How do I avoid Windows Live appending "popopui=1" to my authorize request?


  • Given a typical request URL such as;


    Window Live sends me a 302 for https://login.live.com/login.srf?.....

    but how do I stop it appending "popupui=1" to end? I'm not launching it in a popup and I'm using the page redirect method. The difference that flag makes is that when popupui=0 Windows Live displays the full page layout whereas the popupui is a smaller, more minimal set of fields.

    Daniel Sinclair

    Tuesday, July 30, 2013 12:09 PM

All replies

  • oauth.live.com is actually a legacy endpoint.  Have you tried using login.live.com as described here:


    Carl Hirschman

    Tuesday, July 30, 2013 7:56 PM
  • I'm now using the oauth2 endpoint (login.live.com/oauth20_authorize.srf) 

    and I get the same issue. According to the docs I should be able to influence the redirect paramater with &mode=page but it doesn't work (see http://stackoverflow.com/questions/17942975/dotnetopenauth-aspnet-how-to-avoid-popupui-1-on-windows-live).

    I want the login page to have either popupui=0 or remove the parameter altogether so I get the branded version; https://sc.imp.live.com/content/dam/imp/surfaces/mail_signin/v3/images/Security.jpg

    Daniel Sinclair

    Thursday, October 24, 2013 1:01 PM
  • Would you be able to provide a code sample and a Fiddler trace? 

    Carl Hirschman

    Thursday, October 24, 2013 5:57 PM
  • Easier than that, I can just give you a clickable link (make sure you logout of microsoft first);

    This should give the full branded experience I believe;


    But it's exactly the same as the popup version;


    Only this one is different;


    I can list links for the legacy endpoints which seem to do redirect involving popupui=0|1 but the net result is exactly the same.

    Daniel Sinclair

    Thursday, October 24, 2013 9:38 PM
  • I just followed up internally.

    Unfortunately, it looks like we don't currently support a full frame OAuth experience for 3rd party applications.

    Carl Hirschman

    Thursday, October 24, 2013 11:18 PM
  • I figured as much. It *looks* like there's a proprietary url parameter for branding used by Microsoft across their products but I'd hoped that there would be a Microsoft account default.

    The trouble with the unbranded version is that the user doesn't immediately recognise the login screen as belonging to their Microsoft account. It would surely be sensible to display the branding image from the generic Microsoft Account product no?

    I don't need to be able to brand it with my own app, I just specifically wish for your users to feel safe and comfortable that they're entering microsoft details in a microsoft site.

    I know they can look at the URL but it's not terribly polished - it looks unfinished.

    Incidentally, I don't think popup support only is realistic. The whole point of a full page redirect is to assure they user they are entering their password on the microsoft site and not ours. With a popup this is not so clear.

    Daniel Sinclair

    Friday, October 25, 2013 1:12 PM