Implementing OAuth 1.0a Authentication Using WebAuthenticationBroker
What is OAuth?
OAuth is an open standard for delegated authorization, which is also widely used for authentication (as in
"Sign in with Twitter"). OAuth gives clients a method to access server resources on behalf of a resource owner,
and gives end users a process to authorize third-party access to their server resources without sharing their
credentials (typically a username and a password), using user-agent redirections.
The OAuth 1.0 protocol was published as RFC 5849.
In this article I will show how to simplify the implementation of Twitter OAuth 1.0a support in Windows* 8
applications using the WebAuthenticationBroker class.
Twitter OAuth 1.0a authentication flow
Let's review the Twitter authentication flow.
The application needs to perform three steps to authenticate with Twitter. This sequence is commonly known as
"three-legged OAuth."
Step 1: OAuth/request_token
First, the application must obtain a request token by making a signed POST request to
https://api.twitter.com/oauth/request_token. This request must include the oauth_callback parameter.
At this point the application holds no token yet, so the request is signed with the consumer secret alone.
The signing procedure is described here: https://dev.twitter.com/docs/auth/authorizing-request.
Step 2: OAuth/authenticate
The next step is to direct the user to Twitter to complete the authorization. The application opens
https://api.twitter.com/oauth/authenticate in a browser with a GET request carrying the oauth_token
parameter (the request token from Step 1).
After the user successfully authenticates and approves the application, Twitter redirects the browser to the
oauth_callback URL with the oauth_token and oauth_verifier parameters appended.
Step 3: OAuth/access_token
The last step is to exchange the request token for an access token. To obtain the access token, the application
makes a signed POST request to https://api.twitter.com/oauth/access_token. The request must include the
oauth_verifier value obtained in Step 2, and it is signed with the request token secret from Step 1.
If the exchange succeeds, the response contains oauth_token, oauth_token_secret, user_id and screen_name.
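The signing that Steps 1 and 3 both depend on is shown below as an added example in Python; it is not code from this article or from Twitter. It implements the RFC 5849 signature base string and HMAC-SHA1 signature and wraps them for the two signed POSTs of the flow. The consumer key, secrets, tokens, nonce, timestamp and callback in the usage section are constructed sample values, and the functions request_token_header and access_token_header are names chosen here, not Twitter API names.

```python
"""OAuth 1.0a request signing (RFC 5849, HMAC-SHA1) for the three-legged Twitter flow.

Added example; not code from the article. Credentials, tokens, nonce, timestamp
and callback used at the bottom are constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlsplit


def pct(value: str) -> str:
    """RFC 5849 section 3.6 encoding: everything but ALPHA / DIGIT / - . _ ~ becomes %XX."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized parameters).

    Query-string parameters are folded into the parameter set; the base URL
    keeps only scheme, host and path.
    """
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    merged = dict(params)
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        merged[key] = values[0]
    pairs = sorted((pct(k), pct(v)) for k, v in merged.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(base_url)}&{pct(normalized)}"


def hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """RFC 5849 section 3.4.2: key = enc(consumer secret) & enc(token secret).

    In Step 1 there is no token yet, so the key ends in a bare '&'.
    """
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, url, consumer_key, consumer_secret, token=None,
                 token_secret="", extra=None, nonce=None, timestamp=None):
    """Sign one request; returns (oauth parameters incl. signature, Authorization header value).

    `extra` holds further signed parameters: protocol ones (oauth_callback,
    oauth_verifier) go into the header, body parameters such as status do not.
    """
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh per request, for replay protection
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    signed = {**oauth, **(extra or {})}
    signature = hmac_sha1(signature_base_string(method, url, signed), consumer_secret, token_secret)
    header_params = {k: v for k, v in signed.items() if k.startswith("oauth_")}
    header_params["oauth_signature"] = signature
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(header_params.items()))
    return header_params, header


REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def request_token_header(consumer_key, consumer_secret, callback, **kw):
    """Step 1: POST oauth/request_token, signed with the consumer secret alone."""
    return sign_request("POST", REQUEST_TOKEN_URL, consumer_key, consumer_secret,
                        extra={"oauth_callback": callback}, **kw)


def access_token_header(consumer_key, consumer_secret, request_token, request_secret, verifier, **kw):
    """Step 3: POST oauth/access_token, signed with the request token secret, carrying oauth_verifier."""
    return sign_request("POST", ACCESS_TOKEN_URL, consumer_key, consumer_secret,
                        token=request_token, token_secret=request_secret,
                        extra={"oauth_verifier": verifier}, **kw)


if __name__ == "__main__":
    # Constructed sample credentials and tokens; not real keys.
    _, step1 = request_token_header("sample-consumer-key", "sample-consumer-secret",
                                    "https://myurl.com", nonce="n0", timestamp=1)
    print("Step 1 Authorization:", step1)
    _, step3 = access_token_header("sample-consumer-key", "sample-consumer-secret",
                                   "req-token-from-step-1", "req-secret-from-step-1",
                                   "verifier-from-step-2")
    print("Step 3 Authorization:", step3)
```

The nonce and timestamp are taken as arguments only so the output is reproducible; in an application leave them unset so every request gets a fresh nonce, which is what lets the server reject replays. The same sign_request call also signs ordinary API requests after Step 3, with the access token and its secret in place of the request token.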
Callback URL for desktop applications
It's easy to specify an oauth_callback URL for a web site.
But what oauth_callback URL should a developer specify for a Windows 8 application? The application
doesn't have a URL of its own at which to catch the redirected authentication request in Step 2.
The developer has two choices.
The first choice is to set oauth_callback to "oob" (out-of-band), the PIN mode. In this case, Twitter shows the
user a PIN code on the screen in Step 2. The application implements UI controls to enter the PIN code before
Step 3, and the user has to remember the PIN and type it into the application manually.
The second choice is to use WebAuthenticationBroker with a placeholder URL as oauth_callback.
Simplifying the process using the WebAuthenticationBroker class
Developers register a placeholder URL in the Twitter application settings and send the same URL in the
oauth_callback parameter in Step 1. The URL does not need to resolve to anything, because the redirect is never
actually followed: it only has to be recognizable by the broker.
Step 2 is implemented using WebAuthenticationBroker:
1. The application calls WebAuthenticationBroker.AuthenticateAsync with the authenticate URL as the start
URI and the placeholder callback as the end URI.
2. WebAuthenticationBroker opens a new browser session, isolated from the application.
3. The user authorizes the application in that browser session.
4. After successful authentication, Twitter redirects the browser to the oauth_callback URL with the
oauth_token and oauth_verifier parameters appended.
5. WebAuthenticationBroker detects that the navigation reached the end URI, closes the session and returns
the final URL, including those parameters, to the application.
6. The application parses and stores the parameters for Step 3.
As a result, the user doesn't need to remember and enter a PIN code manually in the application UI. The
application still has to parse the returned URL itself, and before it proceeds to Step 3 it should check that the
oauth_token in the redirect is the request token it obtained in Step 1, so that it only completes the flow it
started.
Here is a code sample (modified from the MSDN version):
/* MSDN code sample: http://msdn.microsoft.com/library/windows/apps/br227025 */
/* Step 2: OAuth/authenticate */
// Requires: using Windows.Security.Authentication.Web;
// The placeholder URL must be registered in the Twitter application settings
// and must be the same value that was sent as oauth_callback in Step 1.
String oauth_callback = "https://myurl.com";
// doc: https://dev.twitter.com/docs/api/1/get/oauth/authenticate
// oauth_token is the request token obtained in Step 1.
String TwitterURL = "https://api.twitter.com/oauth/authenticate?oauth_token=" + oauth_token;
System.Uri StartUri = new Uri(TwitterURL);
System.Uri EndUri = new Uri(oauth_callback);

WebAuthenticationResult result = await WebAuthenticationBroker.AuthenticateAsync(
    WebAuthenticationOptions.None, StartUri, EndUri);
if (result.ResponseStatus == WebAuthenticationStatus.Success)
{
    // ResponseData is the full redirect URL, e.g.
    // https://myurl.com?oauth_token=...&oauth_verifier=...
    // Parse oauth_token and oauth_verifier out of it for Step 3.
    OutputToken(result.ResponseData.ToString());
}
else if (result.ResponseStatus == WebAuthenticationStatus.ErrorHttp)
{
    OutputToken("HTTP Error returned by AuthenticateAsync() : " + result.ResponseErrorDetail.ToString());
}
else
{
    // Includes WebAuthenticationStatus.UserCancel when the user closes the broker dialog.
    OutputToken("Error returned by AuthenticateAsync() : " + result.ResponseStatus.ToString());
}
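What the application has to do with ResponseData after the broker returns, and with the Step 3 response body, is shown below as an added example in Python; it is not code from the article or from the MSDN sample. RESPONSE_DATA is a constructed sample of the redirect URL the broker returns on Success, and the token and verifier strings in it are made up. The function names extract_verifier and parse_access_token are chosen here. The check that the redirect's oauth_token equals the Step 1 request token is the one a practitioner should add before making the access_token request.

```python
"""Consuming the Step 2 result from WebAuthenticationBroker and the Step 3 response.

Added example, not code from the article. RESPONSE_DATA is a constructed
sample of what AuthenticateAsync returns in ResponseData on Success: the
oauth_callback URL with Twitter's redirect parameters appended.
"""
from urllib.parse import parse_qs, urlsplit

CALLBACK = "https://myurl.com"            # placeholder registered with Twitter and sent in Step 1
REQUEST_TOKEN = "req-token-from-step-1"   # constructed: the oauth_token returned by Step 1

# Constructed: what the broker hands back after the user approves the application.
RESPONSE_DATA = CALLBACK + "?oauth_token=" + REQUEST_TOKEN + "&oauth_verifier=verifier-from-twitter"


def extract_verifier(response_data: str, callback: str, request_token: str) -> str:
    """Return oauth_verifier from the redirect URL, or raise.

    The broker matches the redirect against EndUri by prefix, so scheme and
    host are checked again here, and the oauth_token in the redirect must be
    the request token obtained in Step 1: a different token means the redirect
    does not belong to the flow this application started.
    """
    url, cb = urlsplit(response_data), urlsplit(callback)
    if (url.scheme, url.netloc) != (cb.scheme, cb.netloc):
        raise ValueError("redirect did not land on the registered callback")
    query = parse_qs(url.query)
    if "denied" in query:  # Twitter redirects with ?denied=<token> when the user cancels
        raise PermissionError("user declined the authorization request")
    if query.get("oauth_token", [None])[0] != request_token:
        raise ValueError("oauth_token in redirect does not match the Step 1 request token")
    verifier = query.get("oauth_verifier", [""])[0]
    if not verifier:
        raise ValueError("redirect carries no oauth_verifier")
    return verifier


def parse_access_token(body: str) -> dict:
    """Step 3: decode the form-encoded oauth/access_token response body.

    Fails if the two values needed to sign later requests are absent.
    """
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    missing = {"oauth_token", "oauth_token_secret"} - fields.keys()
    if missing:
        raise ValueError(f"access_token response is missing {sorted(missing)}")
    return fields


if __name__ == "__main__":
    verifier = extract_verifier(RESPONSE_DATA, CALLBACK, REQUEST_TOKEN)
    print("oauth_verifier for Step 3:", verifier)
    # Constructed sample of a Step 3 response body.
    creds = parse_access_token("oauth_token=access-token&oauth_token_secret=access-secret"
                               "&user_id=12345&screen_name=example_user")
    print("authenticated as", creds["screen_name"], "user_id", creds["user_id"])
```

In the C# sample above, the equivalent checks go where OutputToken is called on ResponseData: parse the query string, compare oauth_token with the request token held since Step 1, and only then build the Step 3 request with oauth_verifier.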
References
RFC 5849 - The OAuth 1.0 Protocol
Implementing Sign in with Twitter
WebAuthenticationBroker class
Software License
This code leverages sample software obtained from MSDN under the MS-LPL license. For additional details
please refer to MSDN terms of service: http://msdn.microsoft.com/en-us/cc300389.aspx#B
Notices
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS
OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS
DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL
ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO
SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A
PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER
INTELLECTUAL PROPERTY RIGHT.
UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR
ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL
INJURY OR DEATH MAY OCCUR.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not
rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel
reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities
arising from future changes to them. The information here is subject to change without notice. Do not finalize a
design with this information.
The products described in this document may contain design defects or errors known as errata which may cause
the product to deviate from published specifications. Current characterized errata are available on request.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your
product order.
Copies of documents which have an order number and are referenced in this document, or other Intel literature,
may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm
Software and workloads used in performance tests may have been optimized for performance only on Intel
microprocessors. Performance tests, such as SYSmark* and MobileMark*, are measured using specific computer
systems, components, software, operations, and functions. Any change to any of those factors may cause the
results to vary. You should consult other information and performance tests to assist you in fully evaluating your
contemplated purchases, including the performance of that product when combined with other products.
Any software source code reprinted in this document is furnished under a software license and may only be used
or copied in accordance with the terms of that license.
Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
Copyright © 2013 Intel Corporation. All rights reserved.
*Other names and brands may be claimed as the property of others.