Tags: asp.net-mvc, oauth, dotnetopenauth, windows-live-id

How do I better control how DotNetOpenAuth uses Microsoft Account (Live ID)?


I am using the new OAuthWebSecurity wrapper for DotNetOpenAuth to allow users to log in to an MVC4 application with their Microsoft Account (aka Windows Live ID).

I have registered the microsoft client:

OAuthWebSecurity.RegisterMicrosoftClient(clientId: "...", clientSecret: "...");

It is all working, and I love the simplicity of it. But how do I refine what it's doing?

After selecting to log in with their Microsoft Account, the user is taken to a screen asking them to log in:

[Screenshot: Step One]

When they log in, I want them to be able to check the "keep me signed in" box.

Microsoft then asks for them to OK my access:

[Screenshot: Step Two]

But I don't actually want that much access. All I want is their name and email address. And maybe their picture. I certainly don't need or want access to their contacts and friends. This is going to scare off my users.

Where can I pass parameters to OAuthWebSecurity or DotNetOpenAuth to control this?

So the user clicks yes and all is ok. However, when they leave and come back to my site - the "keep me signed in" option should have been honored. It isn't. Instead, they see this:

[Screenshot: Step Three]

I don't understand the message that says:

Because you're accessing sensitive info, you need to verify your password.

What sensitive info? The contacts/friends I didn't want to begin with? Or something else?

How can I get around these two issues to make my application more user-friendly?


Solution

  • You need to pass the scopes you want; you can just use wl.signin, which will sign users in to your application if they are already signed in to Live without asking for their credentials again.

    Check http://msdn.microsoft.com/en-us/library/live/hh243646.aspx
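Added example (not code from the question, the answer, or the DotNetOpenAuth project) of registering the Microsoft client with an explicit, least-privilege scope list instead of the default RegisterMicrosoftClient call. It assumes a DotNetOpenAuth.AspNet version whose MicrosoftClient exposes a (appId, appSecret, params string[] requestedScopes) constructor, and uses placeholder credentials.

```csharp
using System.Collections.Generic;
using DotNetOpenAuth.AspNet.Clients;
using Microsoft.Web.WebPages.OAuth;

public static class AuthConfig
{
    public static void RegisterAuth()
    {
        // Least privilege: request only what the application actually consumes.
        //   wl.signin  - reuse an existing Live session instead of re-prompting for credentials
        //   wl.basic   - basic profile (name, picture URL)
        //   wl.emails  - the user's email address
        // No contacts or friends scopes are requested, so the consent screen will not
        // ask for them.
        var scopes = new[] { "wl.signin", "wl.basic", "wl.emails" };

        // Assumption: this three-argument constructor exists in the installed
        // DotNetOpenAuth.AspNet version; check the assembly you reference.
        var client = new MicrosoftClient(
            appId: "YOUR-CLIENT-ID",          // placeholder
            appSecret: "YOUR-CLIENT-SECRET",  // placeholder; load from protected config, not source
            requestedScopes: scopes);

        // Register the scoped client under the same provider name the default helper uses,
        // so the existing login views and ExternalLoginCallback keep working unchanged.
        OAuthWebSecurity.RegisterClient(
            client,
            displayName: "Microsoft",
            extraData: new Dictionary<string, object>());
    }
}
```

Call RegisterAuth() from Application_Start in place of OAuthWebSecurity.RegisterMicrosoftClient; the scopes the user consents to are exactly the ones listed, and wl.signin is what lets a signed-in Live user return without the password prompt.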