This repository was archived by the owner on Oct 4, 2021. It is now read-only.
InteractiveAuthSample.cs is not following security best practices #305
Open
Description
There are a number of concerns with this auth sample.
- It uses ADAL which is end of life and will not receive any support (including security patches) after June 2022.
- It uses a urn: redirect URI, which is against security best practices and opens the possibility of the redirect URI being hijacked - it should be using https://login.microsoftonline.com/common/oauth2/nativeclient instead
- The sample also appears to use device code flow - this is incompatible with IT policies that require managed devices (device Conditional Access policy)
- I don't quite understand InteractiveADALExchangeGraphTokenForVSTSToken; it seems unnecessary to do AcquireTokenAsync on a graph resource id before doing an AcquireTokenSilentAsync on a vstsresourceid - what's the rationale here?
Could my team help you modernize this sample?
- Saeed Akhter - Lead PM - Microsoft Identity Platform
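Added example, not the repository's InteractiveAuthSample.cs and not code from the issue author: the same "interactive sign-in for a native client" flow written against MSAL (Microsoft.Identity.Client) with the nativeclient redirect URI, requesting the Azure DevOps resource directly and trying the cache silently before falling back to a browser prompt. The client ID and the Azure DevOps resource id are placeholders; the page does not give them.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not the repository's sample): MSAL replacement for the ADAL-based flow.
// CLIENT_ID and the Azure DevOps resource id are placeholders, not values from the page.
public static class MsalInteractiveSample
{
    private const string ClientId = "<your-app-registration-client-id>";          // placeholder
    private const string Authority = "https://login.microsoftonline.com/common";
    // Redirect URI for native/public clients, as recommended in the issue, never a urn: value.
    private const string RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient";
    // Ask for the Azure DevOps resource directly; no detour through a Graph token first.
    private static readonly string[] Scopes = { "<azure-devops-resource-id>/.default" }; // placeholder

    public static async Task<string> GetAccessTokenAsync()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(Authority)
            .WithRedirectUri(RedirectUri)
            .Build();

        // Silent first: reuses a cached account and refresh token without prompting.
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                AuthenticationResult silent = await app
                    .AcquireTokenSilent(Scopes, account)
                    .ExecuteAsync();
                return silent.AccessToken;
            }
            catch (MsalUiRequiredException)
            {
                // Cache miss, expired refresh token or policy change: user interaction needed.
            }
        }

        // Browser-based interactive sign-in instead of device code flow, so that
        // device-based Conditional Access policies can be evaluated for this client.
        AuthenticationResult result = await app
            .AcquireTokenInteractive(Scopes)
            .ExecuteAsync();
        return result.AccessToken;
    }
}
```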