There are a number of concerns with this auth sample.
1) It uses ADAL which is end of life and will not receive any support (including security patches) after June 2022.
2) It uses a urn: redirect URI which is against security best practices, opens possibilities for the redirect URI to be hijacked - it should be using https://login.microsoftonline.com/common/oauth2/nativeclient instead
3) The sample also appears to use device code flow - this is incompatible with IT polices that require managed devices (device Conditional Access policy)
4) I don't quite understand InteractiveADALExchangeGraphTokenForVSTSToken, it seems unnecessary to do AcquireTokenAysnc on a graph resource id before doing a AcquireTokenSilentAsync on a vstsresourceid - what's the rationale here?
Could my team help you modernize this sample?
Saeed Akhter - Lead PM - Microsoft Identity Platform
https://github.com/microsoft/azure-devops-dotnet-samples/blob/5d5e23e7da54ac69d3209f3e5d1f125617dd9881/ClientLibrary/Quickstarts/Auth/InteractiveAuthSample.cs#L30
There are a number of concerns with this auth sample.
1) It uses ADAL which is end of life and will not receive any support (including security patches) after June 2022. 2) It uses a urn: redirect URI which is against security best practices, opens possibilities for the redirect URI to be hijacked - it should be using https://login.microsoftonline.com/common/oauth2/nativeclient instead 3) The sample also appears to use device code flow - this is incompatible with IT polices that require managed devices (device Conditional Access policy) 4) I don't quite understand InteractiveADALExchangeGraphTokenForVSTSToken, it seems unnecessary to do AcquireTokenAysnc on a graph resource id before doing a AcquireTokenSilentAsync on a vstsresourceid - what's the rationale here?
Could my team help you modernize this sample?