Send user to:
http://consent.live.com/Delegation.aspx?RU=[return URL]&ps=Contacts.Invite&pl=[privacy URL]
where [return URL] is your post-back URL, and [privacy URL] is the URL of your privacy policy.
When the user has authenticated and granted your application permission, you receive a post-back which includes the parameter 'ConsentToken'.
Un-URL-encode the ConsentToken parameter to yield a querystring.
Extract the 'eact' parameter from the querystring.
Un-URL-encode that parameter.
Base-64 decode that.
Store the first 16 bytes as the 'initialisation vector'. The remaining data is the encrypted message.
Generate your encryption key by prepending "ENCRYPTION" to your application's secret key, getting the SHA-256 digest of the resulting string, and taking the first 16 bytes of that.
Decrypt the encrypted message using the AES-128-CBC cipher, using the encryption key and initialisation vector generated above.
The decrypted message consists of a querystring with a final parameter 'sig'. Remove the 'sig' parameter from the querystring and store it. The remaining querystring is your final data, containing the tokens etc. that you'll need to access the Contacts service.
To validate the data:
Un-URL-encode the 'sig' parameter, and then Base-64 decode the result to give you the actual binary signature.
Generate a signature key by prepending "SIGNATURE" to your application's secret key, getting the SHA-256 digest of the resulting string, and taking the first 16 bytes of that digest.
Generate an HMAC-SHA256 signature of the final data using the signature key generated above.
If that signature matches the signature decoded from the 'sig' parameter, the data is valid.
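The whole decode-and-validate path above, as an added Ruby example using the standard openssl library (not code from the gist); the secret, the sample parameters, the fixed IV and the issuer-side encoder used to produce a test token are constructed here, and it assumes the '&' separating the data from 'sig' is not part of the signed data.

```ruby
require 'openssl'
require 'base64'
require 'cgi'

# Key derivation as the notes describe: SHA-256 of (prefix + secret), first 16 bytes.
def derive_key(prefix, secret)
  OpenSSL::Digest::SHA256.digest(prefix + secret)[0, 16]
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decode and validate a ConsentToken post-back value; returns the final data as a
# hash of parameter => value and raises on any decoding or signature failure.
def decode_consent_token(consent_token, secret)
  # Un-URL-encode the ConsentToken to yield a querystring and extract 'eact'
  # (CGI.parse also un-URL-encodes the value, leaving the Base-64 text).
  eact = CGI.parse(CGI.unescape(consent_token))['eact'].first
  raise ArgumentError, 'eact parameter missing' unless eact
  raw = Base64.decode64(eact)
  iv, ciphertext = raw[0, 16], raw[16..-1] # first 16 bytes are the IV
  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  cipher.decrypt
  cipher.key = derive_key('ENCRYPTION', secret)
  cipher.iv = iv
  plaintext = cipher.update(ciphertext) + cipher.final
  # 'sig' is the final parameter; everything before "&sig=" is the signed data
  # (assumption: the '&' separating it from 'sig' is not part of what was signed).
  data, sig_param = plaintext.split('&sig=', 2)
  raise ArgumentError, 'sig parameter missing' unless sig_param
  sig = Base64.decode64(CGI.unescape(sig_param))
  expected = OpenSSL::HMAC.digest('SHA256', derive_key('SIGNATURE', secret), data)
  raise ArgumentError, 'signature mismatch' unless secure_equal?(sig, expected)
  CGI.parse(data).transform_values(&:first)
end

# Issuer-side encoder, constructed here only to produce sample tokens for testing:
# it runs the decoding steps above in reverse.
def build_consent_token(params, secret, iv)
  data = params.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }.join('&')
  sig = OpenSSL::HMAC.digest('SHA256', derive_key('SIGNATURE', secret), data)
  plaintext = data + '&sig=' + CGI.escape(Base64.strict_encode64(sig))
  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  cipher.encrypt
  cipher.key = derive_key('ENCRYPTION', secret)
  cipher.iv = iv
  eact = Base64.strict_encode64(iv + cipher.update(plaintext) + cipher.final)
  CGI.escape("eact=#{CGI.escape(eact)}&delt=0")
end
```

A wrong application secret fails either at AES padding removal or at the HMAC check, and both paths raise rather than returning partial data.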