
This is a .NET WinForms application. It uses a webbrowser control in performing an OAuth2 process. In this scenario, once a User grants agreement for our app to access their Account (on Constant Contact), the redirect URL will contain an authorization code which we can use to acquire an access token. But the redirect navigation never takes place, so we do not receive the URL containing the authorization code. The webbrowser does not navigate from the "Allow/Don't Allow" page. Looking at this in Fiddler: when the User clicks "Allow", the Response header does include the code. But Fiddler also shows the session being aborted when SendingResponse, which, I presume, is why the only further feedback we get from our webbrowser control is "_javascript:void(0)".

This is the Response Header (from Fiddler):

HTTP/1.1 302 Found
Date: Sat, 14 Dec 2019 17:05:41 GMT
Content-Security-Policy: referrer origin
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
**Location: https://www.vinnow.com?code=wL9Iu2J6xpnmT7joclc4lgb4dtVF__12345**
Content-Length: 0

These are the associated Session Properties:

SESSION STATE: Aborted. 
Request Entity Size: 129 bytes. 
Response Entity Size: 0 bytes.

== FLAGS ==================
BitFlags: [IsHTTPS, ClientPipeReused, ServerPipeReused] 0x19
**X-ABORTED-WHEN: SendingResponse**
X-CLIENTIP: 127.0.0.1
X-CLIENTPORT: 58424
X-EGRESSPORT: 58425
X-HOSTIP: 208.75.122.17
X-PROCESSINFO: testctct.vshost:22196
X-RESPONSEBODYTRANSFERLENGTH: 0
X-SERVERSOCKET: REUSE ServerPipe#457

I would like to know if there is a way I can determine which side aborted the session (client / server)? And why is it getting aborted?

I've tried this process using numerous configurations for the webbrowser. Always the same result. I even tested using "webbrowser2" so I can trap any navigation errors. There were none. Same result. If this process is executed via a regular browser, or via Postman, it completes successfully.

There is an alternate OAuth2 process which, instead of returning an authorization code, returns an access token. But that access token is short lived and has no refresh token. That particular process completes successfully using the same webbrowser and the same procedure: User Login... User Allows... redirect to provided URL.

raleigh5
  • Have you modified the WebBrowser emulation feature, as shown, for example, here: [How can I get the WebBrowser control to show modern contents?](https://stackoverflow.com/a/38514446/7444103) and here: [Web browser control emulation issue (FEATURE_BROWSER_EMULATION)](https://stackoverflow.com/a/28626667/7444103) – Jimi Dec 19 '19 at 20:03
  • Yes, I have. Thanks. What really puzzles me is why the redirect works when the request is for a temp access token, but fails when the request is for an auth. code. – raleigh5 Dec 19 '19 at 20:19
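
The redirect step the question describes, as an added example that is not part of the original post: a helper that recognises the registered redirect URI in the control's `Navigating` event and reads the `code` parameter from it after checking it belongs to this request. It shows how the code is read once the control reports the navigation and does not explain the aborted session; the `OAuthRedirect` class, its method names and the use of a `state` parameter are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Windows.Forms;

static class OAuthRedirect
{
    // Splits "?a=1&b=2" into decoded pairs; the first occurrence of a key wins.
    static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        var pairs = query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (var pair in pairs)
        {
            var kv = pair.Split(new[] { '=' }, 2);
            var key = Uri.UnescapeDataString(kv[0].Replace('+', ' '));
            var value = kv.Length > 1 ? Uri.UnescapeDataString(kv[1].Replace('+', ' ')) : "";
            if (!result.ContainsKey(key)) result[key] = value;
        }
        return result;
    }

    // True only when 'navigated' is the registered redirect URI and carries a code.
    // 'expectedState' is an assumption: the state value sent with the authorization request.
    public static bool TryGetCode(Uri navigated, Uri registered, string expectedState, out string code)
    {
        code = null;
        if (navigated.Scheme != registered.Scheme || navigated.Port != registered.Port ||
            !string.Equals(navigated.Host, registered.Host, StringComparison.OrdinalIgnoreCase) ||
            navigated.AbsolutePath != registered.AbsolutePath)
            return false;                  // login page, consent page, or an unrelated site
        var query = ParseQuery(navigated.Query);
        string state;
        if (expectedState != null && (!query.TryGetValue("state", out state) || state != expectedState))
            return false;                  // response does not belong to this request
        return query.TryGetValue("code", out code) && !string.IsNullOrEmpty(code);
    }

    // Hooks the control: the redirect target never has to load, only its URL is read.
    public static void Attach(WebBrowser browser, Uri registered, string expectedState, Action<string> onCode)
    {
        browser.Navigating += (sender, e) =>
        {
            string code;
            if (!TryGetCode(e.Url, registered, expectedState, out code)) return;
            e.Cancel = true;               // do not load the redirect target itself
            onCode(code);
        };
    }
}
```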

0 Answers