Class: WindowsLiveLogin

Inherits:

Object

• Object
• WindowsLiveLogin

Defined in:

lib/windowslivelogin.rb,
lib/windowslivelogin.rb,
lib/windowslivelogin.rb,
lib/windowslivelogin.rb,
lib/windowslivelogin.rb,
lib/windowslivelogin.rb

Overview

Helper methods.

Defined Under Namespace

Classes: ConsentToken, User

Instance Attribute Summary

• #baseurl ⇒ Object

  Sets or gets the base URL to use for the Windows Live Login server.

• #consenturl ⇒ Object

  Sets or gets the Consent Base URL to use for the Windows Live Consent server.

• #force_delauth_nonprovisioned ⇒ Object

  Sets a flag that indicates whether Delegated Authentication is non-provisioned (i.e. does not use an application ID or secret key).

• #oldsecretexpiry ⇒ Object

  Gets the old secret key expiry time.

• #secureurl ⇒ Object

  Sets or gets the secure (HTTPS) URL to use for the Windows Live Login server.

• #securityalgorithm ⇒ Object

  Sets or gets the version of the security algorithm being used.

Class Method Summary

• .initFromXml(settingsFile) ⇒ Object

  Initialize the WindowsLiveLogin module from a settings file.

Instance Method Summary

• #appid ⇒ Object

  Returns the application ID.

• #appid=(appid) ⇒ Object

  Sets the application ID.

• #debug(error) ⇒ Object

  Stub implementation for logging errors.

• #decodeAndValidateToken(token, cryptkey = @cryptkey, signkey = @signkey, internal_allow_recursion = true) ⇒ Object

  Decodes and validates the token.

• #decodeToken(token, cryptkey = @cryptkey) ⇒ Object

  Decodes the given token string; returns undef on failure.

• #derive(secret, prefix) ⇒ Object

  Derives the key, given the secret key and prefix as described in the Web Authentication SDK documentation.

• #e64(s) ⇒ Object

  Base64-encodes and URL-escapes a string.

• #fatal(error) ⇒ Object

  Stub implementation for handling a fatal error.

• #fetch(url) ⇒ Object

  Fetches the contents given a URL.

• #getAppLoginUrl(siteid = nil, ip = nil, js = nil) ⇒ Object

  Returns the URL that is required to retrieve the application security token.

• #getAppRetCode ⇒ Object

  Returns a string that can be passed to the getTrustedParams function as the ‘retcode’ parameter.

• #getAppSecurityToken(siteid = nil, ip = nil) ⇒ Object

  Retrieves the application security token for application verification from the application sign-in URL.

• #getAppVerifier(ip = nil) ⇒ Object

  Generates an application verifier token.

• #getClearCookieResponse ⇒ Object

  Returns an appropriate content type and body response that the application handler can return to signify a successful sign-out from the application.

• #getConsentUrl(offers, context = nil, ru = nil, market = nil) ⇒ Object

  Returns the consent URL to use for Delegated Authentication for the given comma-delimited list of offers.

• #getLoginUrl(context = nil, market = nil) ⇒ Object

  Returns the sign-in URL to use for the Windows Live Login server.

• #getLogoutUrl(market = nil) ⇒ Object

  Returns the sign-out URL to use for the Windows Live Login server.

• #getManageConsentUrl(market = nil) ⇒ Object

  Returns the URL for the consent-management user interface.

• #getRefreshConsentTokenUrl(offers, refreshtoken, ru) ⇒ Object

  Returns the URL to use to download a new consent token, given the offers and refresh token.

• #getTrustedLoginUrl ⇒ Object

  Returns the trusted sign-in URL to use for the Windows Live Login server.

• #getTrustedLogoutUrl ⇒ Object

  Returns the trusted sign-out URL to use for the Windows Live Login server.

• #getTrustedParams(user, retcode = nil) ⇒ Object

  Returns a table of key-value pairs that must be posted to the sign-in URL for trusted sign-in.

• #getTrustedToken(user) ⇒ Object

  Returns the trusted sign-in token in the format that is needed by a control doing trusted sign-in.

• #initialize(appid = nil, secret = nil, securityalgorithm = nil, force_delauth_nonprovisioned = nil, policyurl = nil, returnurl = nil) ⇒ WindowsLiveLogin constructor

  Initialize the WindowsLiveLogin module with the application ID, secret key, and security algorithm.

• #oldsecret=(secret) ⇒ Object

  Sets your old secret key.

• #parse(input) ⇒ Object

  Parses query string and return a table String=>String.

