-thomas
  • Thanks for the link. It actually looks like the `wl.basic` scope is what I am using, and that matches the behavior I described. It appears I need to remove the `wl.basic` scope from the request. I have overridden the `MicrosoftClient.GetServiceLoginUrl` to remove the scope from the call to `oauth20_authorize.srf`, but now it doesn't seem to work at all. – Matt Johnson-Pint Feb 28 '13 at 13:24
  • You need basic access to the account, that's the minimum Microsoft asks for I believe. – simple-thomas Feb 28 '13 at 13:28
  • Looks like I can get the behavior I'm looking for by passing `wl.signin` instead of `wl.basic`. Do you see any problem with this? – Matt Johnson-Pint Feb 28 '13 at 13:31
  • Not at all, wl.signin checks if the user is already signed in to Live and doesn't ask for the credentials again; it gives you the token right away. – simple-thomas Feb 28 '13 at 13:32
  • Cool. If you want to update your answer to reflect this, I'll mark it as the accepted answer. Thanks for steering me in the right direction. – Matt Johnson-Pint Feb 28 '13 at 13:36
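Putting the accepted answer together with the `GetServiceLoginUrl` override the asker mentions, here is an added example that is not from the thread: a `MicrosoftClient` subclass that requests only the scopes you hand it (defaulting to `wl.signin`), registered in place of `RegisterMicrosoftClient`. The class name, the constructor and the `RegisterClient` call are assumptions about DotNetOpenAuth.AspNet and Microsoft.Web.WebPages.OAuth; the authorization endpoint is the one the question names.

```csharp
using System;
using System.Collections.Generic;
using DotNetOpenAuth.AspNet.Clients;
using Microsoft.Web.WebPages.OAuth;

// Hypothetical subclass: asks Microsoft only for the scopes passed in,
// instead of the broader wl.basic scope the stock client requests.
public class ScopedMicrosoftClient : MicrosoftClient
{
    private readonly string clientId;
    private readonly string[] scopes;

    public ScopedMicrosoftClient(string clientId, string clientSecret, params string[] scopes)
        : base(clientId, clientSecret)
    {
        this.clientId = clientId;
        // wl.signin is the least-privilege scope from the accepted answer.
        this.scopes = scopes.Length > 0 ? scopes : new[] { "wl.signin" };
    }

    // Build the authorization URL ourselves so the scope parameter is under our control.
    protected override Uri GetServiceLoginUrl(Uri returnUrl)
    {
        var query = new Dictionary<string, string>
        {
            { "client_id", clientId },
            { "scope", string.Join(" ", scopes) },
            { "response_type", "code" },
            { "redirect_uri", returnUrl.AbsoluteUri },
        };
        var parts = new List<string>();
        foreach (var kv in query)
            parts.Add(Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value));

        var builder = new UriBuilder("https://login.live.com/oauth20_authorize.srf");
        builder.Query = string.Join("&", parts);
        return builder.Uri;
    }
}

// In AuthConfig.RegisterAuth(), replace RegisterMicrosoftClient(...) with:
// OAuthWebSecurity.RegisterClient(
//     new ScopedMicrosoftClient("your-client-id", "your-client-secret", "wl.signin"),
//     "Microsoft",
//     new Dictionary<string, object>());
```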