Hello, what is the best practice for verifying that an authentication code returned from Azure Active Directory (via ADAL) is valid/not spoofed/etc.? Right now I don't know how to properly keep a user from invoking Https://MY_REPLY_URL/ROUTE/CatchCode?code=SOMEGARBAGEAUTHCODEHERE
There must be a more elegant solution than simply:
    // Reject the callback outright if no code was returned.
    if (Request.Query["code"] == null) return HttpStatusCode.Unauthorized;

    try
    {
        // If the code is invalid, AcquireTokenByAuthorizationCode throws an AdalException.
        string authorizationCode = Request.Query["code"];
        var authenticationResult = authenticationContext.AcquireTokenByAuthorizationCode(
            authorizationCode, new Uri(AAD.REPLY_URL), clientCredential);
    }
    catch (AdalException)
    {
        // return 401 Unauthorized
        return HttpStatusCode.Unauthorized;
    }
    // else use the code / token
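As an added example (not code from the question's author), one way to stop arbitrary callers from hitting the reply URL with a made-up code is the standard OAuth 2.0 `state` parameter: mint an unguessable value before redirecting to Azure AD, keep it server-side, and require the callback to echo it back before the code is redeemed. The redemption call itself remains the real validity check, because only Azure AD's token endpoint can verify an authorization code; a locally forged code fails there. The `IDictionary<string, string>` session store, the class and method names, and the existence of the `AAD` class are assumptions; `AAD.REPLY_URL`, `AcquireTokenByAuthorizationCode` and the ADAL types are the ones the question already uses.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example, not the asker's code. Assumes an ADAL (v2-style, synchronous)
// AuthenticationContext, the AAD.REPLY_URL constant from the question, and a
// per-user server-side session modelled here as IDictionary<string, string>.
public class AuthCodeCallbackHandler
{
    private const string StateSessionKey = "aad_oauth_state";
    private readonly AuthenticationContext _authenticationContext;
    private readonly ClientCredential _clientCredential;

    public AuthCodeCallbackHandler(AuthenticationContext authenticationContext, ClientCredential clientCredential)
    {
        _authenticationContext = authenticationContext;
        _clientCredential = clientCredential;
    }

    // Step 1: before redirecting to the Azure AD authorize endpoint, mint a random,
    // single-use state value and remember it in the user's session. The same value
    // is appended as the "state" query parameter of the authorize request URL.
    public string CreateState(IDictionary<string, string> session)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        string state = Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_'); // URL-safe form
        session[StateSessionKey] = state;
        return state;
    }

    // Step 2: on the callback, reject anything that does not carry the state issued to
    // this session, then let Azure AD decide whether the code is genuine by redeeming it.
    // Returns the AuthenticationResult on success, or null with statusCode set on failure.
    public AuthenticationResult HandleCallback(
        IDictionary<string, string> session, string code, string state, out HttpStatusCode statusCode)
    {
        string expectedState;
        bool hadState = session.TryGetValue(StateSessionKey, out expectedState);
        session.Remove(StateSessionKey); // single use: a replayed callback must not match

        if (!hadState || string.IsNullOrEmpty(state) || !FixedTimeEquals(expectedState, state))
        {
            // No login was started from this session, or the value was tampered with:
            // the code never reaches the token endpoint.
            statusCode = HttpStatusCode.Unauthorized;
            return null;
        }

        if (string.IsNullOrEmpty(code))
        {
            statusCode = HttpStatusCode.Unauthorized;
            return null;
        }

        try
        {
            // Only Azure AD can validate the code: a forged or expired code fails here.
            AuthenticationResult result = _authenticationContext.AcquireTokenByAuthorizationCode(
                code, new Uri(AAD.REPLY_URL), _clientCredential);
            statusCode = HttpStatusCode.OK;
            return result;
        }
        catch (AdalException)
        {
            // Covers invalid, expired and already-redeemed codes. Log the exception
            // server-side; do not echo its details back to the caller.
            statusCode = HttpStatusCode.Unauthorized;
            return null;
        }
    }

    // Compare the two state strings without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The `state` check runs before the ADAL call, so a request that was not preceded by a redirect issued from the same session is dropped without a round trip to Azure AD; the `try`/`catch` around `AcquireTokenByAuthorizationCode` then handles the case the question already covers, a code that Azure AD itself rejects. Removing the stored state before comparing makes each callback single-use, so a captured callback URL cannot be replayed against the same session.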