Skip to content
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,20 @@
MSAL.NET provides an embedded web view for Windows and Mac, but there are other scenarios not yet supported.
This extensibility point enables them to provide such UI in a secure way
</summary>
<remarks>To be added.</remarks>
<remarks>
<format type="text/markdown"><![CDATA[
> [!CAUTION]
> **ICustomWebUi is not recommended for production use due to security risks and current service limitations.**
>
> - **Security Risk**: Using native client redirect URIs (like `http://localhost` or `https://login.microsoftonline.com/common/oauth2/nativeclient`) with custom web UI implementations poses significant security risks and is generally not recommended for production applications.
> - **Service Issue**: This approach typically requires users to manually copy the authorization code from the URL—an anti-pattern most commonly seen with the `nativeclient` URI. This pattern will not work in most configurations and poses security risks.
Comment thread
ashok672 marked this conversation as resolved.
Outdated
Comment thread
ashok672 marked this conversation as resolved.
Outdated
> - **Recommended Alternatives**:
> - **Use [Broker authentication (WAM)](https://learn.microsoft.com/entra/msal/dotnet/acquiring-tokens/desktop-mobile/wam)** for Windows 10+ applications - provides the best security and user experience
> - **Use embedded browser flow** as described in [Using web browsers](https://learn.microsoft.com/entra/msal/dotnet/acquiring-tokens/using-web-browsers)

This interface should only be used for testing or legacy scenarios where migration is not yet possible.
Comment thread
ashok672 marked this conversation as resolved.
Outdated
]]></format>
</remarks>
</Docs>
<Members>
<Member MemberName="AcquireAuthorizationCodeAsync">
Expand Down
11 changes: 10 additions & 1 deletion msal-dotnet-articles/advanced/extensibility-points.md
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,15 @@ Details [here](/dotnet/api/microsoft.identity.client.abstractacquiretokenparamet

## Desktop / Mobile Apps - ICustomWebUi

Allows desktop and mobile apps to use their own browser instead of the embedded / system browsers provided by MSAL.
> [!CAUTION]
> **ICustomWebUi is not recommended for production use due to security risks and current service limitations.**
>
> - **Security Risk**: Using native client redirect URIs (like `http://localhost` or `https://login.microsoftonline.com/common/oauth2/nativeclient`) with custom web UI implementations poses significant security risks and is generally not recommended for production applications.
> - **Service Issue**: This approach typically requires users to manually copy the authorization code from the URL—an anti-pattern most commonly seen with the `nativeclient` URI. This pattern will not work in most configurations and poses security risks.
> - **Recommended Alternatives**:
> - **Use [Broker authentication (WAM)](../acquiring-tokens/desktop-mobile/wam.md)** for Windows 10+ applications - provides the best security and user experience
> - **Use embedded browser flow** as described in [Using web browsers](../acquiring-tokens/using-web-browsers.md)

While ICustomWebUi allows desktop and mobile apps to use their own browser instead of the embedded / system browsers provided by MSAL, it should only be used for testing or legacy scenarios where migration is not yet possible.

Details [here](/dotnet/api/microsoft.identity.client.extensibility.icustomwebui?view=azure-dotnet)