I am using the new OAuthWebSecurity wrapper for DotNetOpenAuth to allow users to log in to an MVC4 application with their Microsoft Account (aka Windows Live ID).
I have registered the microsoft client:
OAuthWebSecurity.RegisterMicrosoftClient(clientId: "...", clientSecret: "...");
It is all working, and I love the simplicity of it. But how do I refine what it's doing?
After selecting to log in with their Microsoft Account, the user is taken to a screen asking them to log in:
When they log in, I want them to be able to check the "keep me signed in" box.
Microsoft then asks for them to OK my access:
But I don't actually want that much access. All I want is their name and email address. And maybe their picture. I certainly don't need or want access to their contacts and friends. This is going to scare off my users.
Where can I pass parameters to OAuthWebSecurity or DotNetOpenAuth to control this?
So the user clicks yes and all is ok. However, when they leave and come back to my site - the "keep me signed in" option should have been honored. It isn't. Instead, they see this:
I don't understand the message that says:
Because you're accessing sensitive info, you need to verify your password.
What sensitive info? The contacts/friends I didn't want to begin with? Or something else?
How can I get around these two issues to make my application more user-friendly?