Hello,
I am trying to do SSO across a Windows 8 App and an ASP.NET page, but I would like to do it in a cleaner way than what I see in this sample.
TIn the sample, when the Windows 8 App wants to tell the site "look, do that for the connected user - the one using this Microsoft account", it sends an authorisation token. Then, with a call to LiveSDK, the site gets the userId.
The problem with this exaple is that it is not ready for production use. The ASP.NET User is not necessarily up to date and ther [token to User] mapping is done inside the Controller Action, not at a global level.
I would like this to be a bit more consistent and integrated: whenever there's a request to the site, containing this token, try to authenticate the user. I think I understood what I need to do, but I still have questions:
1) The request send by the Metro app should send an Authorisation Header with Bearer scheme and a token.
2) On the server, I should add a new Filter in the WebApiConfig (is it necessary?).
This filter should use LiveAuthClient.GetUserId (isn't there any alternative?) to get a UserId from the token, and based on that UserId I can create a new user (if not existing) or just sign in the user.
(My site is mostly WebAPI SPA, but the requests I mostly want to add security on are towardsSignalR hubs).
I have activated Microsoft Account (using the same app clientId as the Windows store app) but when:
1) I open the site and connect to it with my Microsoft Account
2) then call an authorized resource from my Windows 8 App (either a normal GET call or an attempt to start a SignalR Hub with the Authorize attribute)
> I get redirected to the Login page. There's no SSO, despite the fact that I'm connected in both places with the same microsoft account.
I can alway allow anonymous calls to my Hub and use LiveSDK to get the UserId whenever there's a call to the GameHub, but I am looking for better alternatives.