Ajay Bothra


Is it possible to use Windows Live ID authentication without displaying the Live ID Client pop-up window that appears? Can my client application UI itself accept the username and password from the user and then use these for authentication with the Windows Live ID SDK?

Also, if the user has saved his credentials (username and password) while signing in using the Windows Live ID Client, is there some way in which these credentials can be used while signing in to the Hotmail, MSN or Live websites? I.e. if the user has already signed in to the Live ID Client, can he be automatically signed in while using Hotmail or Live? The Live ID Client user credentials do persist across Live Messenger and vice versa. However, is a similar thing possible between the Live ID Client and the websites also?




Re: Using Live ID Authentication and User credentials Information ?

Alex Media


Ajay,

Regarding your first question: even though I have no experience whatsoever with the Client Auth SDK, I don't think it is possible. By using only one UI for the sign-in process of various applications, the end-user is always seeing a similar dialog, thus creating trust. The dialog also tells the user who created the application, that it is not made by Microsoft. It can also access the local credential store, which provides the user with the convenience of remembering usernames and passwords, like Messenger and the Sign-In Assistant offer.

When signing in, the module encrypts the credentials received from the form, negotiates with the Live ID-server and finally authenticates the user by returning a user ID or something similar. There are some security measures (like encryption) in place that are used before the authentication request is handed off to the Live ID-servers. If you could implement all this yourself, that would mean a security breach as Microsoft has to hand off their secret keys (used for encrypting and decrypting the server message), which is unwanted as it would risk the entire security model of Live ID. Also, it would mean you would have to implement a lot of error checking and exception-handling, which can be tricky.

Basically, you are planning to reinvent the wheel. But instead of using the perfectly round one that everybody uses and trusts, you're creating a square one that you keep chipping pieces off until you reach a point where it is roundish, but still doesn't perform as well as the other wheel does.

Regarding your second question: when you click the mail or Spaces-button in Messenger, a temporary file is created containing a form that is submitted to the Live ID-servers, which contains things like the user's ID, the requested return URL, etcetera. When the browser launches, this form is submitted to the server, which handles the authentication request and redirects the user to the given URL. Only at that time the user is web authenticated.

So, if you would delete all your cookies and profiles and temporary files (basically create a new profile) and then sign in to Messenger, but do not click a mail or Spaces-button, but then browse to www.hotmail.com, you are asked for your username and password (assuming the Sign-In Assistant is not active) even though you are logged in in Messenger. This is due to security measures put in place by your browser.

I don't know if there is a possibility to create a similar experience using the Client and Web Authentication SDKs, my guess is it is not possible as it would bypass the security warning that Web Auth gives ("This site is not affiliated with Microsoft, blablabla").

I hope this answers your questions, let me know if there is something unclear about my reply :)

Alex






Re: Using Live ID Authentication and User credentials Information ?

Juan Pelaez

It is clear.

But what if I want a little change in the Live login page? For example, the logo from my site, just to alert the users that we are using Live for login but you are still on my site.

Or what about using another stylesheet?

I am not sure if it is clear for you, but I don't want to change or break Live security, just use the service but with a better user experience for my customers than having a page, clicking login, going to another page which has nothing to do (in visuals or experience) with my site, and then back to my site.

And if my page uses Silverlight or Flash or something better than HTML, the break in the experience is bigger.

Could you help me with some directions on this issue?

Thanks in advance.

Juan.







Re: Using Live ID Authentication and User credentials Information ?

EdAndersen

The way I see it, this is to stop phishing attempts, for the same reasons that the authentication ID system for websites requires you to divert to the microsoft.com site to enter credentials. By providing a pre-baked login window, applications don't get access to Live ID passwords, a far safer option in my opinion.






Re: Using Live ID Authentication and User credentials Information ?

Alex Media

It is currently not possible to alter the Live ID authentication page in any way. There is no way of adding stylesheets or custom branding.

Custom branding is limited to RPS-customers (that is a sort of premium SDK, which will cost you big bucks), and stylesheets would allow you to remove/replace key elements of the Live ID-page, such as the "this site is not affiliated with Microsoft"-notice.

A possible solution to Flash/Silverlight is opening a new window in which you authenticate your users, then make a custom handler that uses JavaScript to communicate between windows (with parent.opener)... it is a bit tricky but it should do the trick.
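
The popup hand-off suggested above, sketched as an added example that is not part of the original post and not Live ID SDK code: the opening page accepts a sign-in result from the popup only after checking where it came from. It uses `postMessage` rather than a direct `opener` call; the origin, the `/signin-start` path and the message shape are assumptions, and the password is still typed only on the Live ID page.

```javascript
// Added example (not from the thread). Runs in the page that opened the popup.
// AUTH_HANDLER_ORIGIN, the path and the message shape are hypothetical.
const AUTH_HANDLER_ORIGIN = 'https://app.example'; // constructed placeholder

function createAuthResultHandler({ handlerOrigin, popup, expectedState, onSignedIn }) {
  let consumed = false; // accept at most one result per sign-in attempt
  return function onMessage(event) {
    // 1. Only the origin serving our own return page may report a result.
    if (event.origin !== handlerOrigin) return 'rejected: origin';
    // 2. The message must come from the window we opened, not another frame.
    if (event.source !== popup) return 'rejected: source';
    const data = event.data;
    if (!data || typeof data !== 'object' || data.type !== 'auth-result') {
      return 'rejected: shape';
    }
    // 3. The state value ties the result to the attempt this page started.
    if (typeof data.state !== 'string' || data.state !== expectedState) {
      return 'rejected: state';
    }
    if (consumed) return 'rejected: replay';
    consumed = true;
    // Pass on an opaque token only; the server must still verify it.
    onSignedIn(String(data.token));
    return 'accepted';
  };
}

// Browser wiring (skipped when no window object exists, e.g. under Node).
if (typeof window !== 'undefined') {
  const state = Array.from(crypto.getRandomValues(new Uint8Array(16)),
    (b) => b.toString(16).padStart(2, '0')).join('');
  const popup = window.open(`/signin-start?state=${state}`, 'signin', 'width=480,height=640');
  window.addEventListener('message', createAuthResultHandler({
    handlerOrigin: AUTH_HANDLER_ORIGIN, popup, expectedState: state,
    onSignedIn: (token) => console.log('signed in, token length', token.length),
  }));
}
```
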





Re: Using Live ID Authentication and User credentials Information ?

Ajay Bothra

Alex,

Firstly, I didn't want to re-invent the wheel. I just wanted to change its look and feel so that it matches the looks of my vehicle. Similar to what Juan wants.

And I thought it may be possible because in a similar case for using the Live Contacts API, I may obtain the authentication ticket without using the Windows Live ID Client SDK. I may take username and password input from the user and use these to obtain the authentication ticket for accessing his contacts.

And for my second question, does it mean that the saved credentials for Live Messenger are stored separately from the saved credentials for Hotmail or MSN? For Hotmail or MSN they may be stored in some cookies. So, maybe Live Messenger stores them somewhere else or in different cookies which are shared with the Live ID Client.

- Ajay Bothra





Re: Using Live ID Authentication and User credentials Information ?

Alex Media

Ajay,

Firstly, I like your comparison ;) I think the Live ID-team has made a better decision on getting credentials from a user than the Live Contacts-team. I could build a Live ID-clone using the Contacts API to verify user credentials... while that's impossible with the Client SDK/Web Auth SDK. If you really want to use a custom Sign In UI, you could (mis)use Live Contacts... but I'd advise you to use the supplied Client SDK with its UI.

About your second question: Hotmail and MSN use Passport (now Windows Live ID) for their authentication needs. Passport stores its information in cookies on your computer, they persist for a longer time (I thought a year, not sure).

When Messenger is installed, a "Credential store" is created for Windows Live, which all client-side Windows Live-applications tap into, including the Client SDK. If you install the Windows Live Sign-In Assistant (it's enabled in the Messenger-install by default) it allows Passport to tap into that Credential store too, thus providing a single sign-on experience. This only works in Internet Explorer by the way, a Firefox-version was promised but never released.

To sign on from your desktop-application to a web-based application using the Client and Web SDKs, there is currently no other way than asking the user to reauthenticate, it should be only one click for them (if they are using the Sign-In Assistant) so it isn't much work. But I agree with you, it would be nicer to have it done automatically.





Re: Using Live ID Authentication and User credentials Information ?

Alex Media

After reading the Client SDK I found this: Opening an Authenticated Browser Window, it allows you to sign in and open Hotmail from within your application, I don't know if it can be used for URLs using the Web Auth SDK though...

I think it is not possible because in Identity.OpenAuthenticatedBrowser everywhere "Windows Live ID site or service" is mentioned...