Implementing OAuth 1.0a Authentication Using WebAuthenticationBroker


Implementing OAuth 1.0a Authentication Using WebAuthenticationBroker [PDF 407.62 KB]

What is OAuth?

OAuth is the open standard for the authorization and authentication. OAuth provides a method for clients to access server resources on behalf of a resource owner. It also provides a process for end users to authorize third-party access to their server resources without sharing their credentials (typically, a username and a password), using user-agent redirections.

OAuth 1.0 protocol was published as RFC 5849.

In this article I will show how to simplify implementation of Twitter OAuth 1.0a support in Windows* 8 applications using the WebAuthenticationBroker class.

Twitter OAuth 1.0a authentication flow

Let’s review the Twitter authentication flow.

The application needs to perform three steps to authenticate in Twitter. The sequence of these steps is known as “3-way authentication.”

Step 1: OAuth/request_token

First of all, the application must obtain a request token by making a signed POST request to This request must include the oauth_callback parameter.

The request must be signed as described in this article:

Step 2: OAuth/authenticate

The next step is to direct a user to Twitter to complete the authorization. The application should open the URL in a browser using a GET request with the oauth_token parameter.

After the user is successfully authenticated, the request will be redirected to the oauth_callback URL and contain the oauth_token and oauth_verifier parameters.

Step 3: OAuth/access_token

The last step is to request the access token. To obtain the access token, the application must make a signed POST request to The request must include the oauth_verifier value obtained in Step 2.

If the authentication is successful, then the application will receive oauth_token, oauth_token_secret, user_id and screen_name.

Callback URL for desktop applications

It’s easy to specify a oauth_callback URL for a web site.

But what oauth_callback URL should a developer specify for a Windows 8 application? The application doesn’t have a URL to catch the redirected authentication request at Stage 2.

The developer has two choices.

The first choice is to set oauth_callback to «oob» (out-of-band) pin mode. In this case, the user must enter a PIN code on the screen on Stage 2. The application implements UI controls to enter the PIN code before Stage 3. The user remembers and manually enters the PIN code into the application UI.

The second choice is to use WebAuthenticationBroker and a placeholder URL as oauth_callback.

Simplifying the process using WebAuthenticationBroker class

Developers need to enter a random placeholder URL in the Twitter application settings and send this URL in oauth_callback parameter in Stage 1.

Stage 2 is implemented using WebAuthenticationBroker:

  1. Application calls WebAuthenticationBroker.
  2. WebAuthenticationBroker opens a new browser session separate from the application.
  3. User has the ability to authorize in the browser session.
  4. After the successful authentication, the browser will be redirected to the oauth_callback URL with the oauth_token and oauth_verifier parameters.
  5. WebAuthenticationBroker detects the oauth_callback redirect and provides the parameters to the application.
  6. The application stores these parameters for Stage 3.

As a result, a user doesn’t need to remember and enter a PIN code manually in the application UI.

Here is a code sample (a modified MSDN version):

/* MSDN code sample: */
/* Stage 2: OAuth/authenticate */

// Placeholder URL should be specified in Twitter Application settings
String oauth_callback = "";

// doc:
String TwitterURL = "" + oauth_token;

System.Uri StartUri = new Uri(TwitterURL);
System.Uri EndUri = new Uri(oauth_callback);

WebAuthenticationResult WebAuthenticationResult = await WebAuthenticationBroker.AuthenticateAsync(
if (WebAuthenticationResult.ResponseStatus == WebAuthenticationStatus.Success)
else if (WebAuthenticationResult.ResponseStatus == WebAuthenticationStatus.ErrorHttp)
    OutputToken("HTTP Error returned by AuthenticateAsync() : " + WebAuthenticationResult.ResponseErrorDetail.ToString());
    OutputToken("Error returned by AuthenticateAsync() : " + WebAuthenticationResult.ResponseStatus.ToString());


Software License

This code leverages sample software obtained from MSDN under the MS-LPL license. For additional details please refer to MSDN terms of service:

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
Copyright © 2013 Intel Corporation. All rights reserved.
*Other names and brands may be claimed as the property of others.


For more complete information about compiler optimizations, see our Optimization Notice.