Best practice for OAuth/OIDC SSO with WinForms app

We are adding modern authentication (OAuth/OIDC) to an application that currently uses Windows integrated authentication for single sign on. The user signs into a Windows workstation and those credentials can be used by many applications, with authentication happening transparently over Kerberos.

Our app is a dot net web services based application and we have a client for users with browsers and a desktop client in WinForms. The browser scenario is no issue as the identity provider stores information in the browser that can be reused across applications in a similar way to WIA (IWA), but we are unsure the best way to handle the WinForms desktop application case. Currently the WinForms application opens a browser window to authenticate using the typical browser based method. The details from the identity provider are passed through the browser back to the WinForms app using a redirect and a custom protocol based URL.

This all works fine, but the user experience is not super tight and, for the case where the user is already logged in, requires them to press a button in the browser window as current Chromium based browsers seem unwilling to do a redirect without a recent user interaction.

Is there a better way?


What did you land on in using Winforms?

The method I described seems to be all that is possible at this time. It turns out there is an RFC that describes this method as the “official” method: RFC8252. We were able to clean it up a fair bit in our released software. In most cases we can pull the application to the foreground after a button is clicked in the browser, and in some cases we can close the browser tab. For those cases that we cannot, we provide a nice set of options for the user so they know why the tab is there.

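The flow the thread describes (system browser, custom-scheme redirect back to the WinForms app, per RFC 8252) needs two checks on the app side that the posts do not spell out: a PKCE verifier/challenge pair, and a per-request `state` value that is compared on the callback so a redirect the app did not initiate is rejected. The following is an added C# example, not code from the original posts; the class and method names, the `myapp` scheme and the endpoint and client values are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web; // HttpUtility (System.Web.HttpUtility on .NET Core / .NET 5+)

// Hypothetical helper: one instance per sign-in attempt in the WinForms app.
public sealed class NativeAppAuthRequest
{
    public string State { get; }
    public string CodeVerifier { get; }   // sent later to the token endpoint, never to the browser
    public string CodeChallenge { get; }  // S256 hash of the verifier, sent in the authorize URL

    public NativeAppAuthRequest()
    {
        State = Base64Url(RandomBytes(32));
        CodeVerifier = Base64Url(RandomBytes(32)); // 43 chars, inside the RFC 7636 43..128 range
        using (var sha = SHA256.Create())
            CodeChallenge = Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(CodeVerifier)));
    }

    // Builds the URL the app hands to the system browser (e.g. via Process.Start with UseShellExecute).
    public Uri BuildAuthorizeUri(Uri authorizeEndpoint, string clientId, string redirectUri, string scope)
    {
        var q = "response_type=code"
            + "&client_id=" + Uri.EscapeDataString(clientId)
            + "&redirect_uri=" + Uri.EscapeDataString(redirectUri)
            + "&scope=" + Uri.EscapeDataString(scope)
            + "&state=" + State
            + "&code_challenge=" + CodeChallenge
            + "&code_challenge_method=S256";
        return new Uri(authorizeEndpoint + "?" + q);
    }

    // Validates the custom-scheme callback, e.g. myapp://auth/callback?code=...&state=...
    // Returns false (and no code) unless the scheme matches and the state is the one we issued.
    public bool TryExtractCode(Uri callback, string expectedScheme, out string code)
    {
        code = null;
        if (!string.Equals(callback.Scheme, expectedScheme, StringComparison.OrdinalIgnoreCase)) return false;
        var query = HttpUtility.ParseQueryString(callback.Query);
        if (query["error"] != null) return false;   // provider reported a failure; do not proceed
        var returned = Encoding.ASCII.GetBytes(query["state"] ?? "");
        if (!CryptographicOperations.FixedTimeEquals(returned, Encoding.ASCII.GetBytes(State))) return false;
        code = query["code"];
        return !string.IsNullOrEmpty(code);
    }

    static byte[] RandomBytes(int n) { var b = new byte[n]; RandomNumberGenerator.Fill(b); return b; }
    static string Base64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

The code exchange itself (POST to the token endpoint with `code` and `CodeVerifier`) is not shown; the point here is that the callback the browser hands back is only accepted when it matches the request this process started.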