What is the best way to start an external browser from C# in order to initiate e.g. the OAuth 2.0 authorization code flow?
For example, is the following secure enough:
System.Diagnostics.Process.Start(<some url>);
What then if a malicious person has registered his own tool instead of a browser, picking up the entered credentials?
Highly influenced by how Azure behaves when issuing the following command:
az login
I think it is acceptable to run System.Diagnostics.Process.Start(<some url>); when initiating an OAuth2 authorization code flow.
Looking at the source code for Azure CLI it turns out that the method PublicClientApplication.acquire_token_interactive is invoked. PublicClientApplication is from the MSAL library. Eventually the Python webbrowser.open is invoked, which simply evaluates to
p = subprocess.Popen(cmdline)
This is no better than Process.Start().
Also worth mentioning is that there is no connection between the popped-up browser window and the az login command prompt, in the sense that e.g. closing the browser window instead of doing the authorization will not make az login continue with an OAuth2 failure - the command prompt will simply hang.
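As an added example (not code from the question, the answer, Azure CLI or MSAL), here is the pattern the question asks about in C#: start the system browser with Process.Start, receive the redirect on a loopback HttpListener, and bind the request with PKCE and a state value so that whatever program handles the URL never sees anything it can replay. It also puts a timeout on the wait, so that closing the browser fails the flow instead of hanging as described for az login. The authorization endpoint, client id and scope are placeholders, and the loopback redirect URI is assumed to be registered at the authorization server.

```csharp
// Added example: system-browser authorization-code flow with PKCE and a loopback
// redirect listener. Endpoint, client id and scope below are placeholders.
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

public static class BrowserAuthCodeFlow
{
    // Placeholders: replace with the real provider values.
    const string AuthorizeEndpoint = "https://login.example.com/oauth2/v2.0/authorize";
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string Scope = "openid profile";

    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static string RandomToken(int byteCount)
    {
        var bytes = new byte[byteCount];
        RandomNumberGenerator.Fill(bytes);
        return Base64Url(bytes);
    }

    static int GetFreePort()
    {
        var l = new TcpListener(IPAddress.Loopback, 0);
        l.Start();
        int port = ((IPEndPoint)l.LocalEndpoint).Port;
        l.Stop();
        return port;
    }

    // Returns the authorization code plus the PKCE verifier needed for the token request.
    public static async Task<(string Code, string CodeVerifier)> GetAuthorizationCodeAsync(TimeSpan timeout)
    {
        // PKCE: the verifier never leaves this process; only its SHA-256 hash goes via the browser,
        // so a program that merely sees the URL cannot redeem the code it later observes.
        string codeVerifier = RandomToken(32);
        string codeChallenge;
        using (var sha = SHA256.Create())
            codeChallenge = Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));

        // state ties the redirect back to this request; a redirect with another state is rejected.
        string state = RandomToken(16);

        int port = GetFreePort();
        string redirectUri = $"http://127.0.0.1:{port}/";
        using var listener = new HttpListener();
        listener.Prefixes.Add(redirectUri);
        listener.Start();

        string url = AuthorizeEndpoint +
            "?response_type=code" +
            "&client_id=" + Uri.EscapeDataString(ClientId) +
            "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
            "&scope=" + Uri.EscapeDataString(Scope) +
            "&state=" + state +
            "&code_challenge=" + codeChallenge +
            "&code_challenge_method=S256";

        // UseShellExecute = true is needed on .NET Core / .NET 5+ to open a URL with the
        // default handler; Process.Start(string) alone throws there.
        Process.Start(new ProcessStartInfo(url) { UseShellExecute = true });

        // Wait for the redirect, but not forever: if the browser is closed, fail instead of hanging.
        Task<HttpListenerContext> contextTask = listener.GetContextAsync();
        Task finished = await Task.WhenAny(contextTask, Task.Delay(timeout));
        if (finished != contextTask)
            throw new TimeoutException("No redirect received from the browser before the timeout.");

        HttpListenerContext ctx = await contextTask;
        var query = ctx.Request.QueryString;
        string error = query["error"];
        string returnedState = query["state"];
        string code = query["code"];

        // Always answer the browser so the tab does not spin.
        byte[] body = Encoding.UTF8.GetBytes("You can close this window.");
        ctx.Response.ContentType = "text/plain";
        ctx.Response.ContentLength64 = body.Length;
        await ctx.Response.OutputStream.WriteAsync(body, 0, body.Length);
        ctx.Response.Close();

        if (error != null)
            throw new InvalidOperationException("Authorization server returned error: " + error);
        if (returnedState != state)
            throw new InvalidOperationException("state mismatch: redirect does not belong to this request.");
        if (string.IsNullOrEmpty(code))
            throw new InvalidOperationException("Redirect did not carry an authorization code.");

        return (code, codeVerifier);
    }

    public static async Task Main()
    {
        var (code, verifier) = await GetAuthorizationCodeAsync(TimeSpan.FromMinutes(2));
        // Next step (not shown): POST code + verifier to the token endpoint over HTTPS.
        Console.WriteLine("Authorization code received; exchange it together with the code verifier.");
    }
}
```

With this shape the concern in the question is bounded: the user's credentials are typed into whatever the OS launched, never into this process, and the only thing that comes back is a short-lived code that is useless without the code verifier held in memory here. If the registered URL handler is not a real browser, the worst outcome is that the flow times out or fails the state check.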