

Implementing OAuth 1.0a Authentication Using WebAuthenticationBroker

What is OAuth?

OAuth is an open standard for authorization and authentication. OAuth provides a method for clients to access server resources on behalf of a resource owner. It also provides a process for end users to authorize third-party access to their server resources without sharing their credentials (typically, a username and a password), using user-agent redirections.

OAuth 1.0 protocol was published as RFC 5849.

In this article I will show how to simplify the implementation of Twitter OAuth 1.0a support in Windows* 8 applications using the WebAuthenticationBroker class.

Twitter OAuth 1.0a authentication flow

Let's review the Twitter authentication flow. The application needs to perform three steps to authenticate in Twitter. The sequence of these steps is known as "3-way authentication."

Step 1: OAuth/request_token

First of all, the application must obtain a request token by making a signed POST request to https://api.twitter.com/oauth/request_token. This request must include the oauth_callback parameter. The request must be signed as described in this article: https://dev.twitter.com/docs/auth/authorizing-request.

Step 2: OAuth/authenticate

The next step is to direct the user to Twitter to complete the authorization. The application should open the https://api.twitter.com/oauth/authenticate URL in a browser using a GET request with the oauth_token parameter. After the user is successfully authenticated, the request will be redirected to the oauth_callback URL and contain the oauth_token and oauth_verifier parameters.

Step 3: OAuth/access_token

The last step is to request the access token. To obtain the access token, the application must make a signed POST request to https://api.twitter.com/oauth/access_token. The request must include the oauth_verifier value obtained in Step 2. If the authentication is successful, the application will receive oauth_token, oauth_token_secret, user_id and screen_name.
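The "signed POST request" that Steps 1 and 3 require is the HMAC-SHA1 signing procedure of RFC 5849 (sections 3.4 to 3.6): percent-encode and sort every parameter, build the signature base string, and MAC it with the consumer secret and token secret. The following is an added example in Python written for this page; it is not the article's C# code and not Twitter's library. The consumer key, consumer secret, nonce and timestamp values are constructed placeholders; the callback URL is the article's own placeholder https://myurl.com. The verify_signature function recomputes the signature the way the server does, which is a practical way to catch encoding mistakes locally before a request is sent.

```python
"""OAuth 1.0a request signing with HMAC-SHA1 (RFC 5849 sections 3.4 to 3.6)
for the signed POST requests in Step 1 (request_token) and Step 3
(access_token). Added example in Python, not the article's code; consumer
key/secret, nonce and timestamp values below are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def pct(value):
    """RFC 5849 section 3.6: percent-encode everything except unreserved characters."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme and host, drop default port and query."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port and (scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return urlunsplit((scheme, host, p.path or "/", "", ""))


def signature_base_string(method, url, params):
    """Section 3.4.1: params are all oauth_* values plus query and form
    parameters, excluding oauth_signature and realm."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in list(params.items()) + query)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """Section 3.4.2: key is the encoded consumer secret and token secret joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def authorization_header(method, url, consumer_key, consumer_secret, token=None,
                         token_secret="", body_params=None, nonce=None,
                         timestamp=None, **oauth_extra):
    """Build the 'Authorization: OAuth ...' header value. Step 1 passes
    oauth_callback=... with no token; Step 3 passes the request token, its
    secret and oauth_verifier=... . Returns (header, base_string)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth.update(oauth_extra)
    base = signature_base_string(method, url, {**oauth, **(body_params or {})})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, base


def parse_authorization_header(header):
    """Split an 'OAuth k="v", k="v"' header back into decoded parameters."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    out = {}
    for part in header[len("OAuth "):].split(", "):
        k, _, v = part.partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_signature(method, url, header, consumer_secret, token_secret="", body_params=None):
    """What the server does: recompute the signature from the received header
    and compare in constant time. A mismatch here before sending almost always
    means a percent-encoding or parameter-ordering mistake."""
    received = parse_authorization_header(header)
    presented = received.pop("oauth_signature", "")
    received.pop("realm", None)
    base = signature_base_string(method, url, {**received, **(body_params or {})})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    # Step 1: request token; the callback is the article's placeholder URL.
    h1, _ = authorization_header("POST", REQUEST_TOKEN_URL, "ck-example", "cs-example",
                                 oauth_callback="https://myurl.com")
    print(h1)
    # Step 3: exchange the request token plus verifier for the access token.
    h3, _ = authorization_header("POST", ACCESS_TOKEN_URL, "ck-example", "cs-example",
                                 token="REQTOKEN123", token_secret="REQSECRET456",
                                 oauth_verifier="VERIFIER789")
    print(h3)
```

The token secret is part of the HMAC key, not of the signed parameters, so it never leaves the client; in Step 1 it is empty and the key ends in a bare "&". Values such as the callback URL are encoded once when they go into the header and twice inside the base string, which is the detail most hand-written signers get wrong.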

Callback URL for desktop applications

It's easy to specify an oauth_callback URL for a web site. But what oauth_callback URL should a developer specify for a Windows 8 application? The application doesn't have a URL to catch the redirected authentication request at Stage 2.

The developer has two choices.

The first choice is to set oauth_callback to "oob" (out-of-band) PIN mode. In this case, the user must read a PIN code from the screen at Stage 2. The application implements UI controls to enter the PIN code before Stage 3. The user remembers and manually enters the PIN code into the application UI.

The second choice is to use WebAuthenticationBroker and a placeholder URL as oauth_callback.

Simplifying the process using WebAuthenticationBroker class

Developers need to enter a random placeholder URL in the Twitter application settings and send this URL in the oauth_callback parameter in Stage 1.

Stage 2 is implemented using WebAuthenticationBroker:

1. The application calls WebAuthenticationBroker.
2. WebAuthenticationBroker opens a new browser session separate from the application.
3. The user has the ability to authorize in the browser session.
4. After the successful authentication, the browser will be redirected to the oauth_callback URL with the oauth_token and oauth_verifier parameters.
5. WebAuthenticationBroker detects the oauth_callback redirect and provides the parameters to the application.
6. The application stores these parameters for Stage 3.

As a result, a user doesn't need to remember and enter a PIN code manually in the application UI.

Here is a code sample (a modified MSDN version):

/* MSDN code sample: http://msdn.microsoft.com/library/windows/apps/br227025 */
/* Stage 2: OAuth/authenticate */
using System;
using Windows.Security.Authentication.Web;

// The code below runs inside an async method; oauth_token is the request token obtained in Stage 1.
// Placeholder URL should be specified in Twitter Application settings
String oauth_callback = "https://myurl.com";
// doc: https://dev.twitter.com/docs/api/1/get/oauth/authenticate
String TwitterURL = "https://api.twitter.com/oauth/authenticate?oauth_token=" + oauth_token;
System.Uri StartUri = new Uri(TwitterURL);
// The broker returns as soon as the browser session navigates to EndUri
System.Uri EndUri = new Uri(oauth_callback);

WebAuthenticationResult result = await WebAuthenticationBroker.AuthenticateAsync(
    WebAuthenticationOptions.None, StartUri, EndUri);
if (result.ResponseStatus == WebAuthenticationStatus.Success)
{
    // ResponseData is the full callback URL, including oauth_token and oauth_verifier.
    // OutputToken is the MSDN sample's display helper.
    OutputToken(result.ResponseData.ToString());
}
else if (result.ResponseStatus == WebAuthenticationStatus.ErrorHttp)
{
    OutputToken("HTTP Error returned by AuthenticateAsync() : " + result.ResponseErrorDetail.ToString());
}
else
{
    OutputToken("Error returned by AuthenticateAsync() : " + result.ResponseStatus.ToString());
}
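On success, ResponseData above is the complete redirect URL, and the application still has to pick the parameters out of it and carry them into Stage 3. The following is an added example in Python (not the article's C# and not Windows code) of the client-side state handling across the three steps: parsing the Step 1 response and insisting on oauth_callback_confirmed=true as RFC 5849 section 2.1 requires, checking that the Stage 2 redirect landed on the registered callback URL and carries the same oauth_token that Step 1 issued before accepting its oauth_verifier, and parsing the Step 3 response. The callback URL https://myurl.com is the article's placeholder; every response and redirect string is constructed sample data, and the function names are this example's own.

```python
"""Client-side handling of the three Twitter OAuth 1.0a steps described in
the article: the Step 1 response body, the Stage 2 callback redirect that
WebAuthenticationBroker hands back in ResponseData, and the Step 3 response.
Added example in Python; not the article's C# code. All sample strings are
constructed placeholders, not real Twitter data."""
import hmac
from urllib.parse import parse_qsl, urlsplit

# Placeholder callback URL from the article; must match the Twitter app settings.
REGISTERED_CALLBACK = "https://myurl.com"

# Constructed sample messages for each step.
STEP1_BODY = "oauth_token=REQTOKEN123&oauth_token_secret=REQSECRET456&oauth_callback_confirmed=true"
STAGE2_RESPONSE_DATA = "https://myurl.com/?oauth_token=REQTOKEN123&oauth_verifier=VERIFIER789"
STEP3_BODY = "oauth_token=ACCTOKEN&oauth_token_secret=ACCSECRET&user_id=12345&screen_name=example_user"


def _fields(encoded):
    """Decode a form-encoded body or query string into a dict."""
    return dict(parse_qsl(encoded, keep_blank_values=True))


def parse_request_token_response(body):
    """Step 1: temporary credentials. RFC 5849 section 2.1 requires the server
    to answer oauth_callback_confirmed=true; abort otherwise, because the
    server then has not bound our callback to this request token."""
    f = _fields(body)
    if f.get("oauth_callback_confirmed") != "true":
        raise ValueError("server did not confirm oauth_callback")
    if not f.get("oauth_token") or not f.get("oauth_token_secret"):
        raise ValueError("request token response incomplete")
    return f["oauth_token"], f["oauth_token_secret"]


def parse_callback_redirect(response_data, expected_token, registered_callback=REGISTERED_CALLBACK):
    """Stage 2: response_data is the full redirect URL the broker captured.
    Returns oauth_verifier after checking that (a) the URL really is the
    registered callback and (b) oauth_token is the one issued in Step 1, so a
    redirect carrying a different token cannot complete this session."""
    got, want = urlsplit(response_data), urlsplit(registered_callback)
    same_endpoint = (
        got.scheme.lower() == want.scheme.lower()
        and got.netloc.lower() == want.netloc.lower()
        and got.path.rstrip("/") == want.path.rstrip("/")
    )
    if not same_endpoint:
        raise ValueError("redirect did not land on the registered callback URL")
    q = _fields(got.query)
    token, verifier = q.get("oauth_token", ""), q.get("oauth_verifier", "")
    if not token or not verifier:
        raise ValueError("callback is missing oauth_token or oauth_verifier")
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        raise ValueError("oauth_token does not match the request token from Step 1")
    return verifier


def parse_access_token_response(body):
    """Step 3: token credentials plus the Twitter user identity."""
    f = _fields(body)
    required = ("oauth_token", "oauth_token_secret", "user_id", "screen_name")
    missing = [k for k in required if not f.get(k)]
    if missing:
        raise ValueError(f"access token response missing {missing}")
    return {k: f[k] for k in required}


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to exercise the failure paths."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def run_flow(step1_body=STEP1_BODY, response_data=STAGE2_RESPONSE_DATA, step3_body=STEP3_BODY):
    """Drive the three steps over the sample messages; returns the final credentials."""
    request_token, _request_secret = parse_request_token_response(step1_body)
    verifier = parse_callback_redirect(response_data, request_token)
    creds = parse_access_token_response(step3_body)
    creds["oauth_verifier_used"] = verifier
    return creds


if __name__ == "__main__":
    print(run_flow())
```

The request token and its secret from Step 1 have to be kept by the application until Step 3 anyway (the secret is part of the Step 3 signing key), so comparing the token in the redirect against the stored one costs nothing and ties the redirect to the session that started it.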

References

RFC 5849 - The OAuth 1.0 Protocol

Implementing Sign in with Twitter

WebAuthenticationBroker class

Software License

This code leverages sample software obtained from MSDN under the MS-LPL license. For additional details please refer to MSDN terms of service: http://msdn.microsoft.com/en-us/cc300389.aspx#B

Notices

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark* and MobileMark*, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.

Any software source code reprinted in this document is furnished under a software license and may only be used or copied in accordance with the terms of that license.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

Copyright © 2013 Intel Corporation. All rights reserved.

*Other names and brands may be claimed as the property of others.