What's WebAuthenticationBroker.getCurrentApplicationCallbackUri() used for?

    Question

  • I thought I could use it as an endUri for the WAB, but this does not seem to work.

    From my understanding, the WAB checks redirects, and if they match the URI provided as endUri it will display the close button?

    Tuesday, February 28, 2012 8:48 AM


All replies

  • I am doing a simple redirect from the "requestUri" to the "callbackUri" but WAB does not seem to honor this with a "Close" button.

    What do I need to do from the server side to make WAB understand that the user is authenticated? What kind of redirect request do I have to fire from the server? How does WAB detect that the authentication is indeed finished?

    I tried this simple example using Google's OAuth service:

    var callbackUri, registerURI;
    // callbackUri is fetched here but not used below: the out-of-band URN is
    // passed both as redirect_uri and as the broker's end URI.
    callbackUri = WebAuthenticationBroker.getCurrentApplicationCallbackUri();
    registerURI = new Windows.Foundation.Uri("https://accounts.google.com/o/oauth2/auth?response_type=code&scope=" + (encodeURIComponent('http://www.google.com/calendar/feeds/')) + "&client_id=82374823.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob");
    return WebAuthenticationBroker.authenticateAsync(WebAuthenticationOptions.useTitle, registerURI, new Windows.Foundation.Uri('urn:ietf:wg:oauth:2.0:oob'));

    The "Close" button is not displayed at the end.

    Tuesday, February 28, 2012 10:09 AM
  • It does not show a close button.

    See the RFC:

    http://tools.ietf.org/html/rfc5849#section-2.2

    Specifically it is used in Authorization parameters: oauth_callback

    Each endpoint will determine what UI is shown.  This is an open specification so depending on what your web server is doing, your results will vary.

    The RFC is a great start to understanding how this flow works!

    -Jeff


    Jeff Sanders (MSFT)

    Tuesday, February 28, 2012 4:34 PM
    Moderator
  • Jeff, I got it working. The culprit was "WebAuthenticationOptions.useTitle", which waited to parse a title of the redirected site.

    Now, the docs state that the responseData will contain the body in case of a POST request. But I cannot get WAB to follow a 307 POST redirect. It always changes the POST to a GET request, which is against the specs when the server sends a 307 redirect.


    Wednesday, February 29, 2012 7:43 AM
  • Excellent news Phil!

    Unfortunately the server is doing the wrong thing (is it yours?).  We never respond with a POST to redirects (even in IE).

    This is because we DO follow the RFC (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html):

    If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

    You can do that manually however but I am sure how much of a hassle that will be for you.

    -Jeff


    Jeff Sanders (MSFT)

    Wednesday, February 29, 2012 1:00 PM
    Moderator
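
Added example, not part of the original thread and not Microsoft's code: the opening question asks about using the application callback URI as the end URI, so this sketch builds the authorization request with `redirect_uri` set to that callback URI and then validates the string the broker hands back before using the code in it. It assumes the provider accepts the callback URI as a registered redirect, that `responseData` holds the final redirect URL for a GET redirect, and that the request carries the OAuth 2.0 `state` parameter (not used in the thread); the function names, the `ms-app://` value, the client id and the state value are constructed placeholders.

```javascript
'use strict';

// Build the authorization request so the provider redirects to the app's own
// callback URI (in the app: getCurrentApplicationCallbackUri()).
function buildAuthorizeUrl(endpoint, clientId, scope, callbackUri, state) {
  const query = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    scope: scope,
    redirect_uri: callbackUri,
    state: state
  });
  return endpoint + '?' + query.toString();
}

// Validate what the broker returned before trusting any parameter in it.
function parseBrokerResponse(responseData, callbackUri, expectedState) {
  // Accept only the callback URI itself, optionally followed by a query or fragment.
  const rest = responseData.startsWith(callbackUri)
    ? responseData.slice(callbackUri.length) : null;
  if (rest === null || (rest !== '' && !/^[?#]/.test(rest))) {
    return { ok: false, reason: 'unexpected redirect target' };
  }
  const params = new URLSearchParams(rest.slice(1));
  // The state value must be the one this app generated for this request.
  if (params.get('state') !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  if (params.has('error')) {
    return { ok: false, reason: 'provider error: ' + params.get('error') };
  }
  const code = params.get('code');
  return code ? { ok: true, code: code } : { ok: false, reason: 'no code in response' };
}

// Constructed sample values (hypothetical app SID, client id and state).
const CALLBACK = 'ms-app://s-1-15-2-0000000000-example/';
const STATE = 'k3Jx9q';
const requestUrl = buildAuthorizeUrl('https://accounts.google.com/o/oauth2/auth',
  'CLIENT_ID_PLACEHOLDER', 'http://www.google.com/calendar/feeds/', CALLBACK, STATE);
console.log(requestUrl);
console.log(parseBrokerResponse(CALLBACK + '?code=abc123&state=' + STATE, CALLBACK, STATE));
console.log(parseBrokerResponse('ms-app://other-app/?code=abc123&state=' + STATE, CALLBACK, STATE));
```

In the app, the same callback URI would be passed to `authenticateAsync` as the end URI, and `state` should be a fresh random value per request rather than a constant.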