Bad request (400) with OAuthWebSecurity.RegisterMicrosoftClient

Question

I am using Microsoft.Web.WebPages.OAuth. I was able to register Google, Facebook, Twitter, Stack Exchange, MyOpenID...

Now I am trying to add Microsoft Live, so I registered:

OAuthWebSecurity.RegisterMicrosoftClient("applicationID", "key");

and called

OAuthWebSecurity.RequestAuthentication("microsoft", Url.Action("Authorization", new { returnUrl = "/" }));

To this point everything is working fine, I get redirected to the login page. The problem is when I come back to

OAuthWebSecurity.VerifyAuthentication();

It says:

The remote server returned an error: (400) Bad Request.

What do I have to do?

Answer 1

I had the same problem. After a lot of research, I came across this bit of source code with the comment:

// Only OAuth2 requires the return url value for the verify authenticaiton step

This means that when you call VerifyAuthentication, you must use the overload that passes the return url for validation by the oauth2 provider (the Microsoft Live ID provider in this case).

Sure enough, when I dig through the walkthrough on the asp.net website, I find that they are indeed passing back the return url, as the url from the action of the callback.

So instead of:

OAuthWebSecurity.VerifyAuthentication();

You need:

var returnUrl = Url.Action("Authorization", new { returnUrl = "/" })
OAuthWebSecurity.VerifyAuthentication(returnUrl);

The return url should match exactly the same as you specified earlier in the RequestAuthentication method.