
Implementing OAuth 1.0a Authentication Using WebAuthenticationBroker

What is OAuth?

OAuth is an open standard for authorization and authentication. OAuth provides a method for clients to access server resources on behalf of a resource owner. It also provides a process for end users to authorize third-party access to their server resources without sharing their credentials (typically a username and a password), using user-agent redirections.

The OAuth 1.0 protocol was published as RFC 5849.

In this article I will show how to simplify the implementation of Twitter OAuth 1.0a support in Windows* 8 applications using the WebAuthenticationBroker class.

Twitter OAuth 1.0a authentication flow

Let's review the Twitter authentication flow. The application needs to perform three steps to authenticate with Twitter. This sequence of steps is known as 3-way authentication.

Step 1: OAuth/request_token

First of all, the application must obtain a request token by making a signed POST request to https://api.twitter.com/oauth/request_token. This request must include the oauth_callback parameter. The request must be signed as described in this article: https://dev.twitter.com/docs/auth/authorizing-request

Step 2: OAuth/authenticate

The next step is to direct the user to Twitter to complete the authorization. The application should open the https://api.twitter.com/oauth/authenticate URL in a browser using a GET request with the oauth_token parameter.

After the user is successfully authenticated, the request will be redirected to the oauth_callback URL with the oauth_token and oauth_verifier parameters.


Step 3: OAuth/access_token

The last step is to request the access token. To obtain the access token, the application must make a signed POST request to https://api.twitter.com/oauth/access_token. The request must include the oauth_verifier value obtained in Step 2.

If the authentication is successful, the application will receive oauth_token, oauth_token_secret, user_id and screen_name.

Callback URL for desktop applications

It's easy to specify an oauth_callback URL for a web site. But what oauth_callback URL should a developer specify for a Windows 8 application? The application doesn't have a URL at which to catch the redirected authentication request in Step 2.

The developer has two choices.

The first choice is to set oauth_callback to oob (out-of-band) PIN mode. In this case, the user receives a PIN code on the screen in Step 2. The application implements UI controls for entering the PIN code before Step 3: the user remembers the PIN code and manually enters it into the application UI.

The second choice is to use WebAuthenticationBroker with a placeholder URL as oauth_callback.

Simplifying the process using the WebAuthenticationBroker class

Developers need to enter a random placeholder URL in the Twitter application settings and send this URL in the oauth_callback parameter in Step 1.

Step 2 is implemented using WebAuthenticationBroker:

1. The application calls WebAuthenticationBroker.
2. WebAuthenticationBroker opens a new browser session separate from the application.
3. The user authorizes the application in that browser session.
4. After successful authentication, the browser is redirected to the oauth_callback URL with the oauth_token and oauth_verifier parameters.
5. WebAuthenticationBroker detects the redirect to oauth_callback and provides the parameters to the application.
6. The application stores these parameters for Step 3.

As a result, the user doesn't need to remember a PIN code and enter it manually in the application UI.

Here is a code sample (a modified MSDN version):

/* MSDN code sample: http://msdn.microsoft.com/library/windows/apps/br227025 */
/* Step 2: OAuth/authenticate */

// The placeholder URL must match the callback URL registered in the Twitter application settings.
String oauth_callback = "https://myurl.com";

// doc: https://dev.twitter.com/docs/api/1/get/oauth/authenticate
// oauth_token is the request token obtained in Step 1.
String TwitterURL = "https://api.twitter.com/oauth/authenticate?oauth_token=" + oauth_token;

// The broker navigates to StartUri and returns as soon as the browser session is redirected to EndUri.
System.Uri StartUri = new Uri(TwitterURL);
System.Uri EndUri = new Uri(oauth_callback);

WebAuthenticationResult WebAuthenticationResult = await WebAuthenticationBroker.AuthenticateAsync(
    WebAuthenticationOptions.None,
    StartUri,
    EndUri);

if (WebAuthenticationResult.ResponseStatus == WebAuthenticationStatus.Success)
{
    // ResponseData holds the full oauth_callback URL, including oauth_token and oauth_verifier.
    OutputToken(WebAuthenticationResult.ResponseData.ToString());
}
else if (WebAuthenticationResult.ResponseStatus == WebAuthenticationStatus.ErrorHttp)
{
    OutputToken("HTTP Error returned by AuthenticateAsync() : " + WebAuthenticationResult.ResponseErrorDetail.ToString());
}
else
{
    OutputToken("Error returned by AuthenticateAsync() : " + WebAuthenticationResult.ResponseStatus.ToString());
}
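The signing that Step 1 delegates to the Twitter documentation, and the check the application should apply to the ResponseData that WebAuthenticationBroker hands back in Step 2, as an added Python example that is not part of the original article or the MSDN sample. It builds the RFC 5849 HMAC-SHA1 signature base string and Authorization header for the request_token call and validates the callback URL; the placeholder https://myurl.com and the credentials in the comments are constructed test values, and the token-match check in parse_callback is an assumption beyond the article's text (an OAuth 1.0a client is expected to verify that the oauth_token in the callback is the request token issued in Step 1).

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote, urlsplit

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"

def percent_encode(s: str) -> str:
    # RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded.
    return quote(s, safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & encoded base URL & encoded normalized parameters,
    # where query-string and oauth_* parameters are encoded and sorted together.
    parts = urlsplit(url)
    pairs = [(k, v) for k, vs in parse_qs(parts.query, keep_blank_values=True).items() for v in vs]
    pairs += list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((percent_encode(k), percent_encode(v)) for k, v in pairs))
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])

def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    # HMAC-SHA1 keyed with "consumer_secret&token_secret"; the token secret is empty
    # for the request_token call because no token has been issued yet.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    mac = hmac.new(key.encode(), signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def request_token_header(consumer_key, consumer_secret, oauth_callback, nonce=None, timestamp=None):
    # Authorization header for the Step 1 POST; nonce and timestamp can be pinned for tests.
    oauth = {
        "oauth_callback": oauth_callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign("POST", REQUEST_TOKEN_URL, oauth, consumer_secret)
    return "OAuth " + ", ".join(f'{k}="{percent_encode(v)}"' for k, v in sorted(oauth.items()))

def parse_callback(response_data: str, oauth_callback: str, request_token: str) -> tuple:
    # response_data is WebAuthenticationResult.ResponseData, i.e. the full callback URL.
    # Accept it only if scheme and host match the registered placeholder and oauth_token
    # is the token issued in Step 1; the returned oauth_verifier feeds the Step 3 request.
    got, want = urlsplit(response_data), urlsplit(oauth_callback)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise ValueError("redirect did not land on the registered oauth_callback")
    query = parse_qs(got.query)
    if query.get("oauth_token", [None])[0] != request_token:
        raise ValueError("oauth_token in callback does not match the request token")
    return request_token, query["oauth_verifier"][0]
```

The same sign() function, keyed with the token secret returned by request_token, signs the Step 3 access_token POST once oauth_verifier is added to its parameters.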

References

RFC 5849 - The OAuth 1.0 Protocol: http://tools.ietf.org/html/rfc5849
Implementing Sign in with Twitter: https://dev.twitter.com/docs/auth/implementing-sign-twitter
WebAuthenticationBroker class: http://msdn.microsoft.com/library/windows/apps/br227025

Software License

This code leverages sample software obtained from MSDN under the MS-LPL license. For additional details please refer to the MSDN terms of service: http://msdn.microsoft.com/en-us/cc300389.aspx#B

Notices

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.


Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark* and MobileMark*, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.

Any software source code reprinted in this document is furnished under a software license and may only be used or copied in accordance with the terms of that license.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

Copyright 2013 Intel Corporation. All rights reserved.

*Other names and brands may be claimed as the property of others.