• #parseSettings(settingsFile) ⇒ Object

  Function to parse the settings file.

• #policyurl ⇒ Object

  Gets the privacy policy URL for your site.

• #policyurl=(policyurl) ⇒ Object

  Sets the privacy policy URL, to which the Windows Live ID consent service redirects users to view the privacy policy of your Web site for Delegated Authentication.

• #processConsent(query) ⇒ Object

  Processes the POST response from the Delegated Authentication service after a user has granted consent.

• #processConsentToken(token, context = nil) ⇒ Object

  Processes the consent token string that is returned in the POST response by the Delegated Authentication service after a user has granted consent.

• #processLogin(query) ⇒ Object

  Processes the sign-in response from the Windows Live sign-in server.

• #processToken(token, context = nil) ⇒ Object

  Decodes and validates a Web Authentication token.

• #refreshConsentToken(consenttoken, ru = nil) ⇒ Object

  Attempts to obtain a new, refreshed token and return it.

• #refreshConsentToken2(offers_string, refreshtoken, ru = nil) ⇒ Object

  Helper function to obtain a new, refreshed token and return it.

• #returnurl ⇒ Object

  Returns the return URL of your site.

• #returnurl=(returnurl) ⇒ Object

  Sets the return URL–the URL on your site to which the consent service redirects users (along with the action, consent token, and application context) after they have successfully provided consent information for Delegated Authentication.

• #secret=(secret) ⇒ Object

  Sets your secret key.

• #setDebug(flag) ⇒ Object

  Stub implementation for logging errors.

• #signToken(token, signkey = @signkey) ⇒ Object

  Creates a signature for the given string by using the signature key.

• #timestamp ⇒ Object

  Generates a time stamp suitable for the application verifier token.

• #u64(s) ⇒ Object

  URL-unescapes and Base64-decodes a string.

• #validateToken(token, signkey = @signkey) ⇒ Object

  Extracts the signature from the token and validates it.

Constructor Details

#initialize(appid = nil, secret = nil, securityalgorithm = nil, force_delauth_nonprovisioned = nil, policyurl = nil, returnurl = nil) ⇒ WindowsLiveLogin

Initialize the WindowsLiveLogin module with the application ID, secret key, and security algorithm.

We recommend that you employ strong measures to protect the secret key. The secret key should never be exposed to the Web or other users.

Be aware that if you do not supply these settings at initialization time, you may need to set the corresponding properties manually.

For Delegated Authentication, you may optionally specify the privacy policy URL and return URL. If you do not specify these values here, the default values that you specified when you registered your application will be used.

The ‘force_delauth_nonprovisioned’ flag also indicates whether your application is registered for Delegated Authentication (that is, whether it uses an application ID and secret key). We recommend that your Delegated Authentication application always be registered for enhanced security and functionality.

# File 'lib/windowslivelogin.rb', line 76

def initialize(appid=nil, secret=nil, securityalgorithm=nil,
               force_delauth_nonprovisioned=nil,
               policyurl=nil, returnurl=nil)
  self.force_delauth_nonprovisioned = force_delauth_nonprovisioned
  self.appid = appid if appid
  self.secret = secret if secret
  self.securityalgorithm = securityalgorithm if securityalgorithm
  self.policyurl = policyurl if policyurl
  self.returnurl = returnurl if returnurl
end

Instance Attribute Details

#baseurl ⇒ Object

Sets or gets the base URL to use for the Windows Live Login server. You should not have to change this property. Furthermore, we recommend that you use the Sign In control instead of the URL methods provided here.

# File 'lib/windowslivelogin.rb', line 288

def baseurl
  @baseurl
end

#consenturl ⇒ Object

Sets or gets the Consent Base URL to use for the Windows Live Consent server. You should not have to use or change this property directly.

# File 'lib/windowslivelogin.rb', line 316

def consenturl
  @consenturl
end

#force_delauth_nonprovisioned ⇒ Object

Sets a flag that indicates whether Delegated Authentication is non-provisioned (i.e. does not use an application ID or secret key).

# File 'lib/windowslivelogin.rb', line 232

def force_delauth_nonprovisioned
  @force_delauth_nonprovisioned
end

#oldsecretexpiry ⇒ Object

Gets the old secret key expiry time.

# File 'lib/windowslivelogin.rb', line 212

def oldsecretexpiry
  @oldsecretexpiry
end

#secureurl ⇒ Object

Sets or gets the secure (HTTPS) URL to use for the Windows Live Login server. You should not have to change this property.

