Update CustomWebUI interface docs with security related caution message #721
PoliCheck Scan Report
The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 and severity-2 issues. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans.
✅ No issues found
More information about PoliCheck
Information: PoliCheck | Severity Guidance | Term
Learn Build status updates of commit a2f68c7: 💡 Validation status: suggestions
msal-dotnet-articles/advanced/extensibility-points.md
For more details, please refer to the build report. Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
Learn Build status updates of commit 93ae232: 💡 Validation status: suggestions
msal-dotnet-articles/advanced/extensibility-points.md
dotnet/xml/Microsoft.Identity.Client.Extensibility/ICustomWebUi.xml
Hi @ashok672 @iulico-1, thanks for the updates here. Just had a quick look, these are great updates. One callout, though: I wouldn’t recommend editing the XML files directly in this repo, since they’re auto-generated from the SDK source code. Any changes to the XML docs should be made in the corresponding file in the SDK source repo instead; otherwise, they’ll be overwritten the next time CI regenerates and updates the reference content. As-is, these updates will get published and show up in the docs, but only until the next refresh auto-generates XML files from source, and everything gets overwritten.
Learn Build status updates of commit 02f2cb9: 💡 Validation status: suggestions
msal-dotnet-articles/advanced/extensibility-points.md
Learn Build status updates of commit 8b69f1f: 💡 Validation status: suggestions
msal-dotnet-articles/advanced/extensibility-points.md
Learn Build status updates of commit e45af06: 💡 Validation status: suggestions
msal-dotnet-articles/advanced/extensibility-points.md
Thanks for the review and it was helpful. I was not aware of this mechanism. I have updated the MSAL.NET documentation with the same change. Here is the PR for that
Added CAUTION alerts to ICustomWebUi documentation warning developers about security risks when using native client redirect URIs (http://localhost and https://login.microsoftonline.com/common/oauth2/nativeclient) with custom web UI implementations. The approach is no longer functional due to eSTS redirecting within 3 seconds to clear the authorization code from the URL, breaking manual code extraction flows. Developers are directed to use Broker authentication (WAM) or embedded browser flow as recommended alternatives.