
I've been searching for hours and couldn't find any solution to this problem.

I'm developing a UWP App and I have a WebView that goes to a website (where the user authenticates) and I should be able to get the access_token after he logs in.

Is there a way to get the response header from the page?

Or do I have to do everything manually (create the HttpClient, send the POST with the login info, and get the header response that way?)

Martin Zikmund
LoadIt
  • I think it is better to create a UI for the login and then you can use the HttpClient. It is not using so much internet data and it is better for the user experience... – juliushuck Oct 31 '18 at 15:55
  • Hmm, OK, I'll leave the post open for a few more hours just to see if someone knows a way of doing it (I don't think it's worth it, since doing a custom login takes 5m). But just out of curiosity. – LoadIt Oct 31 '18 at 16:26

1 Answer

First and foremost, the latest guidance is that authentication should not be done inside a web view; the modern approach is to open an external browser window, where the user authenticates and is then redirected back to the app using a custom URI scheme. See a detailed post on this here on SO.

Now, the unfortunate answer is that WebView does not offer a built-in way to access the HTTP response and its headers. This has been requested (see for example this blog post by Martin Suchan), but has not been implemented so far. If you have control over the web page, then you could store the authentication info in cookies, which are accessible. Not even injecting custom JavaScript can help here, because getting the HTTP headers is possible if you initiate an AJAX request in JS, but you can't get headers for a page that is already loaded.

As mentioned in the comments above, the better solution would be to code the login manually using HttpClient or see if the service supports a proper OAuth2/OpenID Connect flow, in which case you could use a library like IdentityModel.OidcClient2, which can handle most of the heavy lifting for you.

You can also use the built-in WebAuthenticationBroker, see docs here.

Martin Zikmund
  • So if I understood everything correctly, I can't do this the way I was thinking. Since a solution for it would be opening the login page in the default browser (in a separate view window), do you have any example that you can hand me? So the user can authenticate and I get back the authentication token in the app. – LoadIt Oct 31 '18 at 17:55
  • Yes, with the current version of `WebView` it would be very hard to do. Are you the developer of the website? – Martin Zikmund Oct 31 '18 at 18:00
  • No, I've been looking at some examples from MSDN using Facebook, Google, etc., but I want to do it for Discord. – LoadIt Oct 31 '18 at 18:09
  • The bad thing is each authentication flow is different, unless they are using some standard like OAuth or OpenID Connect – Martin Zikmund Oct 31 '18 at 18:10
  • So the external browser flow might not even be supported by the API... It really depends on the website, don't they provide some kind of documentation? – Martin Zikmund Oct 31 '18 at 18:11
  • Yes, they have the API documentation and they use OAuth2 https://discordapp.com/developers/docs/intro – LoadIt Oct 31 '18 at 18:14
  • I've been doing some experiments sending requests to the website based on what the browser sends (after having the user token (got it from my account, inspecting the network so I could know what to send)) and it works perfectly. But I didn't want to do the same for the login information. – LoadIt Oct 31 '18 at 18:16
  • Because I'm worried about the security of doing it that way (asking for the user id and password to send the login info to the website and get the token). That's why I'm trying to find another way where I can just skip the user login information, leave it to the official website and just get the authentication token – LoadIt Oct 31 '18 at 18:18
  • Oh I see! Because it is OAuth2, you could use the `WebAuthenticationBroker`, see docs and sample - https://learn.microsoft.com/en-us/windows/uwp/security/web-authentication-broker – Martin Zikmund Oct 31 '18 at 18:38
  • According to the documentation it seems that the OAuth2 is not used for user login (only bots login). So it has to use the username/password style. – LoadIt Oct 31 '18 at 18:51
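
The `WebAuthenticationBroker` route mentioned in the answer, as an added example that is not part of the original thread: an OAuth2 authorization-code request in which the app never handles the user's password and rejects any redirect whose `state` does not match. The endpoint URL, client id and class/method names are assumptions for a hypothetical provider that supports this flow.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Windows.Foundation;
using Windows.Security.Authentication.Web;
using Windows.Security.Cryptography;

public static class BrokerLogin
{
    // Assumptions: placeholder endpoint and client id for a hypothetical OAuth2
    // provider; replace them with the values your provider documents.
    private const string AuthorizeEndpoint = "https://auth.example.com/oauth2/authorize";
    private const string ClientId = "YOUR_CLIENT_ID";

    // Returns the authorization code, or null when the user cancelled,
    // the request failed, or the response did not pass the state check.
    public static async Task<string> GetAuthorizationCodeAsync()
    {
        // Redirect URI of this app (ms-app://<package SID>); it must be
        // registered with the provider as an allowed redirect URI.
        Uri callback = WebAuthenticationBroker.GetCurrentApplicationCallbackUri();

        // Unpredictable per-request value, compared on return so that a
        // redirect the app did not initiate is discarded.
        string state = CryptographicBuffer.EncodeToHexString(
            CryptographicBuffer.GenerateRandom(32));

        var request = new Uri(AuthorizeEndpoint +
            "?response_type=code" +
            "&client_id=" + Uri.EscapeDataString(ClientId) +
            "&redirect_uri=" + Uri.EscapeDataString(callback.AbsoluteUri) +
            "&state=" + state);

        // The broker hosts the provider's login page in a system dialog;
        // credentials are typed there and are never visible to the app.
        WebAuthenticationResult result = await WebAuthenticationBroker.AuthenticateAsync(
            WebAuthenticationOptions.None, request, callback);

        if (result.ResponseStatus != WebAuthenticationStatus.Success)
            return null; // UserCancel or ErrorHttp (see result.ResponseErrorDetail)

        // ResponseData is the full redirect URI, e.g. ms-app://.../?code=...&state=...
        var query = new WwwFormUrlDecoder(new Uri(result.ResponseData).Query);
        string returnedState = query.FirstOrDefault(e => e.Name == "state")?.Value;
        string code = query.FirstOrDefault(e => e.Name == "code")?.Value;

        return returnedState == state ? code : null;
    }
}
```

The returned code is then exchanged for an access token at the provider's token endpoint over HTTPS; this only applies when the service offers an OAuth2 flow for user login.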