Windows Phone 8.1 for Developers – the Web Authentication Broker

This blog post is part of a series about how Windows Phone 8.1 affects developers. The series is written in collaboration with Microsoft evangelist Peter Bryntesson, check out his blog here.

Intro

Authentication using external services using OAuth/OpenID instead of rolling your own is increasing in popularity for a good reason – it’s a great practice. The Web Authentication Broker (WAB) is a component to simplify this scenario.

The WAB provides these features:

· A simple API

· An integration of the web page of the credentials provider in a system user interface

· Isolation of credentials from the app

API

The core API method of the WAB is AuthenticateAndContinue, which also has overloads with more or less options.

AuthenticateAndContinue(Uri requestUri, Uri callbackUri)

The requestUri is the composed uri for the service containing the appSecret etc, the callbackUri is the uri that your app has registered with the service provider. The WAB will listen for a redirect to this uri, stop itself and return the redirect token from the service to the app.

The former is the method used for Single Sign-On (SSO). By not providing a callbackUri, the WAB will use the appId of the phone app as the callbackUri. So for multiple apps to be able to create a SSO scenario, they all have to be registered with their appId as callbackUri. The appId can be viewed using WebAuthenticationBroker.GetCurrentApplicationCallbackUri, an example of it is (eg ms-app://s-1-15-2-1385422425-1305518605-1648009019-4128168865-474403130-3627659409-3578358421/.

Just to give you an example, the start and return uris for Twitter might look like this:

Start:

https://api.twitter.com/oauth/authorize?oauth_token=BzfZ7XXXXXXXXXXXXXXXXXXXXXXXaotpYM

Return:

Home

What it looks like

When launching the WAB, it shows a standardized UI with the web page of the service provider. After submitting the credentials, the WAB will also ask whether to remember the credentials.

clip_image002 clip_image004

Convergence with Windows

You guessed it, also this class exists on Windows and behaves exactly the same. The authentication UI on Windows has the luxury using some screen real estate to show the originating app’s UI dimmed though.

clip_image006

Links

As always, MSDN has good documentation on this:

Understanding and debugging the web authentication broker workflow

WebAuthenticationBroker sample

WebAuthenticationBroker class

Andreas Hammar, Jayway