How web authentication broker works (Windows Store apps)

The web authentication broker is the broker or facilitator between your app and authentication. It consists of a set of APIs, a broker, and a web host. Your app uses the APIs to communicate with the broker. The broker creates a new web host process in a separate app container. The broker communicates with the app, assembles the user interface (UI), and controls the lifecycle of the web authentication host. The web authentication host renders the pages from the online provider's website.

The following diagram shows the flow of information using web authentication broker.

Data flow for web authentication broker

Typical use

The typical workflow of using web authentication broker is as follows:

  1. An app invokes the web authentication broker providing a request (WebAuthenticationBroker.AuthenticateAsync) and callback URI (WebAuthenticationBroker.GetCurrentApplicationCallbackUri). These correspond to an Authorization Endpoint URI and Redirection URI in the OAuth 2.0 protocol. The OpenID protocol and earlier versions of OAuth have similar concepts.

  2. The broker creates a system dialog box that is modal to the calling app.

  3. The broker selects a dedicated app container that is separate from the calling app or any other app on the system and clears any persisted cookies.

    Note  This app container is never shared between two apps simultaneously unless the broker was started in the single sign-on (SSO) mode.

  4. The broker starts the web authentication host in the selected app container.

  5. The broker attaches the host's window to the dialog box it created earlier. The host window is responsible for rendering the web content.

  6. The web authentication host navigates to the request URI. Typically this is a logon page.

  7. As the user interacts with the online provider website by clicking links or submitting information, the host checks each URI for a match with a callback URI provided by the app before navigating to it.

  8. If a match is found, the host ends the navigation and signals the broker.

  9. The broker takes down the dialog box, clears any persisted cookies created by the host from the app container, and returns the protocol data back to the application.

Having the web authentication host in a separate process and in a separate app container allows user credentials to be separate from the app.

Web authentication broker sample


Connecting to online identity providers