This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

Right usage of confidential client flows

Jean-Marc Prieur edited this page Nov 1, 2018 · 7 revisions
  • Confidential client flows should only be used in middle-tier applications and DevOps tooling. Confidential clients hold application secrets, and as basic security hygiene the industry considers that device apps should not use confidential client flows. There are exceptions: some Kiosk-mode scenarios in WinRT or UWP require the client app to execute the client credentials grant. WinRT applications should only use the client credential APIs, not the ones that redeem an authorization code or pass in a user assertion.
  • Some APIs should only be used on desktop (.NET Framework or .NET Core):
    • the GetAuthorizationRequestUrl() API should not be used on WinRT, iOS, or Android. It exists only for headless applications (console-only, with no browser capability), and these platforms have browser capabilities.
  • The Device Profile API should only be used on desktop, .NET Core, and UWP.
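As an added illustration of the middle-tier usage the list above describes (not code from the ADAL.NET wiki or library), the following C# daemon acquires a token with the client credentials grant from ADAL.NET. The authority, client id, resource and certificate thumbprint are placeholders; the choice of a certificate credential loaded from the server's store, rather than a secret compiled into the binary, is this example's assumption.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Middle-tier daemon: the only kind of component that should hold a
// confidential client credential. All identifiers below are placeholders.
public static class DaemonTokenClient
{
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    private const string ClientId = "<daemon-app-client-id>";
    private const string Resource = "https://<downstream-api-app-id-uri>";
    private const string CertThumbprint = "<certificate-thumbprint>";

    public static async Task<string> GetAccessTokenAsync()
    {
        // The private key stays in the machine store; nothing secret is shipped in the binary,
        // which is exactly what a device app cannot guarantee.
        X509Certificate2 cert = LoadCertificate(CertThumbprint);

        var authContext = new AuthenticationContext(Authority);
        // ClientAssertionCertificate signs a JWT client assertion with the certificate's key.
        // This overload of AcquireTokenAsync is the client credentials grant (no user involved).
        var credential = new ClientAssertionCertificate(ClientId, cert);
        AuthenticationResult result = await authContext.AcquireTokenAsync(Resource, credential);
        return result.AccessToken;
    }

    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Daemon certificate not found in LocalMachine\\My.");
            return matches[0];
        }
    }
}
```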

ADAL.NET has exposed these APIs since version 3.0, even though they should not be used on some devices (Xamarin iOS, Xamarin Android, UWP).

In MSAL.NET the API surface is already cleaner, as we only expose each API on the platforms where it should be used. If/when we release a future major version of ADAL.NET (which would allow breaking changes to the public API), we will remove the APIs that should not be used. Meanwhile, we have marked these APIs with [Obsolete] attributes on the platforms where they should not be used, to give developers a chance to move to the right APIs and to cover any scenario we may have overlooked on Android and iOS devices.
