chrismear/Notes on Windows Live Delegated Authentication for Contacts Invite service

## Notes on Windows Live Delegated Authentication for Contacts Invite service
Send user to:
  http://consent.live.com/Delegation.aspx?RU=[return URL]&ps=Contacts.Invite&pl=[privacy URL]
where [return URL] is your post-back URL, and [privacy URL] is the URL of your privacy policy.

When the user has authenticated and granted your application permission, you receive a post-back which includes the parameter 'ConsentToken'.

Un-URL-encode the ConsentToken parameter to yield a querystring.

Extract the 'eact' parameter from the querystring.

Un-URL-encode that parameter.

Base-64 decode that.

Store the first 16 bytes as the 'initialisation vector'. The remaining data is the encrypted message.

Generate your encryption key by prepending "ENCRYPTION" to your application's secret key, getting the SHA-256 digest of the resulting string, and taking the first 16 bytes of that.

Decrypt the encrypted message using the AES-128-CBC cipher, using the encryption key and initialisation vector generated above.

The decrypted message consists of a querystring with a final parameter 'sig'. Remove the 'sig' parameter from the querystring and store it. The remaining querystring is your final data, containing the tokens etc. that you'll need to access the Contacts service.

To validate the data:

Un-URL-encode the 'sig' parameter, and then Base-64 decode the result to give you the actual binary signature.

Generate a signature key by prepending "SIGNATURE" to your application's secret key, getting the SHA-256 digest of the resulting string, and taking the first 16 bytes of that digest.

Generate an HMAC signature of the final data using the SHA-256 digest and the signature key generate above.

If that signature matches the signature decoded from the 'sig' parameter, the data is valid.
	Send user to:
	http://consent.live.com/Delegation.aspx?RU=[return URL]&ps=Contacts.Invite&pl=[privacy URL]
	where [return URL] is your post-back URL, and [privacy URL] is the URL of your privacy policy.

	When the user has authenticated and granted your application permission, you receive a post-back which includes the parameter 'ConsentToken'.

	Un-URL-encode the ConsentToken parameter to yield a querystring.

	Extract the 'eact' parameter from the querystring.

	Un-URL-encode that parameter.

	Base-64 decode that.

	Store the first 16 bytes as the 'initialisation vector'. The remaining data is the encrypted message.

	Generate your encryption key by prepending "ENCRYPTION" to your application's secret key, getting the SHA-256 digest of the resulting string, and taking the first 16 bytes of that.

	Decrypt the encrypted message using the AES-128-CBC cipher, using the encryption key and initialisation vector generated above.

	The decrypted message consists of a querystring with a final parameter 'sig'. Remove the 'sig' parameter from the querystring and store it. The remaining querystring is your final data, containing the tokens etc. that you'll need to access the Contacts service.

	To validate the data:

	Un-URL-encode the 'sig' parameter, and then Base-64 decode the result to give you the actual binary signature.

	Generate a signature key by prepending "SIGNATURE" to your application's secret key, getting the SHA-256 digest of the resulting string, and taking the first 16 bytes of that digest.

	Generate an HMAC signature of the final data using the SHA-256 digest and the signature key generate above.

	If that signature matches the signature decoded from the 'sig' parameter, the data is valid.