· Study the Windows Live ID SDK, especially Web Authentication and Delegated Authentication (there is also Client Authentication, for Windows Forms programs).
· Web Authentication: applicable to the intranet (condition: users must be able to reach both the Web server on the intranet and the extranet) and to the extranet. This method only verifies the login; it provides no interface for accessing other information afterwards (for example, fetching the friends list after logging in).
Streamlined process:
(1) The user requests to log in.
(2) Our Web server builds a URL for the user and redirects the browser to something like www.login.live.com (followed by parameters; building this URL is part of the Live ID SDK flow) to log in.
(3) The user enters a user name and password. If the Live ID server verifies them, it automatically redirects the user to the 'ReturnUrl' (this URL is filled in when we apply for the AppID; an AppID is what a third party that wants to use the Live ID SDK applies for on behalf of its own application).
"Summary" Throughout Web Authentication our Web server never deals directly with the Live ID server, so the server itself does not need a connection to the extranet; only the user's browser does.
· Delegated Authentication: applicable to the intranet (conditionally, see the note below) and to the extranet. Besides Live ID login, this method also provides delegated authorization for the Windows Live User Data SDK (at present the user data covers three kinds of resources: Contacts, WebDev photo, and data storage). In other words, if you want to use the Windows Live User Data SDK, you must use Delegated Authentication.
Streamlined process:
(1) The user requests to log in.
(2) Our Web server builds a URL for the user (the same principle as in Web Authentication, but with more parameters).
(3) If the user name and password pass, the Live ID server first sends the user's information to the Live Consent Service (whose purpose is to let the user authorize our Web server to access their Live user data), as shown below.
If the user has already authorized us, this step is skipped almost immediately; otherwise an authorization page pops up for the user to grant consent.
(4) If in step 3 the user agrees to authorize our Web server, the Live ID server redirects the user to the 'ReturnUrl' mentioned earlier. There we act according to the returned parameters; each authentication type supports different actions: Web Auth supports login, logout and ClearCookie, while Delegated Auth supports only Delauth. In the Delegated Auth case, what I did in the ReturnUrl was to download my MSN buddy list through the Contacts SDK of the Windows Live User Data SDK, after validation and user authorization. All that is needed is to pass in the token-related parameters obtained from Delegated Authentication (the delegation token and the LocationID).
"Note" It was mentioned earlier that Delegated Auth supports the intranet, but with one condition, which concerns the domain name. First, on the Web server machine, in the Hosts file under c:/windows/system32/drivers/, change the line 127.0.0.1 localhost to 127.0.0.1 (your domain name); here I changed it to 127.0.0.1 www.testdelauth.com. Then every intranet user who visits my site must add a line to their own Hosts file, in the format: your-IP-address www.testdelauth.com. The purpose is that when intranet users resolve www.testdelauth.com they learn that the name is your IP, and can then reach the Web server you built. The reason the Web server's Hosts file has to be modified is that when applying for the AppID, if you intend to use Delegated Authentication you must fill in a domain name in addition to the 'ReturnUrl', and that domain name cannot be an IP address, cannot be localhost, and cannot be a plain machine name (a single string); it must be a fully qualified domain name. I think this is what is meant by supporting the intranet; there may be a better way, but this is how it is.
"Summary" In fact the Delegated Authentication process also needs no direct access from our Web server to the Live ID server or the Live Consent Service, but the domain-name requirement causes some relative trouble.
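The two ReturnUrl round trips described above and the registration rule from the note, as an added Python model. This is not code from the page or from the Windows Live ID SDK: the SDK ships a library that decodes its own encrypted token, so the token format here (a label-derived HMAC-SHA256 key over a query-string body), the login URL parameters, the field names other than `action` (`stoken`, `ConsentToken`, `delt`, `lid`), the offer name `Contacts.View` and the ReturnUrl path are all assumptions of the model. What it shows is the checks the ReturnUrl handler must make before trusting anything Live ID posts back (signature, AppID, age), the dispatch on the four actions, a validator for the domain name the AppID registration will accept, and the hosts-file edit the note describes done without clobbering other names on the same line.

```python
import base64
import hashlib
import hmac
import ipaddress
import re
import time
from urllib.parse import parse_qsl, urlencode

# Constructed registration values; a real AppID and secret come from the AppID application.
APP_ID = "0000000048000001"
APP_SECRET = b"constructed-application-secret"
DOMAIN = "www.testdelauth.com"               # the FQDN the page registers for delegated auth
RETURN_URL = f"https://{DOMAIN}/livereturn"  # assumed ReturnUrl path
TOKEN_MAX_AGE = 5 * 60                       # assumption: reject tokens older than five minutes

def _sig_key():  # assumed derivation: signing key separated from the shared secret by a label
    return hashlib.sha256(b"SIGNATURE" + APP_SECRET).digest()

def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(fields):
    """Mint a signed token as the identity-provider side of this model would (offline demo only)."""
    body = urlencode(fields).encode()
    sig = hmac.new(_sig_key(), body, hashlib.sha256).digest()
    return _b64u(body + b"&sig=" + base64.b64encode(sig))

def verify_token(token, now=None):
    """Check signature, application and age before trusting anything inside the token."""
    body, sep, sig_b64 = _unb64u(token).rpartition(b"&sig=")
    if not sep:
        raise ValueError("token carries no signature")
    expected = hmac.new(_sig_key(), body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_b64)):
        raise ValueError("token signature does not verify")
    claims = dict(parse_qsl(body.decode(), keep_blank_values=True))
    if claims.get("appid") != APP_ID:
        raise ValueError("token was issued for another application")
    if (time.time() if now is None else now) - int(claims.get("ts", "0")) > TOKEN_MAX_AGE:
        raise ValueError("token is too old")
    return claims

def build_login_url(app_ctx="", delegated=False, base="https://login.live.com/"):
    """Step 2 of both flows: the server only builds a redirect URL; the browser contacts Live ID.
    Parameter names are assumptions (the page says only that delegated auth adds parameters)."""
    params = {"appid": APP_ID, "appctx": app_ctx}
    if delegated:
        params.update(ru=RETURN_URL, offers="Contacts.View")  # assumed offer name for reading contacts
    return base + "?" + urlencode(params)

def handle_return(form, session, now=None):
    """Step 4: the ReturnUrl handler dispatches on the 'action' Live ID posts back.
    Web Auth posts login / logout / clearcookie; Delegated Auth posts delauth.
    Field names other than 'action' are assumptions of this model."""
    action = form.get("action")
    if action == "login":
        session["uid"] = verify_token(form.get("stoken", ""), now)["uid"]
        return "signed-in"
    if action in ("logout", "clearcookie"):
        session.clear()   # nothing to verify: Live ID is telling us to drop our own session
        return "signed-out"
    if action == "delauth":
        claims = verify_token(form.get("ConsentToken", ""), now)
        # What the later Contacts SDK call needs: the delegation token and the LocationID.
        session["delt"], session["lid"] = claims["delt"], claims["lid"]
        return "delegated"
    raise ValueError(f"unknown action {action!r}")

_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")

def is_fqdn_for_registration(name):
    """AppID registration for delegated auth wants a fully qualified domain name:
    not an IP address, not localhost, not a bare machine name."""
    name = name.strip().rstrip(".").lower()
    if not name or name == "localhost":
        return False
    try:
        ipaddress.ip_address(name)
        return False          # an IP literal is not a domain name
    except ValueError:
        pass
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(label) for label in labels)

def with_hosts_entry(hosts_text, ip, name):
    """Hosts-file text mapping name to ip, replacing any existing mapping for that name
    without losing other names on the same line (the page's intranet workaround)."""
    out = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and name.lower() in (h.lower() for h in parts[1:]):
            kept = [parts[0]] + [h for h in parts[1:] if h.lower() != name.lower()]
            if len(kept) > 1:
                out.append(" ".join(kept))
            continue
        out.append(line)
    out.append(f"{ip} {name}")
    return "\n".join(out) + "\n"
```

The point of `verify_token` is the order of checks: a posted-back `action=login` or `action=delauth` is just an HTTP request anyone can send to your ReturnUrl, so nothing in the form is trusted until the signature verifies, the token names your own AppID, and its timestamp is fresh. The real SDK library does the equivalent decoding for you; what this model makes visible is that skipping it lets a forged postback sign a user in. `with_hosts_entry` keeps `localhost` when the page's suggested edit would otherwise overwrite the `127.0.0.1 localhost` line.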