Parse a Permission Response
The permission response provides information about the success or failure of a permission request. If the request was successful and the user granted permission, the response contains the RequestApproved response code, and the owner handle and domain authentication token required to access the user's data. If the request failed, the response code indicates the reason for failure.
What's in the Permission Response?
The response to a permission request is a form POST to the permission-processing URL that was supplied in the original request. The response contains several name/value string pairs, which include one or more of the following:
- Response Code
- DomainAuthenticationToken
- OwnerHandle
- Permissions
The Response Code value may be one of the following:
- RequestApproved: This is the normal response.
- RequestRejected: The user denied permission.
- BadPermissionRequestURL: The request was improperly constructed. Check your HTML, making sure that the
rlfield points to a valid HTTPS URL (or a HTTP URL if using NoSSL), and that only therl,pl, andpsoptions are included. - UnsupportedPermissions: You have asked for an incorrect permission. Check your HTML, making sure that the ps field is correct.
- OwnerWontLogin: The user did not log into Windows Live, so you don't have permission.
- InternalWindowsLiveError: There was a problem at the Windows Live Data server.
The raw permission response string appears as follows:
{ResponseCode=RequestApproved&DomainAuthenticationToken=A%3a20070910T175011Z%3a[RETURN URL]%3aBkwiXOeuz8heojzsiJq%2flqV9gcwxFaYXd9rc4seoIwt2XcnazAYxaKci7PEBr127FidkkdQKD0pQHCT%2fF7uJkhEjlVvEJ35%2fYwVZzH6yMSPGdHEWRZWziyJPKgotS%2bHVefLWwPrlu94JwrYyvLIkP%2bSaFzV6tiJH%2foZlEdZeprVle5%fN7hYCYxm7jaGsRZDZgNmnpeAce2URYSwbYIE0drrz%2b3N3gJgKZZERzZZTopFSPz55AxQT8HuQzZHe3KBYKlnPFwnC2igqIR5g1EAcJh7IY8tAAF2vNa%2fkIDb%2fYEKWC%2bPWSVGO%2fLNmmu8KFghX2mFBo9NLOaFf%2bZPEi2PdQ%3d%3d&OwnerHandle=user%40example.com}
Parsing a Permission Response
If the Response Code received is RequestApproved, then the processing page should get the values for OwnerHandle and DomainAuthenticationToken from the posted form. Most sites will want to store the OwnerHandle and DomainAuthenticationToken in a database, keyed to the user's site login credentials. Because these can be used to access personal information, they must be secured properly. A good rule of thumb is to keep the user's OwnerHandle and DomainAuthenticationToken as secure as you would the user's credit card or login information. If the Response Code is not RequestApproved, then the processing page should take appropriate action.
The following code example demonstrates a simple method for extracting response values.
protected void Page_Load(object sender, EventArgs e)
{
string domainAuthToken = null;
string ownerHandle = null;
string responseCode = null;
System.Collections.Specialized.NameValueCollection postedValues = Request.Form;
for (int i = 0; i < postedValues.AllKeys.Length; i++)
{
String nextKey = postedValues.AllKeys[i];
if ("DomainAuthenticationToken" == nextKey)
domainAuthToken = postedValues[i];
else if ("OwnerHandle" == nextKey)
ownerHandle = postedValues[i];
else if ("ResponseCode" == nextKey)
responseCode = postedValues[i];
}
if ("RequestApproved" == responseCode)
{
// The user has approved the request.
// Get information using ownerHandle and domainAuthToken.
}
else
{
// There was an error, display responseCode.
}
}