# File 'lib/windowslivelogin.rb', line 302

def secureurl
  @secureurl
end

#securityalgorithm ⇒ Object

Sets or gets the version of the security algorithm being used.

# File 'lib/windowslivelogin.rb', line 217

def securityalgorithm
  @securityalgorithm
end

Class Method Details

.initFromXml(settingsFile) ⇒ Object

Initialize the WindowsLiveLogin module from a settings file.

‘settingsFile’ specifies the location of the XML settings file that contains the application ID, secret key, and security algorithm. The file is of the following format:

<windowslivelogin>

<appid>APPID</appid>
<secret>SECRET</secret>
<securityalgorithm>wsignin1.0</securityalgorithm>

</windowslivelogin>

In a Delegated Authentication scenario, you may also specify ‘returnurl’ and ‘policyurl’ in the settings file, as shown in the Delegated Authentication samples.

We recommend that you store the WindowsLiveLogin settings file in an area on your server that cannot be accessed through the Internet. This file contains important confidential information.

# File 'lib/windowslivelogin.rb', line 108

def self.initFromXml(settingsFile)
  o = self.new
  settings = o.parseSettings(settingsFile)

  o.setDebug(settings['debug'] == 'true')
  o.force_delauth_nonprovisioned =
    (settings['force_delauth_nonprovisioned'] == 'true')

  o.appid = settings['appid']
  o.secret = settings['secret']
  o.oldsecret = settings['oldsecret']
  o.oldsecretexpiry = settings['oldsecretexpiry']
  o.securityalgorithm = settings['securityalgorithm']
  o.policyurl = settings['policyurl']
  o.returnurl = settings['returnurl']
  o.baseurl = settings['baseurl']
  o.secureurl = settings['secureurl']
  o.consenturl = settings['consenturl']
  o
end

Instance Method Details

#appid ⇒ Object

Returns the application ID.

# File 'lib/windowslivelogin.rb', line 147

def appid
  if (@appid.nil? or @appid.empty?)
    fatal("Error: appid: App ID was not set. Aborting.")
  end
  @appid
end

#appid=(appid) ⇒ Object

Sets the application ID. Use this method if you did not specify an application ID at initialization.

# File 'lib/windowslivelogin.rb', line 133

def appid=(appid)
  if (appid.nil? or appid.empty?)
    return if force_delauth_nonprovisioned
    fatal("Error: appid: Null application ID.")
  end
  if (not appid =~ /^\w+$/)
    fatal("Error: appid: Application ID must be alpha-numeric: " + appid)
  end
  @appid = appid
end

#debug(error) ⇒ Object

Stub implementation for logging errors. By default, this function does nothing if the debug flag has not been set with setDebug. Otherwise, it tries to log the error message.

# File 'lib/windowslivelogin.rb', line 38

def debug(error)
  return unless @debug
  return if error.nil? or error.empty?
  warn("Windows Live ID Authentication SDK #{error}")
  nil
end

#decodeAndValidateToken(token, cryptkey = @cryptkey, signkey = @signkey, internal_allow_recursion = true) ⇒ Object

Decodes and validates the token.

# File 'lib/windowslivelogin.rb', line 807

def decodeAndValidateToken(token, cryptkey=@cryptkey, signkey=@signkey,
                           internal_allow_recursion=true)
  haveoldsecret = false
  if (oldsecretexpiry and (Time.now.to_i < oldsecretexpiry.to_i))
    haveoldsecret = true if (@oldcryptkey and @oldsignkey)
  end
  haveoldsecret = (haveoldsecret and internal_allow_recursion)

  stoken = decodeToken(token, cryptkey)
  stoken = validateToken(stoken, signkey) if stoken
  if (stoken.nil? and haveoldsecret)
    debug("Warning: Failed to validate token with current secret, attempting old secret.")
    stoken = decodeAndValidateToken(token, @oldcryptkey, @oldsignkey, false)
  end
  stoken
end

#decodeToken(token, cryptkey = @cryptkey) ⇒ Object

Decodes the given token string; returns undef on failure.

First, the string is URL-unescaped and base64 decoded. Second, the IV is extracted from the first 16 bytes of the string. Finally, the string is decrypted using the encryption key.

