Merge branch 'main' into alvinashcraft/main-winappsdk-background-tasks

Author: alvinashcraft

hub/apps/develop/security/index.md

@@ -2,7 +2,7 @@
 title: Security and identity
 description: This article provides an index of development features that are related to security and identity scenarios in Windows apps.
 ms.topic: overview
-ms.date: 09/09/2024
+ms.date: 03/19/2025
 #customer intent: As a Windows developer, I want to learn to use security and identity features available to Windows apps so that I can build more secure apps.
 ---
 
@@ -16,7 +16,11 @@ Windows provides a wide variety of APIs related to security and identity scenari
 
 ### Windows App SDK APIs
 
-The [Windows App SDK](../../windows-app-sdk/index.md) currently does not provide APIs related to security and identity scenarios other than a few helper APIs in the [Microsoft.Windows.Security.AccessControl](/windows/windows-app-sdk/api/winrt/microsoft.windows.security.accesscontrol) namespace. These APIs are related to named object sharing between packaged apps and Win32 applications.
+The [Windows App SDK](../../windows-app-sdk/index.md) provides APIs related to OAuth 2.0 authorization flows. There are also a few helper APIs in the [Microsoft.Windows.Security.AccessControl](/windows/windows-app-sdk/api/winrt/microsoft.windows.security.accesscontrol) namespace. These APIs are related to named object sharing between packaged apps and Win32 applications.
+
+| Article | Description |
+|---------|-------------|
+| [Implement OAuth 2.0 functionality in Windows apps](oauth2.md) | The new OAuth2Manager in Windows App SDK enables desktop applications such as WinUI to seamlessly perform OAuth 2.0 authentication in Windows apps. This article describes how to implement OAuth 2.0 with the Windows App SDK. |
 
 ### WinRT APIs
 
@@ -57,6 +61,8 @@ The .NET SDK also provides APIs related to security and identity scenarios for W
 
 ## Other features
 
+The following articles provide information about features related to security and identity scenarios with passkeys for Windows apps.
+
 | Topic | Description |
 |---------|-------------|
 | [Intro to passkeys](./intro.md) | Passkeys are simpler, stronger, passwordless sign-ins. |

