The WebAuthenticationBroker
is just automating the common technique of looking for a specific URL to navigate to when the authentication is complete and canceling it to extract the access_token
. This is mostly used in mobile apps with an embedded browser. There's no server involved (except the Authorization Server).
There are 2 frequently used authentication flows in OAuth2:
- The authorization code flow
- The implicit grant flow
In #1 you there are 3 pieces: your server, the authorization server (e.g. Facebook) and the browser. On this flow the access_token is negotiated between your server and the AS, and the browser is an intermediary. (more details are described in this article)
In #2 the access_token
is negotiated between the browser (or a browser embedded in a native app) and the AS directly. There are no secrets stored anywhere (as in flow #1). (A summary here)
Your example is using #2 as indicated by the response_type=token
The access_token
is typically returned in an URL of the form:
http://{callback}/#access_token={the access token}
When the browser attempts to navigate to this address the WebAuthenticationBroker
will interrupt the navigation and call your code. You will then extract the access_token
and do whatever your app does with the AS (or your API).
This sample shows how to use it (with our own AS, but you can easily generalize it to any AS).
Note:
access_tokens
are usually opaque entities. There's no encryption or signature or anything. MOre modern systems will return aJson Web Token
, which does have meaning and content and is digitally signed. In the sample above, you will see that in addition anid_token
parameter in addition toaccess_token
. That is a JWT.