# File 'lib/windowslivelogin.rb', line 831

def decodeToken(token, cryptkey=@cryptkey)
  if (cryptkey.nil? or cryptkey.empty?)
    fatal("Error: decodeToken: Secret key was not set. Aborting.")
  end
  token =  u64(token)
  if (token.nil? or (token.size <= 16) or !(token.size % 16).zero?)
    debug("Error: decodeToken: Attempted to decode invalid token.")
    return
  end
  iv = token[0..15]
  crypted = token[16..-1]
  begin
    aes128cbc = OpenSSL::Cipher::AES128.new("CBC")
    aes128cbc.decrypt
    aes128cbc.iv = iv
    aes128cbc.key = cryptkey
    decrypted = aes128cbc.update(crypted) + aes128cbc.final
  rescue Exception => e
    debug("Error: decodeToken: Decryption failed: #{token}, #{e}")
    return
  end
  decrypted
end

#derive(secret, prefix) ⇒ Object

Derives the key, given the secret key and prefix as described in the Web Authentication SDK documentation.

# File 'lib/windowslivelogin.rb', line 1067

def derive(secret, prefix)
  begin
    fatal("Nil/empty secret.") if (secret.nil? or secret.empty?)
    key = prefix + secret
    key = OpenSSL::Digest::SHA256.digest(key)
    return key[0..15]
  rescue Exception => e
    debug("Error: derive: #{e}")
    return
  end
end

#e64(s) ⇒ Object

Base64-encodes and URL-escapes a string.

# File 'lib/windowslivelogin.rb', line 1120

def e64(s)
  return unless s
  CGI.escape Base64.encode64(s)
end

#fatal(error) ⇒ Object

Stub implementation for handling a fatal error.

# File 'lib/windowslivelogin.rb', line 48

def fatal(error)
  debug(error)
  raise(error)
end

#fetch(url) ⇒ Object

Fetches the contents given a URL.

# File 'lib/windowslivelogin.rb', line 1136

def fetch(url)
    url = URI.parse url
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = (url.scheme == "https")
    http.request_get url.request_uri
end

#getAppLoginUrl(siteid = nil, ip = nil, js = nil) ⇒ Object

Returns the URL that is required to retrieve the application security token.

By default, the application security token is generated for the Windows Live site; a specific Site ID can optionally be specified in ‘siteid’. The IP address can also optionally be included in ‘ip’.

If ‘js’ is nil, a JavaScript Output Notation (JSON) response is returned in the following format:

“token”:“<value>”

Otherwise, a JavaScript response is returned. It is assumed that WLIDResultCallback is a custom function implemented to handle the token value:

WLIDResultCallback(“<tokenvalue>”);

# File 'lib/windowslivelogin.rb', line 928

def getAppLoginUrl(siteid=nil, ip=nil, js=nil)
  url = secureurl + "wapplogin.srf?app=#{getAppVerifier(ip)}"
  url += "&alg=#{securityalgorithm}"
  url += "&id=#{siteid}" if siteid
  url += "&js=1" if js
  url
end

#getAppRetCode ⇒ Object

Returns a string that can be passed to the getTrustedParams function as the ‘retcode’ parameter. If this is specified as the ‘retcode’, the application will be used as return URL after it finishes trusted sign-in.

# File 'lib/windowslivelogin.rb', line 975

def getAppRetCode
  "appid=#{appid}"
end

#getAppSecurityToken(siteid = nil, ip = nil) ⇒ Object

Retrieves the application security token for application verification from the application sign-in URL.

By default, the application security token will be generated for the Windows Live site; a specific Site ID can optionally be specified in ‘siteid’. The IP address can also optionally be included in ‘ip’.

Implementation note: The application security token is downloaded from the application sign-in URL in JSON format:

“token”:“<value>”

Therefore we must extract <value> from the string and return it as seen here.

# File 'lib/windowslivelogin.rb', line 953

def getAppSecurityToken(siteid=nil, ip=nil)
  url = getAppLoginUrl(siteid, ip)
  begin
    ret = fetch url
    ret.value # raises exception if fetch failed
    body = ret.body
    body.scan(/\{"token":"(.*)"\}/){|match|
      return match
    }
    debug("Error: getAppSecurityToken: Failed to extract token: #{body}")
  rescue Exception => e
    debug("Error: getAppSecurityToken: Failed to get token: #{e}")
  end
  return
end

#getAppVerifier(ip = nil) ⇒ Object

Generates an application verifier token. An IP address can optionally be included in the token.

# File 'lib/windowslivelogin.rb', line 901

def getAppVerifier(ip=nil)
  token = "appid=#{appid}&ts=#{timestamp}"
  token += "&ip=#{ip}" if ip
  token += "&sig=#{e64(signToken(token))}"
  CGI.escape token
end

#getClearCookieResponse ⇒ Object

Returns an appropriate content type and body response that the application handler can return to signify a successful sign-out from the application.

