Login with WebBrowser control in WPF desktop application

We have a WPF desktop application that has a dialog with WebBrowser control that is used to authenticate the user, the sequence is like this:

  1. Navigate to Okta login page
  2. Let user enter his/her credentials and click login
  3. Catch when navigation is completed (and user is authenticated) and grab the cookie of our XXX.oktapreview.com site with InternetGetCookieEx (tried all options with HttpOnly, Third Party and combination)
  4. Store the cookie in cookies container in memory (replacing “;” with “,” due to incompatibility between output of InternetGetCookieEx and input of CookieContainer.SetCookies.
  5. Once time comes to renew the token (10 minutes for example), the request is made again with the cookie container and error returned is login_required with description: The client specified not to prompt, but the user is not logged in.

The funniest part is it sometimes works, without any specific change in Internet Explorer or in the code, which makes it even more frustrating.

Anyone stumbled upon such issue by chance?


P.S. I can say that when it works, I see 2 extra cookies: sid and JSESSIONID. When it doesn’t work - those cookies do not present. I couldn’t find any correlation when they are added and when they are not (not related to the checkbox “Save credentials” at all)

Hey @stpatrick! Quick clarification: Is the entire WPF application a web view, or are you just showing a web view when signing the user in? After signing in, what kinds of requests are you making with the cookie you are currently grabbing?

For a desktop application that needs to keep the user signed in, you should use the authorization code flow with PKCE to get access and refresh tokens that can be stored long-term on the device. However, I’ll need to understand your answer to the above questions before 100% recommending this path.

1 Like

Thank you for answer, Nate. We just showing a web view to sign the user in and the rest of application is pure .NET and all calls are made with System.Net.Http.HttpClient, where we pass authentication token received from login process.
After login, we store cookies in CookieContainer and use that container to get a new token when it is expired (10 minutes in our case) - this is where we get the login_required error.

We definitely not doing the flow you mentioned, will try to see if we can incorporate it in our process.