This blog post is part of a series about how Windows Phone 8.1 affects developers. This blog post talks about how you can use the web authentication broker to authenticate and is written by Andreas Hammar (@andyhammar) at Jayway and was originally posted here.

Intro

Authentication using external services using OAuth/OpenID instead of rolling your own is increasing in popularity for a good reason – it’s a great practice. The Web Authentication Broker (WAB) is a component to simplify this scenario.

The WAB provides these features:

· A simple API

· An integration of the web page of the credentials provider in a system user interface

· Isolation of credentials from the app

 

API

The core API method of the WAB is AuthenticateAndContinue, which also has overloads with more or less options.

AuthenticateAndContinue(Uri requestUri, Uri callbackUri)

The requestUri is the composed uri for the service containing the appSecret etc, the callbackUri is the uri that your app has registered with the service provider. The WAB will listen for a redirect to this uri, stop itself and return the redirect token from the service to the app.

The former is the method used for Single Sign-On (SSO). By not providing a callbackUri, the WAB will use the appId of the phone app as the callbackUri. So for multiple apps to be able to create a SSO scenario, they all have to be registered with their appId as callbackUri. The appId can be viewed using WebAuthenticationBroker.GetCurrentApplicationCallbackUri, an example of it is (eg ms-app://s-1-15-2-1385422425-1305518605-1648009019-4128168865-474403130-3627659409-3578358421/.

Just to give you an example, the start and return uris for Twitter might look like this:

Start:

https://api.twitter.com/oauth/authorize?oauth_token=BzfZ7XXXXXXXXXXXXXXXXXXXXXXXaotpYM

Return:

http://jayway.com/?oauth_token=4XLD6dfXXXXXXXXXXXXXXXXXXXXcIQf7S10&oauth_verifier=Fu7yXXXXXXXXXXXXXXXXXXXXXXXXXXXrpPcKYQ

 

What it looks like

When launching the WAB, it shows a standardized UI with the web page of the service provider. After submitting the credentials, the WAB will also ask whether to remember the credentials.

clip_image002 clip_image004

 

Convergence with Windows

You guessed it, also this class exists on Windows and behaves exactly the same. The authentication UI on Windows has the luxury using some screen real estate to show the originating app’s UI dimmed