Commit 65fe44b

Merge pull request #171451 from maliksahil/pubclientrediruri
Added information around default redirect uri for public client apps
2 parents c3b37b8 + fc8a5bd commit 65fe44b

1 file changed

+19
-0
lines changed

articles/active-directory/develop/msal-net-instantiate-public-client-config-options.md

Lines changed: 19 additions & 0 deletions
@@ -28,6 +28,25 @@ Before initializing an application, you first need to [register](quickstart-regi
2828
- The tenant ID if you are writing a line of business application solely for your organization (also named single-tenant application).
2929
- For web apps, and sometimes for public client apps (in particular when your app needs to use a broker), you'll have also set the redirectUri where the identity provider will contact back your application with the security tokens.
3030

31+
## Default Reply Uri
32+
33+
In MSAL.NET 4.1+ the default redirect URI (Reply URI) can now be set with the `public PublicClientApplicationBuilder WithDefaultRedirectUri()` method. This method will set the redirect uri property of public client application to the recommended default.
34+
35+
This method's behavior is dependent upon the platform that you are using at the time. Here is a table that describes what redirect uri is set on certain platforms:
36+
37+
Platform | Redirect URI
38+
--------- | --------------
39+
Desktop app (.NET FW) | `https://login.microsoftonline.com/common/oauth2/nativeclient`
40+
UWP | value of `WebAuthenticationBroker.GetCurrentApplicationCallbackUri()`
41+
.NET Core | `http://localhost`
42+
43+
For the UWP platform, is enhanced the experience by enabling SSO with the browser by setting the value to the result of `WebAuthenticationBroker.GetCurrentApplicationCallbackUri()`.
44+
45+
For .NET Core, MSAL.Net is setting the value to the local host to enable the user to use the system browser for interactive authentication.
46+
47+
> [!NOTE]
48+
> For embedded browsers in desktop scenarios the redirect uri used is intercepted by MSAL to detect that a response is returned from the identity provider that an auth code has been returned. This uri can therefore be used in any cloud without seeing an actual redirect to that uri. This means you can and should use `https://login.microsoftonline.com/common/oauth2/nativeclient` in any cloud. If you prefer you can also use any other uri as long as you configure the redirect uri correctly with MSAL and in the app registration. Specifying the default Uri in the application registration means there is the least amount of setup in MSAL.
49+
3150

3251
A .NET Core console application could have the following *appsettings.json* configuration file:
3352
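
Review bot: The new section does not say whether the .NET Core default `http://localhost` (added line 41) has to be added to the app registration. The note at added lines 47-48 explains the registration requirement only for embedded browsers in desktop scenarios, while added line 45 says .NET Core uses the system browser, so a reader on that platform is left guessing. Please add one sentence stating what must be registered for the system-browser case. Added line 43 is also missing its subject ("For the UWP platform, is enhanced the experience by..."); something like "For the UWP platform, MSAL.NET enhances the experience by enabling SSO with the browser, setting the value to the result of `WebAuthenticationBroker.GetCurrentApplicationCallbackUri()`" would read correctly. On style, the section mixes "Reply Uri", "redirect URI", "redirect uri" and "Uri", and writes both "MSAL.NET" and "MSAL.Net"; pick one spelling of each. The first sentence of the note ("to detect that a response is returned from the identity provider that an auth code has been returned") repeats itself and could be cut to a single clause.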
