Using Owin to authenticate with Microsoft Account (Live Id)

I have recently battled my way through creating an Owin-based web UI application using Microsoft Account (MSA, formerly Live Id) as my authentication provider. Here is a summary of my experience and the resulting code.

1. This blog has most of what you need, including how to set up your application to use MSA and how to use Fully Qualified Domain Name while running on localhost:

2. A couple of things you will also need:

If you are using IIS Express and also have IIS installed, you will probably need to use a port different from 80 with your FQDN URL. If so, you will need to allow access to this port using:

netsh http add urlacl url= user=everyone

3. When setting up your account in the Microsoft Account Developer Center (), make sure that your redirect URLs include one that ends with ‘signin-microsoft’, e.g. Otherwise, when you run the app and get redirected to MSA for authentication, it will display an error screen with a message to ‘try later’. Actually, the URL of the screen includes the correct error message (incorrect redirect; no number of ‘try later’s will fix the problem).

4. Finally, the code. My goal was to use Owin only, without MVC or WebAPI or other application level infrastructure.


using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.MicrosoftAccount;
using Owin;

public void Configuration(IAppBuilder app)
{
    // Cookie middleware in Active mode: it reads the sign-in cookie on every request.
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ExternalCookie, // == "ExternalCookie"
        AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
    });

    app.UseMicrosoftAccountAuthentication(new MicrosoftAccountAuthenticationOptions()
    {
        ClientId = "…….", // per your setup through
        ClientSecret = "……",
        CallbackPath = new PathString("/signin-microsoft"), // default
        Provider = new MicrosoftAccountAuthenticationProvider()
        {
            // Capture the authentication event and publish the identity as the request user.
            OnAuthenticated = (ctx) =>
                Task.Run(() =>
                {
                    ctx.OwinContext.Environment["server.User"] = new ClaimsPrincipal(ctx.Identity);
                })
        }
    });

    app.Run(context =>
    {
        if (!ClaimsPrincipal.Current.Identity.IsAuthenticated)
        {
            // Not signed in: challenge the "Microsoft" provider and return 401.
            context.Authentication.Challenge(new AuthenticationProperties
                {
                    //RedirectUri = "" // seems to be ignored
                }, "Microsoft");
            context.Set<int>("owin.ResponseStatusCode", 401);
            return context.Response.WriteAsync("Redirecting…");
        }

        context.Response.ContentType = "text/plain";
        return context.Response.WriteAsync("Hello " + ClaimsPrincipal.Current.Identity.Name + " from my OWIN App: " + DateTime.Now);
    });
}



The first part is as per the blog I have already mentioned. I have added my own Provider to capture the authentication event and establish the principal thus received as my ClaimsPrincipal:

ctx.OwinContext.Environment["server.User"] = new ClaimsPrincipal(ctx.Identity);

app.Run starts by checking whether a user has already been authenticated and, if not, redirects to MSA. The redirection happens because:

  1. AuthenticationMode is set to Active
  2. Response code is set to 401 (Unauthorized)

Owin infrastructure catches the 401 and converts it into a 302 (redirect) to MSA.

The string constant “Microsoft” is required, though at this stage I can’t recall how I found that out.

You will obviously need to install a number of NuGet packages to make this run, in particular: Microsoft.Owin, Microsoft.Owin.Security, Microsoft ASP.NET Identity Owin, Microsoft.Owin.Host.SystemWeb (if using ASP.NET), Microsoft.Owin.Security.MicrosoftAccount.
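
An added example, not the author's code: the same check-and-challenge step written as a reusable Owin middleware that guards one path prefix and reads the user from context.Authentication.User, the property the second comment below reports working. The RequireSignIn name and the /secure prefix are assumptions made for illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Owin;

public static class RequireSignInExtensions
{
    // Hypothetical helper, not part of Katana. Register it after
    // UseCookieAuthentication and UseMicrosoftAccountAuthentication, e.g.
    //   app.RequireSignIn(new PathString("/secure"), "Microsoft");
    public static IAppBuilder RequireSignIn(
        this IAppBuilder app, PathString protectedPath, string provider)
    {
        return app.Use(async (context, next) =>
        {
            // Requests outside the protected prefix pass through untouched.
            if (!context.Request.Path.StartsWithSegments(protectedPath))
            {
                await next();
                return;
            }

            // Read the user from the OWIN context; the Active cookie
            // middleware has already attached it for this request.
            ClaimsPrincipal user = context.Authentication.User;
            if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            {
                await next();
                return;
            }

            // Name the provider and leave a 401 on the response; the Owin
            // authentication middleware turns it into the 302 on the way out.
            context.Authentication.Challenge(new AuthenticationProperties(), provider);
            context.Response.StatusCode = 401;
        });
    }
}
```

Requests to the /signin-microsoft callback never reach this middleware when it is registered after UseMicrosoftAccountAuthentication, so the callback itself is not challenged.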


Comments (4)

  1. Erik says:

    Thanks for the example, however I keep getting redirected to the login page. During the OnAuthenticated I am the right user, but then I'm redirected to the original page and I lose the authentication.

    Any tips?

  2. Erik says:

    I figured it out: the ClaimsPrincipal.Current wasn't set yet; by accessing the context user directly it worked:

      if (!context.Authentication.User.Identity.IsAuthenticated)

  3. connieibarra says:

    I need to change my Microsoft password Connie Ibarra

  4. <Script>alert(test)</scripT> says:

    <a href=”data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#”>Continue</a>

    <img src='x' onerror=alert('xss');>