When a user signs out of Windows Live or a Windows Live application, a best-effort attempt is made at signing the user out from all other Windows Live applications the user might be signed in to. This is done by calling the handler page for each application with ‘action’ set to ‘clearcookie’ in the query string. The application handler is then responsible for clearing any cookies or data associated with the sign-in. After successfully signing the user out, the handler should return a GIF (any GIF) image as response to the ‘action=clearcookie’ query.

# File 'lib/windowslivelogin.rb', line 494

def getClearCookieResponse()
  type = "image/gif"
  content = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAEALAAAAAABAAEAAAIBTAA7"
  content = Base64.decode64(content)
  return type, content
end

#getConsentUrl(offers, context = nil, ru = nil, market = nil) ⇒ Object

Returns the consent URL to use for Delegated Authentication for the given comma-delimited list of offers.

If you specify it, ‘context’ will be returned as-is in the consent response for site-specific use.

The registered/configured return URL can also be overridden by specifying ‘ru’ here.

You can change the language in which the consent page is displayed by specifying a culture ID (For example, ‘fr-fr’ or ‘en-us’) in the ‘market’ parameter.

# File 'lib/windowslivelogin.rb', line 521

def getConsentUrl(offers, context=nil, ru=nil, market=nil)
  if (offers.nil? or offers.empty?)
    fatal("Error: getConsentUrl: Invalid offers list.")
  end
  url = consenturl + "Delegation.aspx?ps=#{CGI.escape(offers)}"
  url += "&appctx=#{CGI.escape(context)}" if context
  ru = returnurl if (ru.nil? or ru.empty?)
  url += "&ru=#{CGI.escape(ru)}" if ru
  pu = policyurl
  url += "&pl=#{CGI.escape(pu)}" if pu
  url += "&mkt=#{CGI.escape(market)}" if market
  url += "&app=#{getAppVerifier()}" unless force_delauth_nonprovisioned
  url
end

#getLoginUrl(context = nil, market = nil) ⇒ Object

Returns the sign-in URL to use for the Windows Live Login server. We recommend that you use the Sign In control instead.

If you specify it, ‘context’ will be returned as-is in the sign-in response for site-specific use.

# File 'lib/windowslivelogin.rb', line 338

def getLoginUrl(context=nil, market=nil)
  url = baseurl + "wlogin.srf?appid=#{appid}"
  url += "&alg=#{securityalgorithm}"
  url += "&appctx=#{CGI.escape(context)}" if context
  url += "&mkt=#{CGI.escape(market)}" if market
  url
end

#getLogoutUrl(market = nil) ⇒ Object

Returns the sign-out URL to use for the Windows Live Login server. We recommend that you use the Sign In control instead.

# File 'lib/windowslivelogin.rb', line 350

def getLogoutUrl(market=nil)
  url = baseurl + "logout.srf?appid=#{appid}"
  url += "&mkt=#{CGI.escape(market)}" if market
  url
end

#getManageConsentUrl(market = nil) ⇒ Object

Returns the URL for the consent-management user interface. You can change the language in which the consent page is displayed by specifying a culture ID (For example, ‘fr-fr’ or ‘en-us’) in the ‘market’ parameter.

# File 'lib/windowslivelogin.rb', line 563

def getManageConsentUrl(market=nil)
  url = consenturl + "ManageConsent.aspx"
  url += "?mkt=#{CGI.escape(market)}" if market
  url
end

#getRefreshConsentTokenUrl(offers, refreshtoken, ru) ⇒ Object

Returns the URL to use to download a new consent token, given the offers and refresh token. The registered/configured return URL can also be overridden by specifying ‘ru’ here.

# File 'lib/windowslivelogin.rb', line 542

def getRefreshConsentTokenUrl(offers, refreshtoken, ru)
  if (offers.nil? or offers.empty?)
    fatal("Error: getRefreshConsentTokenUrl: Invalid offers list.")
  end
  if (refreshtoken.nil? or refreshtoken.empty?)
    fatal("Error: getRefreshConsentTokenUrl: Invalid refresh token.")
  end
  url = consenturl + "RefreshToken.aspx?ps=#{CGI.escape(offers)}"
  url += "&reft=#{refreshtoken}"
  ru = returnurl if (ru.nil? or ru.empty?)
  url += "&ru=#{CGI.escape(ru)}" if ru
  url += "&app=#{getAppVerifier()}" unless force_delauth_nonprovisioned
  url
end

#getTrustedLoginUrl ⇒ Object

Returns the trusted sign-in URL to use for the Windows Live Login server.

