I have recently battled my way through creating an Owin-based web UI application using Microsoft Account (MSA, formerly Live Id) as my authentication provider. Here are a summary of my experience and the resulting code.
1. This blog has most of what you need, including how to set up your application to use MSA and how to use Fully Qualified Domain Name while running on localhost: http://www.asp.net/web-api/overview/security/external-authentication-services
2. Couple of things you will also need:
If you are using IIS Express and also have IIS installed, you will probably need to use a port different from 80 with your FQDN URL. If so, you will need to allow access to this port using:
netsh http add urlacl url=http://myfqdn.com:58611/ user=everyone
3. When setting up your account in the Microsoft Account Developer Center (), make sure that your redirect URLs include one that ends with ‘signin-microsoft’, e.g. http://owinsamples.com:51723/signin-microsoft. Otherwise, when you run the app and get edirected to MSA for authentication, it will display with an error screen with a message to ‘try later’. Actually, the url of the screen includes the correct error message (incorrect redirect; no number of ‘try later’s will fix the problem).
4. Finally, the code. My goal was to use Owin only, without MVC or WebAPI or other application level infrastructure.
public void Configuration(IAppBuilder app)
AuthenticationType = DefaultAuthenticationTypes.ExternalCookie, // == "ExternalCookie",
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
ClientId = "…….", // per your setup through http://go.microsoft.com/fwlink/?LinkID=144070.
ClientSecret = "……",
CallbackPath = new PathString("/signin-microsoft"), // default
Provider = new MicrosoftAccountAuthenticationProvider()
OnAuthenticated = (ctx) =>
//RedirectUri = "http://owinsamples.com:51723/" // seems to be ignored
return context.Response.WriteAsync("Hello " + ClaimsPrincipal.Current.Identity.Name + " from my OWIN App: " + DateTime.Now);
The first part is as per the blog I have already mentioned. I have added my own Provider to capture the authentication event and establish the principal thus received as my ClaimPrincipal:
ctx.OwinContext.Environment["server.User"] = new ClaimsPrincipal(ctx.Identity);
app.Run starts with checking whether a user has already been authenticated and if not redirects to MSA. The redirection happens because:
- AuthenticationMode is set to Active
- Response code is set to 401 (Unauthorized)
Owin infrastructure catches the 401 and converts it into a 302 (redirect) to MSA.
The string constant “Microsoft” is required though at this stage I can’t recall how I found that out.
You will obviously need to install a number of NuGet packages to make this run, in particular: Microsoft.Owin, Microsoft.Owin.Security, Microsoft ASP.NET Identity Owin, Microsoft.Owin.Host.SystemWeb (if using ASP.NET), Microsoft.Owin.Security.MicrosoftAccount.