RI Browser Token Expiration Handling Work Flow in WAC

RI Browser Token Expiration Handling Work Flow in WAC

Overview:

AUTHNCLI-862: SPIKE- Research on RI (browser) Token expiration handling

A feature to handle RI (Browser) token expiration handling to handle RI session after closing the browser in a current WAC user’s session.

This document elaborate the work flow for RI Browser Token Expiration Handling in WAC.

Initial Step: When we store the URL and token in the program data file, we should also save the encrypted username and password to that file.

Browser Launcher Steps:

• Get a token, username, and password from the program data file.

• Delete the program data file from where we get user details because of security reason.

• Save encrypted username and password with target string (through which we get username and password) to WinCred.

• After successfully saving data, Follow existing process for opening RI tenant.

Protocol Handler Workflow:

1. Initial setup: Get username and password using the target string from WinCred, decrypt data, and use username and password API’s to get a claim string through which we get a token.

2. Installer Configuration: The installer needs to register the custom protocol (httpsri) in the system and associate it with exe file and this registration allows the Protocol Handler to be triggered whenever a URL with the custom protocol (e.g., httpsri//) which, when clicked, triggers the Protocol Handler.

3. Link Creation: The installer should create a shortcut on the desktop that uses the custom protocol which, when clicked, triggers the Protocol Handler.  

Custom Protocol Handler Explanation:

• Custom Protocol Handler: These are user-defined protocols that are not part of the standard web protocols like http, https, ftp, etc. They are created to allow specific applications or executables to handle certain types of links.

• Purpose of Custom Protocol Handler: You might create a custom protocol, such as httpsri, to make your system recognize and handle a special type of URL. For instance, when a URL starting with httpsri:// is clicked, instead of opening in a web browser, it would trigger a specific program or exe that you've defined to handle this protocol.

Points to be remembered while implementation:

• Browser Launcher would decrypt the data for the current user from the file location, then remove that data from the file location while storing it in WinCred.

  • We could have it also store the token then launch Protocol Handler instead of the default browser + token

    • in this scenario, the protocol handler would see the token, delete it, then use it the first time

    • subsequent launches, proceed with workflow as described

  • We could have the current behavior of browser launcher launch the browser directly the first time

• Protocol Handler only retrieves the data from WinCred and launches the default browser URL https - the installed handler link on the desktop would need to be a url like httpsri

• The installer will need to add a protocol handler label httpsri linked to the exe.

Demo/ Working after Implementation:

Demo Video for WAC Token Expiration