Authentication using external services using OAuth/OpenID instead of rolling your own is increasing in popularity for a good reason – it’s a great practice. The Web Authentication Broker (WAB) is a component to simplify this scenario.
The WAB provides these features:
· A simple API
· An integration of the web page of the credentials provider in a system user interface
· Isolation of credentials from the app
The core API method of the WAB is AuthenticateAndContinue, which also has overloads with more or less options.
AuthenticateAndContinue(Uri requestUri, Uri callbackUri)
The requestUri is the composed uri for the service containing the appSecret etc, the callbackUri is the uri that your app has registered with the service provider. The WAB will listen for a redirect to this uri, stop itself and return the redirect token from the service to the app.
The former is the method used for Single Sign-On (SSO). By not providing a callbackUri, the WAB will use the appId of the phone app as the callbackUri. So for multiple apps to be able to create a SSO scenario, they all have to be registered with their appId as callbackUri. The appId can be viewed using WebAuthenticationBroker.GetCurrentApplicationCallbackUri, an example of it is (eg ms-app://s-1-15-2-1385422425-1305518605-1648009019-4128168865-474403130-3627659409-3578358421/.
Just to give you an example, the start and return uris for Twitter might look like this:
What it looks like
When launching the WAB, it shows a standardized UI with the web page of the service provider. After submitting the credentials, the WAB will also ask whether to remember the credentials.
Convergence with Windows
You guessed it, also this class exists on Windows and behaves exactly the same. The authentication UI on Windows has the luxury using some screen real estate to show the originating app’s UI dimmed though.
As always, MSDN has good documentation on this:
Andreas Hammar, Jayway