
How do you authenticate to a single SkyDrive account and not ask the user for credentials?

I have a client that would like to use SkyDrive as a cloud storage for a web site. This website will not be asking the user of the site for their SkyDrive account to show them their files, but rather the owner of the website will be storing some files in SkyDrive and would like to share them with users logged in to his site. My question is, how can I send credentials to the SkyDrive API directly from the back end PHP code of the website?

The API docs on Live Connect (http://msdn.microsoft.com/en-us/library/live/hh243647.aspx) seem to focus on presenting the user with a log in form to send the user's credentials to the service. Again, that is not what I want. The user of the web site should not have to do anything but go to the page and they will see the files mirrored from the SkyDrive account. The credentials should be stored on the server and sent when the user requests the page.

I asked a question similar to this about Google Docs (How do I connect to the Google Calendar API without the oAuth authentication?). The answer to that question was to set up a temporary script to get a refresh token that could be used over and over again to authenticate. I tried that and it did work. However, I am unsure of how long the refresh token lasts and if that same method would work with the SkyDrive API.

Edit: After doing some more research, the Live Connect Docs (http://msdn.microsoft.com/en-us/library/live/hh826540) say:

After a user provides consent, Live Connect gives your app a special code, or access token, that lets your app work with that portion of the user's info to which he or she consented. Typically, this access token is good for about one hour. After this hour is up, your app won't be able to work with the user's info anymore—it must ask the user to go through the sign-in and consent process again. To get around this, you can ask the user to consent to the wl.offline_access scope. This gives your app an additional code, called a refresh token, that your app can use to get a new access token whenever it needs one—even after the user signs out—typically, for up to a year. However, the user can revoke your app's access at any time. If a user chooses to revoke consent to your app, no corresponding access tokens or refresh tokens will work—your app must ask the user to go through the sign-in and consent process once again.

So, it looks like the refresh token lasts for a year. That means I could rig something to get a refresh token, store that, and on each page request, use the refresh token to get an access token and display the data. However, once a year I would have to update the refresh token for this client and store it. Does that sound right and is this the best way to do it?

Jon Hargett asked Nov 12 '22 23:11


1 Answer

OAuth 2 has a special flow exactly for this, called Client Credentials Grant.

Google already implements this with Service Accounts and Client certificates, as was mentioned in this answer to your other question.

However, Microsoft thus far does not implement that flow, so your best way at the moment is to use the workaround you're already using for Google Docs.

Jan Gerlinger answered Nov 15 '22 13:11
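
The stored-refresh-token workaround discussed in the question and answer above, sketched as an added example (not code from either poster or from Microsoft). It assumes the one-time consent script has already written a refresh token to a state file outside the web root; the `$post` callable, the environment variable names and the demo values are hypothetical, and a fake transport stands in for the HTTPS POST to the provider's token endpoint.

```php
<?php
// $post is any callable(array $fields): array that POSTs the form to the
// provider's token endpoint over HTTPS and returns the decoded JSON response.
function get_access_token(string $stateFile, callable $post, int $now): string
{
    $state = json_decode((string) @file_get_contents($stateFile), true) ?: [];
    if (empty($state['refresh_token'])) {
        throw new RuntimeException('No refresh token stored; run the one-time consent script.');
    }
    // Reuse the cached access token until 60 s before it expires, so the
    // refresh token is not sent on every page request.
    if (!empty($state['access_token']) && ($state['expires_at'] ?? 0) > $now + 60) {
        return $state['access_token'];
    }
    $resp = $post([
        'grant_type'    => 'refresh_token',
        'client_id'     => getenv('OAUTH_CLIENT_ID'),      // hypothetical variable names;
        'client_secret' => getenv('OAUTH_CLIENT_SECRET'),  // keep secrets out of the code
        'refresh_token' => $state['refresh_token'],
    ]);
    if (empty($resp['access_token'])) {
        // Typically invalid_grant: consent was revoked or the refresh token expired.
        throw new RuntimeException('Token refresh failed: ' . ($resp['error'] ?? 'unknown'));
    }
    $state['access_token'] = $resp['access_token'];
    $state['expires_at']   = $now + (int) ($resp['expires_in'] ?? 3600);
    // Keep a rotated refresh token if the provider returns a new one.
    $state['refresh_token'] = $resp['refresh_token'] ?? $state['refresh_token'];

    $old = umask(0077);                       // state file readable by the web user only
    file_put_contents($stateFile . '.tmp', json_encode($state), LOCK_EX);
    rename($stateFile . '.tmp', $stateFile);  // atomic replace, no half-written file
    umask($old);
    return $state['access_token'];
}

// Constructed demo: the fake transport counts how often a refresh happens.
$file = sys_get_temp_dir() . '/token_demo.json';
file_put_contents($file, json_encode(['refresh_token' => 'rt-constructed-1']));
$calls = 0;
$fake = function (array $fields) use (&$calls): array {
    $calls++;
    return ['access_token' => "at-$calls", 'expires_in' => 3600, 'refresh_token' => 'rt-constructed-2'];
};
$first  = get_access_token($file, $fake, 1000);  // no cached token: refreshes
$second = get_access_token($file, $fake, 2000);  // cached token still valid: no request
$third  = get_access_token($file, $fake, 5000);  // cached token expired: refreshes again
var_dump([$first, $second, $third, $calls]);
unlink($file);
```

Catching the refresh failure and alerting the site owner is what turns the yearly re-consent into a planned task rather than an outage.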