WebAuthenticator for unpackaged apps

[MarcinPawlicaFS]

I am currently developing a MAUI app that's been using your WebAuthenticator, which has been working great since you managed to fix the Okta issue I reported a while back :) We are currently preparing our app for distribution, and since it's gonna be sideloaded (i.e. not published in MS store), and our current users (of a WPF app that we're replacing) are used to a "regular windows installer", we thought we'll follow the same route and publish the app as unpackaged, and then simply prepare a WIX installer. However, it seems that WebAuthenticator has a very strict rule that prevents it from working in unpackaged apps:

if (!Helpers.IsAppPackaged)
{
    throw new InvalidOperationException("The WebAuthenticator requires a packaged app with an AppxManifest");
}

What is the reason for this? Are there some security concerns for unpackaged apps?

[dotMorten]

The reason is it uses the app activation schema you define in the app manifest to redirect you back to the app after signing in to the browser. This is one of the features of packaged apps. It could be done with unpackaged apps but requires registry entries and stuff so not really an easy solution since you’d need an installer to setup and clean up those registries

[MarcinPawlicaFS]

Thank you, I didn't realize unpackaged apps do not support activation schemas out of the box.
In the WPF app we actually host an http server that awaits for the browser callback, maybe we will just need to do the same in the MAUI app. Again, thanks for the explanation.

[dotMorten]

Yes you can totally do something like this. I've experimented with that as well, but did often run into issues with port conflicts and some oauth servers not liking that you use different ports each time.

[SittenSpynne]

@dotMorten Is there some documentation I could go read about those registry entries? Do you think it'd be possible for me to make a fork of WebAuthenticator work with it, or would it require doing a lot of stuff on my end, too?

I'm already building an MSI installer so setting up some registry keys won't be an issue.

[dotMorten]

I'm not sure - I haven't delved into that at all. All I know is I've seen unpackaged apps do this, so I know it's possible, but messing with registry entries gets messy - especially ensuring they get removed on app-uninstall etc.
Requiring packaging is definitely one of the biggest shortcomings of the WebAuthenticator, and one of the arguments I'm using trying to convince Microsoft to port the WebAuthenticationBroker over to the WindowsAppSDK.
The alternative is you just do a webview in a window and sign in inside the app. That's not quite the best security practice, but really only applies if you're building an app for users who might not trust you or know who you are (ie mainly consumer apps).

[SittenSpynne]

That's fair. It seems like this might be the roadblock that's convincing our client to let us give them an MSIX, so the problem might solve itself.