I am learning that there is a big emphasis on “state” or “nonce” parameters:

Difference between OAuth 2.0 "state" and OpenID "nonce" parameter? Why state could not be reused?

At the same time, I understand that Microsoft recommends using MSAL and ASP.NET Core that properly and securely handle Azure AD and B2C protocols.

Do ASP.NET Core and MSAL handle “state” or “nonce” parameters, or must developers handle them manually?

I am asking since I don't want to spend effort doing something that is done better in MSAL.

marc_s
Allan Xu

1 Answer

They are automatically handled by all our supported platforms (.NET, Java, iOS, Android, JavaScript, Xamarin).

Jas Suri - MSFT
  • We have a debate in our company over this topic. Is there any Microsoft documentation that confirms that MSAL handles state and nonce? – Allan Xu Feb 11 '22 at 19:14