Discuss this help topic in SecureBlackbox Forum

OAuth: Use the OAuth client with embedded browser

For the first authorization (when we don't have a refresh token or it is not valid anymore) using the browser, embedded into your application, you need to take the following steps:

  1. Create an instance of TElHTTPSClient class, which will be used as a transport:


    // create and setup the http transport to be used to talk to
    // the authorization server
    TElHTTPSClient oauthTransport = new TElHTTPSClient();
    // assign an event handler to validate SSL certificate(s)
    oauthTransport.OnCertificateValidate += ...;

  2. Create an instance of TElSimpleOAuth2Client class and set all needed parameters using AuthURL, ClientID, ClientSecret, RedirectURL, Scope, TokenURL properties:


    // create a OAuth 2.0 client
    TElSimpleOAuth2Client oauth = new TElSimpleOAuth2Client();
    // assign the created HTTPS transport
    oauth.HTTPClient = https;
    // set the local URL to be used during authorization;
    // the specified port must be free and the application
    // has to be allowed to open a listening socket on that port
    oauth.RedirectURL = @"http://localhost:5050/";
    // authorization server URLs
    oauth.AuthURL = @"https://accounts.google.com/o/oauth2/auth";
    oauth.TokenURL = @"https://accounts.google.com/o/oauth2/token";
    // copy the client id and the client secret of your app
    // registered in Google Developers Console
    oauth.ClientID = @"your_client_id";
    oauth.ClientSecret = @"your_client_secret";
    // tell the authorization server what access is needed
    oauth.Scope = @"https://www.googleapis.com/auth/userinfo.email

  3. Call StartAuthorization() and obtain a text string. This string is the URL of the authorization page, which you need to show to the user in the embedded browser. If you provided a valid RefreshToken and new access token has been retrieved, then this method returns the empty string, which means that you can read AccessToken property and use the acess token in the transport protocol (HTTP, SMTP etc).
  4. If the URL provided is not empty, the application needs to direct the embedded browser to this URL, wait for authentication and obtain the authorization code.

    Retrieval of the authorization code is a heuristic procedure, where you need to analyze browser parameters and the page being shown. For example, Google server shows the web page, that has a title which starts with "Success code=", followed by the authorization code. And if your code analyzes the title, it can retrieve the authorization code automatically.

  5. Call CompleteAuthorization() method and pass it the authorization code. This method will exchange the authorization code to the access token, which the application can use in the transport protocol (HTTP, SMTP etc).. In case of any error the exception will be thrown.
  6. The results of the authentication process are:
    • AccessToken - the access token, which is usually used as a password during further protocol (HTTP, SMTP etc.) connections;
    • ExpiresAt - the date and time (in UTC) when the token becomes invalid. Different servers have different expiration times, from one hour to one year.
    • RefreshToken - the token, which is used to refresh the access token. You need to save it between sessions (application starts) and put back to TElSimpleOAuth2Client on the next start so that the component could retrieve the new access token.

How To articles about client-side OAuth questions

Discuss this help topic in SecureBlackbox Forum