
Can anyone help shed some light on the implementation of the Live SDK (v5.6) vs what's happening in Microsoft.AspNet.Identity.Owin.dll?

The user id returned after successful authentication by the following:

```csharp
// MVC5 UserController for SSO with Microsoft Account
var result = await AuthenticationManager.GetExternalLoginInfoAsync();
var userId = result.Login.ProviderKey;
```

...differs from the identity being returned by:

```csharp
// WebAPI 2 custom AuthFilter (performs HMAC, etc.)
var liveAuthClient = new LiveAuthClient(clientKey, secretKey, redirectUrl);
var userId = liveAuthClient.GetUserId(authTokenFromHttpHeader);
```

In both cases the same ClientId and ClientSecret are being used by the Windows Phone 8 client app, MVC5 WebApp and WebAPI 2.

The id returned by the MVC5 website is 16 characters in length whereas the id extracted from the authentication token is 32 characters.

I thought that maybe the id from the client app is an MD5 hash; however, they still don't match if I try to hash it.

Any ideas?

Craig Presti - MSFT

1 Answer


I've finally worked out what was happening here. It seems that the ID returned by the LiveAuthClient is in some way specific to the Live SDK and no manner of massaging will get me what I need.

Instead, with the WebAuthenticationBroker in a WP8.1 Silverlight app pointing at https://login.live.com/oauth20_authorize.srf?client_id=the_clientid&scope=wl.signin&response_type=token&display=touch (where 'the_clientid' is the actual ClientID), I'm able to retrieve an access_token that can then be used to access the raw user ID as follows:

```csharp
// Get the UID
var accessToken = "the_token"; // replace with actual token
var meUri = new Uri(string.Format("https://apis.live.net/v5.0/me/?access_token={0}", accessToken));

var httpClient = new HttpClient();
var response = await httpClient.GetAsync(meUri);
var responseString = await response.Content.ReadAsStringAsync();

// Anonymous-type template: only the "id" field of the reply is needed
var meObj = new { Id = "" };
meObj = JsonConvert.DeserializeAnonymousType(responseString, meObj);
```

When meObj.Id is MD5 hashed, it matches exactly the ProviderKey returned by the MVC5 web app!

Two links that were very helpful in understanding how to implement the WebAuthenticationBroker piece:

http://msicc.net/?p=4054 (Windows Runtime Apps)

http://msicc.net/?p=4074 (Silverlight 8.1 Apps)

Craig Presti - MSFT
  • This post was extremely helpful. I ended up doing the exact same thing. Thanks. I am surprised how few posts there are about LiveSDK and the LiveAuthClient.GetUserId method in particular. There is nothing at all in the docs about this method... I think it might be a pairwise id or something. – Ron Gilchrist Apr 22 '15 at 22:58
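
An added example, not code from the original post: a server-side version of the lookup in the answer, written so that a rejected token or a malformed reply yields null instead of an empty or stale id. The class and method names are hypothetical, and the hash encoding (MD5 over the UTF-8 bytes of the id, rendered as lowercase hex) is an assumption the post does not spell out.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

public static class LiveIdResolver // hypothetical name
{
    private static readonly HttpClient Http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };

    // Asks the /me endpoint from the answer which account the token belongs to.
    // Returns null when the token is rejected or the reply has no usable id; network errors propagate.
    public static async Task<string> GetLiveUserIdAsync(string accessToken)
    {
        if (string.IsNullOrWhiteSpace(accessToken)) return null;
        // The token travels in the query string, so keep this URI out of logs.
        var meUri = new Uri("https://apis.live.net/v5.0/me/?access_token=" + Uri.EscapeDataString(accessToken));
        using (var response = await Http.GetAsync(meUri).ConfigureAwait(false))
        {
            if (!response.IsSuccessStatusCode) return null;
            var body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
            try
            {
                var me = JsonConvert.DeserializeAnonymousType(body, new { Id = "" });
                return me == null || string.IsNullOrEmpty(me.Id) ? null : me.Id;
            }
            catch (JsonException) { return null; } // malformed reply
        }
    }

    // Assumption: MD5 over the UTF-8 bytes of the id, rendered as lowercase hex.
    // MD5 is only an identifier mapping here, not a security control.
    public static string ToProviderKey(string liveUserId)
    {
        using (var md5 = MD5.Create())
        {
            var digest = md5.ComputeHash(Encoding.UTF8.GetBytes(liveUserId));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Resolves a token to the key compared against Login.ProviderKey, or null.
    public static async Task<string> ResolveProviderKeyAsync(string accessToken)
    {
        var id = await GetLiveUserIdAsync(accessToken).ConfigureAwait(false);
        return id == null ? null : ToProviderKey(id);
    }
}
```

The /me call only tells you which account the token belongs to; this example does not check which application the token was issued to. Confirm the encoding assumption against one known account before relying on the comparison.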