azuread/msal-auth-code-flow
.github/skills/msal-auth-code-flow/SKILL.md
Authorization Code Flow for web applications using MSAL.NET confidential client to sign in users and access APIs on their behalf
$ install --global
skillsauthnpx skillsauth add azuread/microsoft-authentication-library-for-dotnet msal-auth-code-flowInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 5:36 PM37.1s1 file scanned
SKILL.md
- name:
- msal-auth-code-flow
- description:
- Authorization Code Flow for web applications using MSAL.NET confidential client to sign in users and access APIs on their behalf
Authorization Code Flow Skill
Overview
Authorization Code Flow is used by web applications to authenticate users and obtain access tokens on their behalf.
When to Use
- Web applications with server-side backend
- Need to access user-scoped APIs
- User sign-in required
- Refresh tokens needed
Flow Steps
- Redirect user to AAD login page
- User logs in and consents to permissions
- AAD returns authorization code to callback URL
- Server exchanges code for token using confidential credentials
- Token cached and used to access APIs
Agent Actions
Generate Code Snippet
Agent can show code snippets for each credential type:
- Standard Certificate: with-certificate.cs
- Certificate with SNI: with-certificate-sni.cs
- Federated Identity Credentials: with-federated-identity-credentials.cs
Setup Guidance
Reference appropriate credential setup:
- Certificate Setup
- Certificate with SNI
- Federated Identity Credentials
Example: Web Application with Certificate
// In controller's callback method
[HttpGet("auth/callback")]
public async Task HandleCallback(string code, string state)
{
// See: with-certificate.cs for credential setup
var app = ConfidentialClientApplicationBuilder
.Create(clientId)
.WithCertificate(cert)
.WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
.WithRedirectUri("https://myapp.com/auth/callback")
.Build();
var result = await app.AcquireTokenByAuthorizationCode(
new[] { "scope-uri" },
code)
.ExecuteAsync();
// Result contains AccessToken, RefreshToken, ExpiresOn
}
Error Resolution
Refer to Troubleshooting Guide
Best Practices
- Use Token Caching Strategies for optimal token acquisition
- Implement Error Handling Patterns
- Store refresh tokens securely
- Use PKCE for native clients
- For advanced caching options including distributed caches for multi-instance deployments, see Token cache serialization documentation
Explain the Flow
- Initiation: Redirect to
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=...&redirect_uri=... - User Action: User logs in and grants consent
- Code Reception: AAD sends authorization code to redirect URI
- Token Exchange: Server uses code + client credentials to get token
- Token Usage: Token cached and used for API calls
Decision Help
Choose Auth Code Flow if:
- Building web application with server backend
- Need to access user resources with user consent
- Want to maintain long-lived sessions (using refresh tokens)
Avoid if:
- Building single-page app (use implicit/hybrid instead)
- Don't have secure backend for credentials
Related Skills
azuread/msal-client-credentials
tools
VerifiedTrustedCommunity
Client Credentials Flow for service-to-service (daemon) authentication in MSAL.NET without user involvement
1,493SKILL.mdUpdated Apr 16, 2026
openclaw/taskflow
tools
VerifiedTrustedCommunity
Use when work should span one or more detached tasks but still behave like one job with a single owner context. TaskFlow is the durable flow substrate under authoring layers like Lobster, ACPX, plugins, or plain code. Keep conditional logic in the caller; use TaskFlow for flow identity, child-task linkage, waiting state, revision-checked mutations, and user-facing emergence.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,764SKILL.mdUpdated Apr 10, 2026
steipete/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,588SKILL.mdUpdated Apr 13, 2026