Login to Box Using a Windows Dialog

• Download demo - 169.7 KB

Introduction

Many cloud storage providers like www.box.com use an authentication mechanism that directs you to a WEB page to enter your credential. If you develop a Web based application this is a natural way to do that, but in the case of a desktop application or a windows store App you would want to provide your own login screen that would be a windows form if you are writing a desktop application.

I have searched the forums for a solution to that problem but I failed to find an end to end solution. However some posts guided me to the solution I'm presenting in this article.

The method I describe is valid with the version 1 of the Box API. They have just release a V2 where the authentication mechanism is now using OAuth 2.0, but the current mechanism I describe is still valid.

Remark: You will need to register as a developer with Box.com as this code needs an API_KEY that you obtain after registering. This is a free process. This code uses the discontinued free library BoxSync that implements in C# the Box API v1.

WEB form submission with WebClient

My first solution to enter the credentials in a windows dialog was to put a IE control in a dialog box and pass it the URL of the Box login screen. The drawback of that solution is that once the WEB page displays the successful login, you still need to press the OK button of the dialog box.

The support of Box told me that they don't have any API to authenticate a user with its username/password, so I looked for a solution that would be to automate the login by submitting the authentication form from a C# program. After all, a browser is built on top of HTTP protocols that are accessible to a program using classes like WebRequest or WebClient.

I could find some useful posts that demonstrate how to submit a form using the WebClient client but there is more than just passing the data to the submit call, in the case of a real authentication protocol like the one of Box you need to understand exactly what data they submit to the server when you click Login.

The final code to submit the login form to Box is the following.

public bool AuthenticateUser(string ticket, string userName, string password, out string requestToken)
{
    bool authSuccess = false;
    requestToken = string.Empty;
    string url = string.Format("http://www.box.net/api/1.0/auth/{0}", ticket);

    // Use a WebRequest to process the login
    Stream respStream = ExecuteREST_Request(url, Method.GET);
    StreamReader reader = new StreamReader(respStream);

    string responseText = reader.ReadToEnd();

    requestToken = ExtractRequestToken(responseText);

    using (WebClient webClient = new WebClient())
    {
        try
        {
            NameValueCollection formFields = new NameValueCollection();
            formFields.Add("login", userName);
            formFields.Add("password", password);
            formFields.Add("_pw_sql", "");
            formFields.Add("remember_login", "on");
            formFields.Add("__login", "1");
            formFields.Add("dologin", "1");
            formFields.Add("reg_step", "");
            formFields.Add("submit1", "1");
            formFields.Add("folder", "");
            formFields.Add("skip_framework_login", "1");
            formFields.Add("login_or_register_mode", "login");
            formFields.Add("new_login_or_register_mode", "");
            formFields.Add("request_token", requestToken);

            webClient.Proxy = null;
            string actionUrl = string.Format("https://www.box.net/api/1.0/auth/{0}", ticket);
            byte[] result = webClient.UploadValues(actionUrl, METHOD_POST, formFields);
            string htmlText = ASCIIEncoding.ASCII.GetString(result);

            if (CheckAuthenticated(htmlText))
            {
                authSuccess = true;
            }
            else
            {
                requestToken = ExtractRequestToken(htmlText);
                authSuccess = false;
            }
        }
        catch (WebException ex)
        {
            Trace.WriteLine(ex.Message);
        }
    }

    return authSuccess;
}

If you look at this code, and especially at the part that is preparing the parameters for the submit request, you will notice that there are many more parameters than the user name and password.

That's the interesting part of the problem, when you want to submit a particular form using WebClient for instance, you need to know what the submit request contains exactly when you press the submit button!

Analyzing the submit request

The first step you need to do is to analyze the source of the WEB that contains the Login form. From that source you will extract the URL where to post the data. You'll find this URL in the Action of the form. In the case of Box, the URL is the following one.

https://www.box.net/api/1.0/auth/<ticket>

The ticket is an identification string that you get when initializing the authentication process with Box.

Once you have the URL where to submit the form, you need to identify all the parameters that need to be passed with the request. You can identify them by looking at the source of the page but it may not be easy to rebuild the request and in the case of an authentication, only one bit is enough to fail it.

I used a HTTP debugging tool to see the exact request which is sent to the server. The tool I found is Fiddler Web Debugger that you can download on their web page. This tool proved very useful as it is able to monitor an https request which is what I needed to do as the Box login url is on https.

Using Fiddler configured to monitor the https traffic I could see the exact content of the requested submitted to the Box server for the authentication. I could see that there were many other fields than the user/password and one particularly attracted my attention. This field is request_token and its value is a string token that is different for every login.

Fortunately I could easily find in the source of the page where the value was set and it is in a piece of script. I wrote a simple method to extract that value from the login page and used it to build the parameters.

The last step of this authentication method is to check whether the authentication was successful or not. Once again you need to analyze the response from the request submission in order to know the outcome. In the page that is returned when the operation is successful I found the following string that gives me the proper information: api_auth_success.

So when I submit the form I simply check if that string is present in the response page and I can decide if it is successful or not.

Conclusion

This code only works with the Box login form, however you can apply this method to any form that you need to submit by program. There is no simple way to make this code generic because you need to analyze the source code of the form and even if in some cases it could be totally automated, in the case of Box it would be difficult because of that field that is set by the execution of a script. Another limitation of that method is that it depends on the method used by the builders of the page. If they change something in their page, this code won't work any more. So if suddenly the login doesn't work anymore, the chances are high that they would have changed something in the format of the submit request.

Points of Interest

It took me some time to gather all the knowledge to do this simple login window to authenticate to a Box account, so I think that many readers of CodeProject will find this simple code useful.