This repository has been archived by the owner on Jun 30, 2023. It is now read-only.
Right usage of confidential client flows
Jean-Marc Prieur edited this page Nov 1, 2018 · 7 revisions
- Confidential client flows should only be used in middle-tier applications and DevOps tooling. Confidential clients hold application secrets, and, as basic security hygiene, the industry considers that device apps should not use confidential client flows. There are exceptions, though: there are scenarios for Kiosk mode in WinRT or UWP that require the client app to execute the client credentials grant. WinRT applications should only use the APIs for client credentials, not the ones that redeem an authorization code or pass in a user assertion.
- There are also APIs that should only be used on desktop (.NET Framework or .NET Core):
  - The GetAuthorizationRequestUrl() API should not be used on WinRT, iOS or Android. It exists only for headless applications (console-only, with no browser capability), and these platforms have browser capabilities.
  - The Device Profile API should only be used on desktop, .NET Core and UWP.
ADAL.NET has been exposing these APIs since version 3.0, even though they should not be used on some devices (Xamarin iOS, Xamarin Android, UWP).
In MSAL.NET the API surface is already cleaner, as we only expose each API on the platforms where it should be used. If/when we release a future major version of ADAL.NET (which would authorize breaking changes to the public API), we would remove the APIs that should not be used. Meanwhile, we have marked these APIs with [Obsolete] attributes on the platforms where they should not be used, to give developers a chance to move to the right APIs, and in case we have overlooked a scenario on Android and iOS devices.
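To make the first point concrete, here is an added example (not code from the ADAL.NET wiki or the library's samples) of the one confidential-client call that belongs in a middle-tier service: the client-credentials grant via `AuthenticationContext.AcquireTokenAsync(resource, ClientCredential)`. The tenant, client id, secret and resource are hypothetical values read from environment variables whose names are assumed here, so the secret never ends up compiled into a binary that could be shipped to a device; the downstream API endpoint is likewise a placeholder.

```csharp
// Added example: a middle-tier .NET service using the client-credentials grant
// with ADAL.NET. Not part of the original page; environment variable names,
// tenant, client id, secret and resource are assumed placeholders.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public sealed class MiddleTierTokenProvider
{
    private readonly AuthenticationContext _authContext;
    private readonly ClientCredential _clientCredential;
    private readonly string _resource;

    public MiddleTierTokenProvider()
    {
        // Assumed variable names. A real deployment would source the secret
        // from a secret store; the point is that it lives on the server only.
        string tenant   = Require("AAD_TENANT_ID");
        string clientId = Require("AAD_CLIENT_ID");
        string secret   = Require("AAD_CLIENT_SECRET");
        _resource       = Require("AAD_RESOURCE"); // App ID URI of the downstream API

        _authContext = new AuthenticationContext($"https://login.microsoftonline.com/{tenant}");
        _clientCredential = new ClientCredential(clientId, secret);
    }

    // Client-credentials grant: no user is involved. This is the overload a
    // daemon or web API should call; the overloads that redeem an authorization
    // code or take a UserAssertion are for web apps and on-behalf-of scenarios
    // and have no place in a device app. ADAL caches the result and refreshes
    // it when it nears expiry, so calling this per request is fine.
    public async Task<string> GetAccessTokenAsync()
    {
        AuthenticationResult result =
            await _authContext.AcquireTokenAsync(_resource, _clientCredential).ConfigureAwait(false);
        return result.AccessToken;
    }

    // Attaches the token as a bearer header when calling the downstream API.
    public async Task<string> CallDownstreamApiAsync(HttpClient http, Uri endpoint)
    {
        string token = await GetAccessTokenAsync().ConfigureAwait(false);
        using (var request = new HttpRequestMessage(HttpMethod.Get, endpoint))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            using (HttpResponseMessage response = await http.SendAsync(request).ConfigureAwait(false))
            {
                response.EnsureSuccessStatusCode();
                return await response.Content.ReadAsStringAsync().ConfigureAwait(false);
            }
        }
    }

    // Fails fast when configuration is missing rather than falling back to a
    // hard-coded secret, which is the mistake that turns a public client into
    // an accidental confidential client.
    private static string Require(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Missing configuration value {name}");
        return value;
    }
}

public static class Program
{
    public static async Task Main()
    {
        var provider = new MiddleTierTokenProvider();
        using (var http = new HttpClient())
        {
            // Placeholder endpoint for the downstream API.
            string body = await provider.CallDownstreamApiAsync(http, new Uri("https://api.example.invalid/data"));
            Console.WriteLine(body);
        }
    }
}
```

The same `AuthenticationContext` instance should be kept for the lifetime of the process so ADAL's in-memory token cache is reused; creating one per call throws the cache away and turns every request into a round trip to the token endpoint.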