
I have to build a Windows Service which requires OAuth2 authentication. The service is intended (like all services should be) to run unattended (no user needs to be logged in to Windows). The problem is, there is some user interaction required to get the OAuth2 authentication.

The service uses a third party API (I have no control over it) to do some checks, and sends out an email if a check comes back negative. The API requires authentication through a website. The service will run on an "always on" server.

Once authentication is validated, I would have a refresh token to periodically refresh authentication. So no more user interaction should be required after the initial authentication.

I think the best solution is to create a WinForms/WPF application which prompts the user to log in to the website, install the service and start the service. As said, once authenticated, the service can run unattended since authentication can be periodically refreshed (tokens are saved in an encrypted file). If for some reason authentication is lost, the service can send out an email requesting a user to log in and re-authenticate.

I would imagine the following flow:

[Figure: Flow]

Is this an advisable solution, or is there something better? Have I forgotten/missed something?

  • Why does your service need to log in to the API with the personal account of a user? Can't the service authenticate itself with credentials that belong to the service? Commented Jan 12, 2018 at 11:30
  • @BartvanIngenSchenau... Good point. The service will in all likelihood get its own credentials. I wouldn't want to hardcode those credentials in the source code though. The credentials would also give access to our SVN repositories, for example. Hence, I think it's better to have a user log in. (Additionally, I haven't been able to programmatically log in. The steps involved are: 1. User logs in using username/password, 2. User gets a PIN code, which is fed back to the application, 3. Application is authorised. Step 1 I haven't been able to do programmatically (yet).) Commented Jan 12, 2018 at 12:26

1 Answer


OAuth2 of itself doesn't require the whole webpage third party prompts and Multi Factor tokens which are hard to automate.

You can use the password grant type and store a service username and password in your applications config.

However, if you don't control the authentication server and have to get a real person to log in, then your flow seems a sensible one.

You could potentially improve it by allowing the recipient of the email to complete the authentication process via a website rather than having to interact with the service directly. Perhaps even sending them the URL you get from the auth service.

But this would depend on the details of your implementation.

  • Thanks for your clear response. I do not have control of the authentication server, so I think I'll stick to this setup. Since I store the OAuth2 tokens locally (i.e. on the server where the service will run) in an encrypted file, I don't think a user can do the authentication remotely. This is not really an issue, since the server is 2 doors down the corridor. Commented Jan 12, 2018 at 13:14
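A sketch of the token-handling half of the flow from the question (the setup app saves the refresh token to an encrypted file, the service refreshes it on a schedule and reports when authentication is lost), which is also where the answer's "don't control the auth server" case lands. This is an added example, not code from the question or the answer: the token URL and client id are placeholders, it assumes a standard `refresh_token` grant on the provider's token endpoint, and it uses Windows DPAPI (`ProtectedData`) for the encrypted file.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public sealed class TokenStore
{
    // Placeholders: substitute the third-party provider's real token endpoint and client id.
    private const string TokenUrl = "https://AUTH-SERVER-PLACEHOLDER/oauth/token";
    private const string ClientId = "CLIENT-ID-PLACEHOLDER";
    private readonly string _path;
    private static readonly HttpClient Http = new HttpClient();
    public TokenStore(string path) => _path = path;

    // DPAPI with LocalMachine scope: the setup app runs as the interactive user but the
    // service runs under its own account, so user scope would not decrypt. LocalMachine
    // means any local process can decrypt, so also lock the file's NTFS ACL to the service account.
    public void Save(string refreshToken)
    {
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(refreshToken),
            null, DataProtectionScope.LocalMachine);
        File.WriteAllBytes(_path, blob);
    }
    public string Load() =>
        Encoding.UTF8.GetString(ProtectedData.Unprotect(File.ReadAllBytes(_path),
            null, DataProtectionScope.LocalMachine));

    // Returns a fresh access token, or null when the refresh token is no longer accepted
    // (revoked or expired); the caller then sends the "please log in again" email.
    public async Task<string> RefreshAsync()
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = Load(),
            ["client_id"] = ClientId,
        });
        using HttpResponseMessage resp = await Http.PostAsync(TokenUrl, form);
        if (resp.StatusCode == System.Net.HttpStatusCode.BadRequest ||
            resp.StatusCode == System.Net.HttpStatusCode.Unauthorized)
            return null; // invalid_grant: authentication lost, user interaction required
        resp.EnsureSuccessStatusCode();
        using JsonDocument doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        JsonElement root = doc.RootElement;
        // Many providers rotate refresh tokens; persist the new one or the next refresh fails.
        if (root.TryGetProperty("refresh_token", out JsonElement rotated))
            Save(rotated.GetString());
        return root.GetProperty("access_token").GetString();
    }
}
```

The setup application calls `Save` once with the refresh token it obtained interactively; the service calls `RefreshAsync` before each check and treats a null result as the trigger for the re-authentication email.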