# File 'lib/windowslivelogin.rb', line 1027

def getTrustedLoginUrl
  secureurl + "wlogin.srf"
end

#getTrustedLogoutUrl ⇒ Object

Returns the trusted sign-out URL to use for the Windows Live Login server.

# File 'lib/windowslivelogin.rb', line 1035

def getTrustedLogoutUrl
  secureurl + "logout.srf?appid=#{appid}"
end

#getTrustedParams(user, retcode = nil) ⇒ Object

Returns a table of key-value pairs that must be posted to the sign-in URL for trusted sign-in. Use HTTP POST to do this. Be aware that the values in the table are neither URL nor HTML escaped and may have to be escaped if you are inserting them in code such as an HTML form.

The user to be trusted on the local site is passed in as string ‘user’.

Optionally, ‘retcode’ specifies the resource to which successful sign-in is redirected, such as Windows Live Mail, and is typically a string in the format ‘id=2000’. If you pass in the value from getAppRetCode instead, sign-in will be redirected to the application. Otherwise, an HTTP 200 response is returned.

# File 'lib/windowslivelogin.rb', line 995

def getTrustedParams(user, retcode=nil)
  token = getTrustedToken(user)
  return unless token
  token = %{<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestedSecurityToken><wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">#{token}</wsse:BinarySecurityToken></wst:RequestedSecurityToken><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"><wsa:Address>uri:WindowsLiveID</wsa:Address></wsa:EndpointReference></wsp:AppliesTo></wst:RequestSecurityTokenResponse>}
  params = {}
  params['wa'] = securityalgorithm
  params['wresult'] = token
  params['wctx'] = retcode if retcode
  params
end

#getTrustedToken(user) ⇒ Object

Returns the trusted sign-in token in the format that is needed by a control doing trusted sign-in.

The user to be trusted on the local site is passed in as string ‘user’.

# File 'lib/windowslivelogin.rb', line 1013

def getTrustedToken(user)
  if user.nil? or user.empty?
    debug('Error: getTrustedToken: Null user specified.')
    return
  end
  token = "appid=#{appid}&uid=#{CGI.escape(user)}&ts=#{timestamp}"
  token += "&sig=#{e64(signToken(token))}"
  CGI.escape token
end

#oldsecret=(secret) ⇒ Object

Sets your old secret key.

Use this property to set your old secret key if you are in the process of transitioning to a new secret key. You may need this property because the Windows Live ID servers can take up to 24 hours to propagate a new secret key after you have updated your application settings.

If an old secret key is specified here and has not expired (as determined by the oldsecretexpiry setting), it will be used as a fallback if token decryption fails with the new secret key.

# File 'lib/windowslivelogin.rb', line 184

def oldsecret=(secret)
  return if (secret.nil? or secret.empty?)
  if (secret.size < 16)
    fatal("Error: oldsecret=: Secret must be at least 16 characters.")
  end
  @oldsignkey = derive(secret, "SIGNATURE")
  @oldcryptkey = derive(secret, "ENCRYPTION")
end

#parse(input) ⇒ Object

Parses query string and return a table String=>String

If a table is passed in from CGI.params, we convert it from String=>[] to String=>String. I believe Rails uses symbols instead of strings in general, so we convert from symbols to strings here also.

# File 'lib/windowslivelogin.rb', line 1088

def parse(input)
  if (input.nil? or input.empty?)
    debug("Error: parse: Nil/empty input.")
    return
  end

  pairs = {}
  if (input.class == String)
    input = input.split('&')
    input.each{|pair|
      k, v = pair.split('=')
      pairs[k] = v
    }
  else
    input.each{|k, v|
      v = v[0] if (v.class == Array)
      pairs[k.to_s] = v.to_s
    }
  end
  return pairs
end

#parseSettings(settingsFile) ⇒ Object

Function to parse the settings file.

# File 'lib/windowslivelogin.rb', line 1048

def parseSettings(settingsFile)
  settings = {}
  begin
    file = File.new(settingsFile)
    doc = REXML::Document.new file
    root = doc.root
    root.each_element{|e|
      settings[e.name] = e.text
    }
  rescue Exception => e
    fatal("Error: parseSettings: Error while reading #{settingsFile}: #{e}")
  end
  return settings
end

#policyurl ⇒ Object

Gets the privacy policy URL for your site.

# File 'lib/windowslivelogin.rb', line 249

def policyurl
  if (@policyurl.nil? or @policyurl.empty?)
    debug("Warning: In the initial release of Del Auth, a Policy URL must be configured in the SDK for both provisioned and non-provisioned scenarios.")
    raise("Error: policyurl: Policy URL must be set in a Del Auth non-provisioned scenario. Aborting.") if force_delauth_nonprovisioned
  end
  @policyurl
end

#policyurl=(policyurl) ⇒ Object

Sets the privacy policy URL, to which the Windows Live ID consent service redirects users to view the privacy policy of your Web site for Delegated Authentication.

