OIDC/OAuth SSO from wpf desktop app using web browser - oauth-2.0

We have our custom IDP which implements the OIDC/OAuth2 standards and many of our browser based SPA apps use it for authn/authz (With SSO). We also have some of our apps which are WPF desktop based. Now, our requirement is to implement similar OIDC/OAuth SSO from desktop app by launching a browser from the desktop application and then once the sign in is complete come back to the desktop app (SSO).
This is something very similar to how Docker desktop works which launches a browser for sign-in and then redirects back to the desktop application. Anybody can suggest what is the right way to implement this and any reference to sample implementation would be greatly appreciated.
Thanks

The system browser is used to login, according to RFC8252. I believe Docker desktop uses a private URI schene to receive the OAuth response.
See these resources. My app is coded in Javascript but you should be able to translate the concepts:
C# private URI scheme example
My desktop code sample + blog posts

Related

React Native MSAL - SSO does not work from Native to Web - iOS

We are developing two new react native apps, and need to integrate Azure AD authentication at both the places. We also have existing web apps that are Azure AD enabled and the user can open the web links from our (new) native apps.
We have decided to use MSAL library (react-native-msal) to implement the authentication part mainly to support SSO between the native apps + the web apps that we open in the Safari browser.
We have followed all the steps that the react-native-msal library suggests and are able to achieve SSO between the two native apps.
However, when I login to one native app, and try to open the web app link using react linking, the web app prompts for the login credentials.
Note:
For authenticating user through native app, we are using "Authentication Session" with "prefersEphemeralWebBrowserSession = false" which ideally should share the SSO cookies with the Safari browser.
But clearly, this does not seem to work.
I would like to get some understanding on this problem and find out if others are facing this issue too? or is it just us?
In this case you need a preferred user token and send it along with the login request. For capturing the details of the user at the same time I suggest storing the details in the domain wide cookies that is known for all applications.
// Store the user details after login
document.cookie = "msal_details=Paul#xyz-corp.com;domain=.xyz-corp.com;path=/"
// use the user details
var user = getCookieByName("msal_username"); 
  userAgentApplication.loginRedirect(scopes, "&login_hint=" + user);
Lastly, you would need to implement this in your application.
Well, it turns out to be a problem with the simulator. This functionality works only on the physical devices (iPhone/iPad) and not on the simulators.
This should have been documented in the react-native-msal's document though.

SSO WPF and SPA

I have a WPF application who uses the azure AD with open id to authenticate users and the WPF application then uses the refresh_token to renew the access_token and use that access_token to call our protected API.
I now want to create a SPA, is it possible to get SSO working between these two applications - so if the user is signed in on the WPF application they will automatically be signed in on the SPA application as well without the need to re-enter any credentials?
Absolutely, it will work, you just have to configure 2 applications. Actually it's what OAuth is used for.
The answer depends a little on how you have implemented things. In both cases the 2 apps will each do a redirect to sign the user in, and you need 2 different OAuth client registrations, as agua from mars says ...
OPTION 1 (PREFERRED) - DESKTOP APP USES SYSTEM BROWSER
This will enable SSO to work due to a shared Identity Provider cookie. Also, password autofill for one app will also work for the other app, so that re-logging in is not too painful. However, the Login UX is a little strange, since the user has to switch to the browser to sign in.
OPTION 2 - DESKTOP APP USES WEB VIEW
This is easier to code but can be more problematic in Login UX terms, since the web view acts as a private browser session, which may require the user to sign in again. Also password autofill may work less well.
ONLINE DEMO
To see both cases working together you could run both samples from my Online Quick Start Page. You can run the SPA from an online URL, but the desktop app is NodeJS based and needs to be run from your PC.
You will see that after logging into one of them, there is a redirect when starting the other, but authentication will be automatic.

How to deep-link directly to an app in Okta Mobile on iOS

We can send a link to someone formatted as okta:// and it will launch the Okta mobile app, but I would like to know if there is a way to deep link to a specific app in Okta mobile?
Something like okta://appname
or better yet would be okta://appname/specificpageinapp
I have tried all sorts of options, but none seem to work.
The Okta Mobile app doesn't support deep linking as you described.
You may be able to deep-link directly into native iOS applications using a similar URL Scheme (exampleapp://page/example). If the native iOS app is integrated with Okta, this might work as you expect.
However, it sounds like what you might actually want to do is link directly into the embedded web view of a web application in Okta. If that is the case, I suggest reaching out to Okta support with a feature request and the use case that you're trying to solve, so that it can get the attention of the product manager for the Okta Mobile app.

Adobe AIR Mobile / OAuth2.0

We are currently trying to add OAuth2.0 for authentication into an existing Adobe AIR mobile app for a client. We are trying to carry this out by using this library https://github.com/charlesbihis/actionscript-oauth2 from this article.
We have tried using instances of the 'StageWebView' class and the Feathers UI 'WebView' class to display the authorization prompt page within the mobile app itself.
When we publish the app locally on our development PCs, the whole process works ok. However, as soon as it is published to our iPad(s) for testing, it is almost as if some security setting stops the "embedded" website from communicating with to the server.
As the website we are trying to communicate with is a https:// address, I'm assuming that this might be causing issues, but I can't confirm this.
Has anyone out there found themselves in a similar situation?
Thanks,
Dave

facebook authentication in phonegap for ios

I'm trying to achieve following: I have facebook authentication on my web app. I want to return back to PhoneGap application after authentication is done.
The authentication flow works just fine. But returning to app should be done by providing a redirect url to facebook authentication URL. The problem is that I don't know what's the URL.
I've tried custom URL scheme, which works when authentication flow is executed in external Mobile Safari window. But in this case, the authentication is set to the Safari session, not for the Web App.
If external window is not used, but the authentication is done in Web App, the custom URL scheme won't work.
I have a hint this could be done with PhoneGap ChildBrowser plugin. That's the last possible option I want to try
If the only possible solution is ChildBrowser, I haven't found any good tutorial or instructions how this should be done. Any advice on that?
please give solution if any one have better example
Phonegap released a plugin for connecting to facebook: https://github.com/davejohnson/phonegap-plugin-facebook-connect

Resources