hub/apps/develop/security/oauth2.md

@@ -0,0 +1,318 @@
+---
+title: Implement OAuth 2.0 functionality in Windows apps
+description: Learn how to implement OAuth 2.0 functionality in Windows apps using the Windows App SDK's OAuth2Manager.
+ms.date: 03/19/2025
+ms.topic: concept-article
+keywords: windows, winui, winrt, dotnet, security
+#customer intent: As a Windows app developer, I want to learn how to implement OAuth 2.0 functionality in my app so that I can securely authenticate users and access protected resources.
+---
+
+# Implement OAuth 2.0 functionality in Windows apps
+
+The [OAuth2Manager](/windows/windows-app-sdk/api/winrt/microsoft.security.authentication.oauth.oauth2manager) in Windows App SDK enables desktop applications such as WinUI 3 to seamlessly perform OAuth 2.0 authorization on Windows. **OAuth2Manager** API intentionally doesn't provide APIs for the implicit request and resource owner password credential because of the security concerns that entails. It's recommended to use the authorization code grant type using Proof Key for Code Exchange (PKCE). For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636).
+
+## OAuth background
+
+The Windows Runtime (WinRT) [WebAuthenticationBroker](/uwp/api/windows.security.authentication.web.webauthenticationbroker), primarily designed for UWP apps, presents several challenges when used in desktop apps. Key issues include the dependency on [ApplicationView](/uwp/api/windows.ui.viewmanagement.applicationview), which isn't compatible with desktop app frameworks. As a result, developers are forced to resort to workarounds involving interop interfaces and additional code to implement OAuth 2.0 functionality into WinUI 3 and other desktop apps.
+
+## OAuth2Manager API in Windows App SDK
+
+The **OAuth2Manager** API for Windows App SDK aims to provide a streamlined solution that meets the expectations of developers. It offers seamless OAuth 2.0 capabilities with full feature parity across all Windows platforms supported by Windows App SDK. The new API eliminates the need for cumbersome workarounds and simplifies the process of incorporating OAuth 2.0 functionality into desktop apps.
+
+The **OAuth2Manager** is different than the **WebAuthenticationBroker** in WinRT. It follows OAuth 2.0 best practices more closely - e.g. using the user's default browser. The best practices for the API are taken from the IETF (Internet Engineering Task Force) OAuth 2.0 Authorization Framework [RFC 6749](https://tools.ietf.org/html/rfc6749), PKCE [RFC 7636](https://tools.ietf.org/html/rfc7636), and OAuth 2.0 for Native Apps [RFC 8252](https://tools.ietf.org/html/rfc8252).
+
+## Perform OAuth 2.0 examples
+
+A full WinUI 3 sample app is available on [GitHub](https://github.com/microsoft/WindowsAppSDK-Samples/tree/release/experimental/Samples/OAuth2Manager). The following sections provide code snippets for the most common OAuth 2.0 flows using the **OAuth2Manager** API.
+
+### Authorization code request
+
+The following example demonstrates how to perform an authorization code request using the **OAuth2Manager** in Windows App SDK:
+
+# [C++](#tab/cpp)
+
+```cpp
+// Get the WindowId for the application window
+Microsoft::UI::WindowId parentWindowId = this->AppWindow().Id();
+
+AuthRequestParams authRequestParams = AuthRequestParams::CreateForAuthorizationCodeRequest(L"my_client_id",
+   Uri(L"my-app:/oauth-callback/"));
+authRequestParams.Scope(L"user:email user:birthday");
+
+AuthRequestResult authRequestResult = co_await OAuth2Manager::RequestAuthWithParamsAsync(parentWindowId, 
+   Uri(L"https://my.server.com/oauth/authorize"), authRequestParams);
+if (AuthResponse authResponse = authRequestResult.Response())
+{
+   //To obtain the authorization code
+   //authResponse.Code();
+
+   //To obtain the access token
+   DoTokenExchange(authResponse);
+}
+else
+{
+   AuthFailure authFailure = authRequestResult.Failure();
+   NotifyFailure(authFailure.Error(), authFailure.ErrorDescription());
+}
+```
+
+# [C#](#tab/csharp)
+
+```csharp
+// Get the WindowId for the application window
+Microsoft.UI.WindowId parentWindowId = this.AppWindow.Id;
+
+AuthRequestParams authRequestParams = AuthRequestParams.CreateForAuthorizationCodeRequest("my_client_id",
+   new Uri("my-app:/oauth-callback/"));
+authRequestParams.Scope = "user:email user:birthday";