# File 'lib/windowslivelogin.rb', line 239

def policyurl=(policyurl)
  if ((policyurl.nil? or policyurl.empty?) and force_delauth_nonprovisioned)
    fatal("Error: policyurl=: Invalid policy URL specified.")
  end
  @policyurl = policyurl
end

#processConsent(query) ⇒ Object

Processes the POST response from the Delegated Authentication service after a user has granted consent. The processConsent function extracts the consent token string and returns the result of invoking the processConsentToken method.

# File 'lib/windowslivelogin.rb', line 702

def processConsent(query)
  query = parse query
  unless query
    debug("Error: processConsent: Failed to parse query.")
    return
  end
  action = query['action']
  unless action == 'delauth'
    debug("Warning: processConsent: query action ignored: #{action}.")
    return
  end
  responsecode = query['ResponseCode']
  unless responsecode == 'RequestApproved'
    debug("Error: processConsent: Consent was not successfully granted: #{responsecode}")
    return
  end
  token = query['ConsentToken']
  context = CGI.unescape(query['appctx']) if query['appctx']
  processConsentToken(token, context)
end

#processConsentToken(token, context = nil) ⇒ Object

Processes the consent token string that is returned in the POST response by the Delegated Authentication service after a user has granted consent.

# File 'lib/windowslivelogin.rb', line 728

def processConsentToken(token, context=nil)
  if token.nil? or token.empty?
    debug("Error: processConsentToken: Null token.")
    return
  end
  decodedtoken = token
  parsedtoken = parse(CGI.unescape(decodedtoken))
  unless parsedtoken
    debug("Error: processConsentToken: Failed to parse token: #{token}")
    return
  end
  eact = parsedtoken['eact']
  if eact
    decodedtoken = decodeAndValidateToken eact
    unless decodedtoken
      debug("Error: processConsentToken: Failed to decode/validate token: #{token}")
      return
    end
    parsedtoken = parse(decodedtoken)
    decodedtoken = CGI.escape(decodedtoken)
  end
  begin
    consenttoken = ConsentToken.new(self,
                                    parsedtoken['delt'],
                                    parsedtoken['reft'],
                                    parsedtoken['skey'],
                                    parsedtoken['exp'],
                                    parsedtoken['offer'],
                                    parsedtoken['lid'],
                                    context, decodedtoken, token)
    return consenttoken
  rescue Exception => e
    debug("Error: processConsentToken: Contents of token considered invalid: #{e}")
    return
  end
end

#processLogin(query) ⇒ Object

Processes the sign-in response from the Windows Live sign-in server.

‘query’ contains the preprocessed POST table, such as that returned by CGI.params or Rails. (The unprocessed POST string could also be used here but we do not recommend it).

This method returns a User object on successful sign-in; otherwise it returns nil.

# File 'lib/windowslivelogin.rb', line 432

def processLogin(query)
  query = parse query
  unless query
    debug("Error: processLogin: Failed to parse query.")
    return
  end
  action = query['action']
  unless action == 'login'
    debug("Warning: processLogin: query action ignored: #{action}.")
    return
  end
  token = query['stoken']
  context = CGI.unescape(query['appctx']) if query['appctx']
  processToken(token, context)
end

#processToken(token, context = nil) ⇒ Object

Decodes and validates a Web Authentication token. Returns a User object on success. If a context is passed in, it will be returned as the context field in the User object.

# File 'lib/windowslivelogin.rb', line 453

def processToken(token, context=nil)
  if token.nil? or token.empty?
    debug("Error: processToken: Null/empty token.")
    return
  end
  stoken = decodeAndValidateToken token
  stoken = parse stoken
  unless stoken
    debug("Error: processToken: Failed to decode/validate token: #{token}")
    return
  end
  sappid = stoken['appid']
  unless sappid == appid
    debug("Error: processToken: Application ID in token did not match ours: #{sappid}, #{appid}")
    return
  end
  begin
    user = User.new(stoken['ts'], stoken['uid'], stoken['flags'],
                    context, token)
    return user
  rescue Exception => e
    debug("Error: processToken: Contents of token considered invalid: #{e}")
    return
  end
end

#refreshConsentToken(consenttoken, ru = nil) ⇒ Object

Attempts to obtain a new, refreshed token and return it. The original token is not modified.

