Share a session between WebAuthenticationBroker and WebView (Windows Store 8.1 app)

    Question

  • Hi there.

    I want to authenticate a user with some service (for example, some cloud storage service) via WebAuthenticationBroker; then the user can view his online documents (which are allowed to be viewed only in a browser) via WebView. The default behavior is that the user has to input his credentials one more time. I don't want to let the user leave my app (using Launcher.LaunchUriAsync(...)).

    How can I share a session between WebAuthenticationBroker and WebView in a Windows Store 8.1 app?

    Wednesday, April 8, 2015 10:27 AM

Answers

  • The authentication cookies or any parameters in the HTTP response used during the Authentication state are only used in the context of the auth broker. The auth broker does not share any session information with independent HTTP requests that the app makes (through XHR, HttpClient or WebView HTTP requests). That is the purpose of the returned Auth token, meaning that your app can retrieve the authtoken (which the Authentication service can append to the ms-app://app-sid?token=authtoken) and then the app can use that authtoken to send it to the service, through an HTTP header for example, in the WebView. When the service receives the HTTP header authtoken, it can then decide whether the user is authenticated or not based on the token, rather than depend on the Cookie that was used during the authentication.

    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol|| Want more solutions? See our blog

    Friday, April 17, 2015 1:14 AM
    Moderator
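
The flow described in the answer above, sketched as an added example that is not part of the original thread or the moderator's own code. The authorization endpoint, the trusted host, the `token` query parameter name and the `Authorization: Bearer` header are assumptions; the service must be one that accepts the token in a request header.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Windows.Foundation;
using Windows.Security.Authentication.Web;
using Windows.UI.Xaml.Controls;
using Windows.Web.Http;
using Windows.Web.Http.Headers;

public static class BrokerTokenToWebView
{
    // Hypothetical values: replace with the service's real endpoint and host.
    static readonly Uri AuthStartUri = new Uri("https://service.example/oauth/authorize");
    const string TrustedHost = "service.example";

    public static async Task<bool> SignInAndOpenAsync(WebView webView, Uri documentUri)
    {
        // Never send the token over plain HTTP or to a host other than the service.
        if (documentUri.Scheme != "https" ||
            !string.Equals(documentUri.Host, TrustedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        Uri callback = WebAuthenticationBroker.GetCurrentApplicationCallbackUri();
        WebAuthenticationResult result = await WebAuthenticationBroker.AuthenticateAsync(
            WebAuthenticationOptions.None, AuthStartUri, callback);
        if (result.ResponseStatus != WebAuthenticationStatus.Success)
            return false; // user cancelled or HTTP error: nothing to forward

        // ResponseData is the callback URI the service redirected to,
        // e.g. ms-app://app-sid?token=authtoken ("token" is an assumed name).
        string rawQuery = new Uri(result.ResponseData).Query.TrimStart('?');
        if (rawQuery.Length == 0)
            return false;
        string token = new WwwFormUrlDecoder(rawQuery)
            .Where(e => e.Name == "token").Select(e => e.Value).FirstOrDefault();
        if (string.IsNullOrEmpty(token))
            return false;

        // Carry the token in a request header rather than in the document URL,
        // so it does not end up in navigation history or Referer headers.
        var request = new HttpRequestMessage(HttpMethod.Get, documentUri);
        request.Headers.Authorization = new HttpCredentialsHeaderValue("Bearer", token);
        webView.NavigateWithHttpRequestMessage(request);
        return true;
    }
}
```

The header is attached to the request passed to `NavigateWithHttpRequestMessage`, so the service has to authenticate that request from the token instead of from the broker's cookies.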

All replies

  • When the user authenticates to the service using the WebAuthentication Broker, then at the end of the authentication, the service can return an "access token" which you can use for subsequent requests to that same service. The service can then use that "access token" to make a decision whether the token is active/expired and serve the content based on that. That will prevent the re-authentication.

    Wednesday, April 8, 2015 11:21 PM
    Moderator
  • That's OK and I know it :)

    But for my scenario this is not the mechanism I want to follow.

    Imagine the following:

     - I sign in to some cloud service using the broker, get an access token and use it for the cloud service API

     - I retrieve a file entity from that service using the API (note that the file entity is ONLY web-accessible, it is similar to Google Docs, for example) and get a link to edit it via WebView

     - I navigate to that link via WebView and due to file access restrictions I have to sign in again.

    I simply want not to sign in again, so I want to find a way to transfer cookies and other stuff from the broker to WebView.

    Thursday, April 16, 2015 2:23 PM