+
+AuthRequestResult authRequestResult = await OAuth2Manager.RequestAuthWithParamsAsync(parentWindowId, 
+   new Uri("https://my.server.com/oauth/authorize"), authRequestParams);
+
+if (AuthResponse authResponse == authRequestResult.Response)
+{
+   //To obtain the authorization code
+   //authResponse.Code;
+
+   //To obtain the access token
+   DoTokenExchange(authResponse);
+}
+else
+{
+   AuthFailure authFailure = authRequestResult.Failure;
+   NotifyFailure(authFailure.Error, authFailure.ErrorDescription);
+}
+```
+
+---
+
+### Exchange authorization code for access token
+
+The following example demonstrates how to exchange an authorization code for an access token using the **OAuth2Manager**:
+
+# [C++](#tab/cpp)
+
+```cpp
+AuthResponse authResponse = authRequestResult.Response();
+TokenRequestParams tokenRequestParams = TokenRequestParams::CreateForAuthorizationCodeRequest(authResponse);
+ClientAuthentication clientAuth = ClientAuthentication::CreateForBasicAuthorization(L"my_client_id",
+    L"my_client_secret");
+
+TokenRequestResult tokenRequestResult = co_await OAuth2Manager::RequestTokenAsync(
+    Uri(L"https://my.server.com/oauth/token"), tokenRequestParams, clientAuth);
+if (TokenResponse tokenResponse = tokenRequestResult.Response())
+{
+    String accessToken = tokenResponse.AccessToken();
+    String tokenType = tokenResponse.TokenType();
+
+    // RefreshToken string null/empty when not present
+    if (String refreshToken = tokenResponse.RefreshToken(); !refreshToken.empty())
+    {
+        // ExpiresIn is zero when not present
+        DateTime expires = winrt::clock::now();
+        if (String expiresIn = tokenResponse.ExpiresIn(); std::stoi(expiresIn) != 0)
+        {
+            expires += std::chrono::seconds(static_cast<int64_t>(std::stoi(expiresIn)));
+        }
+        else
+        {
+            // Assume a duration of one hour
+            expires += std::chrono::hours(1);
+        }
+
+        //Schedule a refresh of the access token
+        myAppState.ScheduleRefreshAt(expires, refreshToken);
+    }
+
+    // Use the access token for resources
+    DoRequestWithToken(accessToken, tokenType);
+}
+else
+{
+    TokenFailure tokenFailure = tokenRequestResult.Failure();
+    NotifyFailure(tokenFailure.Error(), tokenFailure.ErrorDescription());
+}
+```
+
+# [C#](#tab/csharp)
+
+```csharp
+AuthResponse authResponse = authRequestResult.Response;
+TokenRequestParams tokenRequestParams = TokenRequestParams.CreateForAuthorizationCodeRequest(authResponse);
+ClientAuthentication clientAuth = ClientAuthentication.CreateForBasicAuthorization("my_client_id",
+    "my_client_secret");
+
+TokenRequestResult tokenRequestResult = await OAuth2Manager.RequestTokenAsync(
+    new Uri("https://my.server.com/oauth/token"), tokenRequestParams, clientAuth);
+
+if (TokenResponse tokenResponse == tokenRequestResult.Response)
+{
+    string accessToken = tokenResponse.AccessToken;
+    string tokenType = tokenResponse.TokenType;
+
+    // RefreshToken string null/empty when not present
+    if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
+    {
+        // ExpiresIn is zero when not present
+        DateTime expires = DateTime.Now;
+        if (tokenResponse.ExpiresIn != 0)
+        {
+            expires += TimeSpan.FromSeconds(tokenResponse.ExpiresIn);
+        }
+        else
+        {
+            // Assume a duration of one hour
+            expires += TimeSpan.FromHours(1);
+        }
+
+        //Schedule a refresh of the access token
+        myAppState.ScheduleRefreshAt(expires, tokenResponse.RefreshToken);
+    }
+
+    // Use the access token for resources
+    DoRequestWithToken(accessToken, tokenType);
+}
+else
+{
+    TokenFailure tokenFailure = tokenRequestResult.Failure;
+    NotifyFailure(tokenFailure.Error, tokenFailure.ErrorDescription);
+}
+```
+
+---
+
+### Refresh an access token
+
+The following example shows how to refresh an access token using the **OAuth2Manager**'s [RefreshTokenAsync](/windows/windows-app-sdk/api/winrt/microsoft.security.authentication.oauth.oauth2manager.requesttokenasync) method:
+
+# [C++](#tab/cpp)
+
+```cpp
+TokenRequestParams tokenRequestParams = TokenRequestParams::CreateForRefreshToken(refreshToken);
+ClientAuthentication clientAuth = ClientAuthentication::CreateForBasicAuthorization(L"my_client_id",