# File 'lib/windowslivelogin.rb', line 769

def refreshConsentToken(consenttoken, ru=nil)
  if consenttoken.nil?
    debug("Error: refreshConsentToken: Null consent token.")
    return
  end
  refreshConsentToken2(consenttoken.offers_string, consenttoken.refreshtoken, ru)
end

#refreshConsentToken2(offers_string, refreshtoken, ru = nil) ⇒ Object

Helper function to obtain a new, refreshed token and return it. The original token is not modified.

# File 'lib/windowslivelogin.rb', line 781

def refreshConsentToken2(offers_string, refreshtoken, ru=nil)
  url = nil
  begin
    url = getRefreshConsentTokenUrl(offers_string, refreshtoken, ru)
    ret = fetch url
    ret.value # raises exception if fetch failed
    body = ret.body
    body.scan(/\{"ConsentToken":"(.*)"\}/){|match|
    return processConsentToken("#{match}")
    }
    debug("Error: refreshConsentToken2: Failed to extract token: #{body}")
  rescue Exception => e
    debug("Error: Failed to refresh consent token: #{e}")
  end
  return
end

#returnurl ⇒ Object

Returns the return URL of your site.

# File 'lib/windowslivelogin.rb', line 275

def returnurl
  if ((@returnurl.nil? or @returnurl.empty?) and force_delauth_nonprovisioned)
    fatal("Error: returnurl: Return URL must be set in a Del Auth non-provisioned scenario. Aborting.")
  end
  @returnurl
end

#returnurl=(returnurl) ⇒ Object

Sets the return URL–the URL on your site to which the consent service redirects users (along with the action, consent token, and application context) after they have successfully provided consent information for Delegated Authentication. This value will override the return URL specified during registration.

# File 'lib/windowslivelogin.rb', line 264

def returnurl=(returnurl)
  if ((returnurl.nil? or returnurl.empty?) and force_delauth_nonprovisioned)
    fatal("Error: returnurl=: Invalid return URL specified.")
  end
  @returnurl = returnurl
end

#secret=(secret) ⇒ Object

Sets your secret key. Use this method if you did not specify a secret key at initialization.

# File 'lib/windowslivelogin.rb', line 158

def secret=(secret)
  if (secret.nil? or secret.empty?)
    return if force_delauth_nonprovisioned
    fatal("Error: secret=: Secret must be non-null.")
  end
  if (secret.size < 16)
    fatal("Error: secret=: Secret must be at least 16 characters.")
  end
  @signkey = derive(secret, "SIGNATURE")
  @cryptkey = derive(secret, "ENCRYPTION")
end

#setDebug(flag) ⇒ Object

Stub implementation for logging errors. If you want to enable debugging output using the default mechanism, specify true. By default, debug information will be printed to the standard error output and should be visible in the web server logs.

# File 'lib/windowslivelogin.rb', line 29

def setDebug(flag)
  @debug = flag
end

#signToken(token, signkey = @signkey) ⇒ Object

Creates a signature for the given string by using the signature key.

# File 'lib/windowslivelogin.rb', line 859

def signToken(token, signkey=@signkey)
  if (signkey.nil? or signkey.empty?)
    fatal("Error: signToken: Secret key was not set. Aborting.")
  end
  begin
    digest = OpenSSL::Digest::SHA256.new
    return OpenSSL::HMAC.digest(digest, signkey, token)
  rescue Exception => e
    debug("Error: signToken: Signing failed: #{token}, #{e}")
    return
  end
end

#timestamp ⇒ Object

Generates a time stamp suitable for the application verifier token.

# File 'lib/windowslivelogin.rb', line 1113

def timestamp
  Time.now.to_i.to_s
end

#u64(s) ⇒ Object

URL-unescapes and Base64-decodes a string.

# File 'lib/windowslivelogin.rb', line 1128

def u64(s)
  return unless s
  Base64.decode64 CGI.unescape(s)
end

#validateToken(token, signkey = @signkey) ⇒ Object

Extracts the signature from the token and validates it.

# File 'lib/windowslivelogin.rb', line 875

def validateToken(token, signkey=@signkey)
  if (token.nil? or token.empty?)
    debug("Error: validateToken: Null token.")
    return
  end
  body, sig = token.split("&sig=")
  if (body.nil? or sig.nil?)
    debug("Error: validateToken: Invalid token: #{token}")
    return
  end
  sig = u64(sig)
  return token if (sig == signToken(body, signkey))
  debug("Error: validateToken: Signature did not match.")
  return
end