Implementing OAuth 1.0a Authentication Using ... OAuth 1.0a Authentication Using WebAuthenticationBroker What is OAuth? OAuth is the open standard for the authorization and authentication.

  • Published on

  • View

  • Download


Implementing OAuth 1.0a Authentication Using WebAuthenticationBroker What is OAuth? OAuth is the open standard for the authorization and authentication. OAuth provides a method for clients to access server resources on behalf of a resource owner. It also provides a process for end users to authorize third-party access to their server resources without sharing their credentials (typically, a username and a password), using user-agent redirections. OAuth 1.0 protocol was published as RFC 5849. In this article I will show how to simplify implementation of Twitter OAuth 1.0a support in Windows* 8 applications using the WebAuthenticationBroker class. Twitter OAuth 1.0a authentication flow Lets review the Twitter authentication flow. The application needs to perform three steps to authenticate in Twitter. The sequence of these steps is known as 3-way authentication. Step 1: OAuth/request_token First of all, the application must obtain a request token by making a signed POST request to This request must include the oauth_callback parameter. The request must be signed as described in this article: Step 2: OAuth/authenticate The next step is to direct a user to Twitter to complete the authorization. The application should open the URL in a browser using a GET request with the oauth_token parameter. After the user is successfully authenticated, the request will be redirected to the oauth_callback URL and contain the oauth_token and oauth_verifier parameters. 3: OAuth/access_token The last step is to request the access token. To obtain the access token, the application must make a signed POST request to The request must include the oauth_verifier value obtained in Step 2. If the authentication is successful, then the application will receive oauth_token, oauth_token_secret, user_id and screen_name. Callback URL for desktop applications Its easy to specify a oauth_callback URL for a web site. But what oauth_callback URL should a developer specify for a Windows 8 application? The application doesnt have a URL to catch the redirected authentication request at Stage 2. The developer has two choices. The first choice is to set oauth_callback to oob (out-of-band) pin mode. In this case, the user must enter a PIN code on the screen on Stage 2. The application implements UI controls to enter the PIN code before Stage 3. The user remembers and manually enters the PIN code into the application UI. The second choice is to use WebAuthenticationBroker and a placeholder URL as oauth_callback. Simplifying the process using WebAuthenticationBroker class Developers need to enter a random placeholder URL in the Twitter application settings and send this URL in oauth_callback parameter in Stage 1. Stage 2 is implemented using WebAuthenticationBroker: 1. Application calls WebAuthenticationBroker. 2. WebAuthenticationBroker opens a new browser session separate from the application. 3. User has the ability to authorize in the browser session. 4. After the successful authentication, the browser will be redirected to the oauth_callback URL with the oauth_token and oauth_verifier parameters. 5. WebAuthenticationBroker detects the oauth_callback redirect and provides the parameters to the application. 6. The application stores these parameters for Stage 3. As a result, a user doesnt need to remember and enter a PIN code manually in the application UI. Here is a code sample (a modified MSDN version): /* MSDN code sample: */ /* Stage 2: OAuth/authenticate */ // Placeholder URL should be specified in Twitter Application settings String oauth_callback = ""; // doc: String TwitterURL = "" + oauth_token; System.Uri StartUri = new Uri(TwitterURL); System.Uri EndUri = new Uri(oauth_callback); WebAuthenticationResult WebAuthenticationResult = await WebAuthenticationBroker.AuthenticateAsync( WebAuthenticationOptions.None, StartUri, EndUri); if (WebAuthenticationResult.ResponseStatus == WebAuthenticationStatus.Success) { OutputToken(WebAuthenticationResult.ResponseData.ToString()); } else if (WebAuthenticationResult.ResponseStatus == WebAuthenticationStatus.ErrorHttp) { OutputToken("HTTP Error returned by AuthenticateAsync() : " + WebAuthenticationResult.ResponseErrorDetail.ToString()); } else { OutputToken("Error returned by AuthenticateAsync() : " + WebAuthenticationResult.ResponseStatus.ToString()); } References RFC 5849 - The OAuth 1.0 Protocol Implementing Sign in with Twitter WebAuthenticationBroker class Software License This code leverages sample software obtained from MSDN under the MS-LPL license. For additional details please refer to MSDN terms of service: Notices INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark* and MobileMark*, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. Any software source code reprinted in this document is furnished under a software license and may only be used or copied in accordance with the terms of that license. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. Copyright 2013 Intel Corporation. All rights reserved. *Other names and brands may be claimed as the property of others.


View more >