ESI from WPF callback issue

Hi,

It looks like there has been a change to the way the callback is handled with the ESI.

For my tool, EVE Planetary Planner, I use the ESI to get a character's skills and PI setup.

In the past, in my URL, I could add some custom parameters at the end of the callback, and the ESI would work fine on the authentication.

But now it seems that the callback URL needs to be a perfect match of what was declared in the ESI application.

This is what I did until now to authenticate the user (which does not work anymore)

First I send a unique code to my webserver to associate the client request with it.
Then I open the browser with the full URL so that the user can authorize my application to get his/her data. That URL contains the callback URL with an extra parameter that is the unique code generated before. (“http://eveplanetaryplanner.com/Callback?id={0}”)
When the authentication is done, the ESI uses the callback URL to give me the code (which is now on my server) with the unique code.
Meanwhile my app polls the webserver until an ESI code is associated with the unique code I generated.

This is my code (I removed the part for the code generation/storage on my webserver for clarity)

// Send request to ESI
EsiConfig clientConfig = new EsiConfig(ESI_API.Config);
clientConfig.CallbackUrl = string.Format(clientConfig.CallbackUrl, this._uniqueCode);
this._client = new EsiClient(clientConfig);
// Open URL in default browser
System.Diagnostics.Process.Start(this._client.SSO.CreateAuthenticationUrl(ESI_API.Scopes));
// Then poll until code is returned
Thread thread = new Thread(new ThreadStart(GetCode));
thread.IsBackground = true;
thread.Start();

My problem is that when I open the browser with Process.Start, I lose control of the communication, so I cannot intercept the callback and extract the ‘code’ from the return URL.
That is why I am using a controller on my website to retrieve the code and I have to wait with a thread loop until it receives it.

Since the ESI is now more picky about the callback URL, I cannot do this anymore.

Is there a way for me to bypass the polling part?
Meaning that I would like my app to directly receive/intercept the callback.
That way I could get rid of the whole ‘unique code’ generation/polling thing.

How can I open the browser for authentication and still get the code from the ESI in my app directly?

Note: I am using WPF.

In short you need to use the state parameter (preferably with a UUID), instead of the id thing you have now.

state=<something-unique> - Replace all text after the = with a unique string of your choice. state is required by EVE’s SSO to encourage extra security measures. A good explanation about how your application can be more secure with the use of the state parameter can be found here.

For details see: https://github.com/esi/esi-docs/blob/master/docs/sso/native_sso_flow.md

Also, you should probably change to PKCE, so you don’t need to use your web server to auth.
The link above also explains PKCE. It’s much better suited for Desktop applications.
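
An added example, not part of the thread and not code from the ESI docs or the poster's tool: one way a desktop app could receive the callback itself using `state` plus PKCE. It assumes the application's registered callback is the loopback URL shown (the port and client ID are constructed placeholders), that the authorize endpoint is taken from the linked SSO documentation and passed in, and the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;

static class NativeSsoExample
{
    // Constructed placeholders: use the values registered for your own application.
    const string ClientId = "YOUR_CLIENT_ID";
    const string RedirectUri = "http://localhost:8635/callback/"; // must equal the registered callback exactly

    static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static string RandomToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Base64Url(bytes); // 43 URL-safe characters
    }

    // Returns the authorization code; throws if the callback lacks a code or carries a different state.
    public static string Authorize(string authorizeEndpoint, string scopes, out string codeVerifier)
    {
        string state = RandomToken();   // takes the place of the old "?id=" callback parameter
        codeVerifier = RandomToken();   // PKCE secret, kept in the app until the token request
        string challenge;
        using (var sha = SHA256.Create())
            challenge = Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));
        string url = authorizeEndpoint + "?response_type=code" +
            "&redirect_uri=" + Uri.EscapeDataString(RedirectUri) +
            "&client_id=" + Uri.EscapeDataString(ClientId) +
            "&scope=" + Uri.EscapeDataString(scopes) +
            "&code_challenge=" + challenge + "&code_challenge_method=S256" +
            "&state=" + state;
        using (var listener = new HttpListener())
        {
            listener.Prefixes.Add(RedirectUri);               // loopback only, same path as the callback
            listener.Start();                                 // listen before the browser opens
            System.Diagnostics.Process.Start(url);            // default browser, as in the original post
            HttpListenerContext ctx = listener.GetContext();  // blocks until the SSO redirects back
            string code = ctx.Request.QueryString["code"];
            string returnedState = ctx.Request.QueryString["state"];
            ctx.Response.Close();                             // empty 200 response to the browser
            if (code == null || returnedState != state)
                throw new InvalidOperationException("Callback rejected: missing code or state mismatch.");
            return code;
        }
    }
}
```

Call it from a background thread so `GetContext` does not block the WPF UI. The returned code is then exchanged together with `codeVerifier` in the token request, as the linked document describes.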

Thanks a lot :slight_smile: