Xamarin Android WebView Authentication

The WebView browser component is commonly used to render web content within a native application layout. When the content is secured, it is required for the app to authenticate with the Web server first.  When using the WebView component, we can leverage the component events (HTTP pipeline) to detect a challenge-response authentication event from the server and automatically login our app.

Challenge Response Security

The challenge-response interaction is a security protocol (HTTP 401) event in which a server challenges the identity of a client, and the browser responds with the security credentials required to access the content. If the required credentials are not validated, the content is forbidden to the app. We can leverage this interaction to send the impersonating identity to the server by extending the WebViewClient class and overriding the authentication event. Let’s take a look.

Extending the WebViewClient Class

In order to write a handler for the challenge-response event, we need to extend the WebViewClient class. We start by implementing a constructor that can take the credential information. This enables the activity that instantiates our class to manage the credential information and just pass it to our class during the class instantiation.

internal class AuthWebViewClient : WebViewClient
    public string Username { get; }
    public string Password { get; }
    private int LoginCount = 0;
    /// <summary>
    /// gets the user credentials for the impersonation process
    /// </summary>
    /// <param name="username"></param>
    /// <param name="password"></param>
    public AuthWebViewClient(string username, string password)
        Username = username;
        Password = password;          
    /// <summary>
    /// handles the authentication with the website.
    /// </summary>
    /// <param name="view"></param>
    /// <param name="handler"></param>
    /// <param name="host"></param>
    /// <param name="realm"></param>
    /// <remarks>
    /// </remarks>
    public override void OnReceivedHttpAuthRequest(WebView view, HttpAuthHandler handler, string host, string realm)
            if (LoginCount < 3)
                handler.Proceed(Username, Password);
                LoginCount = 0;
        catch (Exception ex)
            Toast.MakeText(Application.Context, ex.Message, ToastLength.Long).Show();

Handling the Authentication

When we extend the WebViewClient class, we can override some of the class events. For the authentication pipeline, we override the OnReceivedHttpAuthRequest event which provides a reference to the HttpAuthHandler object. This object provides the Proceed method which we use to send the login credentials to the server.

One important area to note here is that if there is a problem with the credentials that we send to the server, the HTTP 401 event will continue to be sent back from the server. This can create a loop between the browser and server. To prevent this, we track the number of attempts, and cancel the authentication when the limit is met. This is done by using the Cancel method on the HttpAuthHandler object.

Please note that this simple approach to pass the username and password information from the browser to the server. There are still other securities areas to be concerned with like encrypting the communication channel to protect the security credentials from unwanted traces.

Thanks for reading.

Originally published by ozkary.com


Post a Comment

What do you think?