+    L"my_client_secret");
+TokenRequestResult tokenRequestResult = co_await OAuth2Manager::RequestTokenAsync(
+    Uri(L"https://my.server.com/oauth/token"), tokenRequestParams, clientAuth));
+if (TokenResponse tokenResponse = tokenRequestResult.Response())
+{
+    UpdateToken(tokenResponse.AccessToken(), tokenResponse.TokenType(), tokenResponse.ExpiresIn());
+
+    //Store new refresh token if present
+    if (String refreshToken = tokenResponse.RefreshToken(); !refreshToken.empty())
+    {
+        // ExpiresIn is zero when not present
+        DateTime expires = winrt::clock::now();
+        if (String expiresInStr = tokenResponse.ExpiresIn(); !expiresInStr.empty())
+        {
+            int expiresIn = std::stoi(expiresInStr);
+            if (expiresIn != 0)
+            {
+                expires += std::chrono::seconds(static_cast<int64_t>(expiresIn));
+            }
+        }
+        else
+        {
+            // Assume a duration of one hour
+            expires += std::chrono::hours(1);
+        }
+
+        //Schedule a refresh of the access token
+        myAppState.ScheduleRefreshAt(expires, refreshToken);
+    }
+}
+else
+{
+    TokenFailure tokenFailure = tokenRequestResult.Failure();
+    NotifyFailure(tokenFailure.Error(), tokenFailure.ErrorDescription());
+}
+```
+
+# [C#](#tab/csharp)
+
+```csharp
+TokenRequestParams tokenRequestParams = TokenRequestParams.CreateForRefreshToken(refreshToken);
+ClientAuthentication clientAuth = ClientAuthentication.CreateForBasicAuthorization("my_client_id",
+    "my_client_secret");
+TokenRequestResult tokenRequestResult = await OAuth2Manager.RequestTokenAsync(
+    new Uri("https://my.server.com/oauth/token"), tokenRequestParams, clientAuth);
+if (TokenResponse tokenResponse == tokenRequestResult.Response)
+{
+    UpdateToken(tokenResponse.AccessToken, tokenResponse.TokenType, tokenResponse.ExpiresIn);
+
+    //Store new refresh token if present
+    if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
+    {
+        // ExpiresIn is zero when not present
+        DateTime expires = DateTime.Now;
+        if (tokenResponse.ExpiresIn != 0)
+        {
+            expires += TimeSpan.FromSeconds(tokenResponse.ExpiresIn);
+        }
+        else
+        {
+            // Assume a duration of one hour
+            expires += TimeSpan.FromHours(1);
+        }
+
+        //Schedule a refresh of the access token
+        myAppState.ScheduleRefreshAt(expires, tokenResponse.RefreshToken);
+    }
+}
+else
+{
+    TokenFailure tokenFailure = tokenRequestResult.Failure;
+    NotifyFailure(tokenFailure.Error, tokenFailure.ErrorDescription);
+}
+```
+
+---
+
+### Complete an authorization request
+
+Finally, to complete an authorization request from a protocol activation, your app should handle the [AppInstance.Activated](/windows/windows-app-sdk/api/winrt/microsoft.windows.applifecycle.appinstance.activated) event. This is required when having custom redirect logic. A full example is available on [GitHub](https://github.com/microsoft/WindowsAppSDK-Samples/tree/release/experimental/Samples/OAuth2Manager).
+
+Use the following code:
+
+# [C++](#tab/cpp)
+
+```cpp
+void App::OnActivated(const IActivatedEventArgs& args)
+{
+    if (args.Kind() == ActivationKind::Protocol)
+    {
+        auto protocolArgs = args.as<ProtocolActivatedEventArgs>();
+        if (OAuth2Manager::CompleteAuthRequest(protocolArgs.Uri()))
+        {
+            TerminateCurrentProcess();
+        }
+
+        DisplayUnhandledMessageToUser();
+    }
+}
+```
+
+# [C#](#tab/csharp)
+
+```csharp
+protected override void OnActivated(IActivatedEventArgs args)
+{
+    if (args.Kind == ActivationKind.Protocol)
+    {
+        ProtocolActivatedEventArgs protocolArgs = args as ProtocolActivatedEventArgs;
+        if (OAuth2Manager.CompleteAuthRequest(protocolArgs.Uri))
+        {
+            TerminateCurrentProcess();
+        }
+
+        DisplayUnhandledMessageToUser();
+    }
+}
+```
+
+---
+
+## Related content
+
+- [WebAuthenticationBroker](/uwp/api/windows.security.authentication.web.webauthenticationbroker)
+- [OAuth2Manager](/windows/windows-app-sdk/api/winrt/microsoft.security.authentication.oauth.oauth2manager)
+- [PKCE RFC 7636](https://tools.ietf.org/html/rfc7636)

hub/apps/toc.yml

@@ -272,6 +272,8 @@ items:
               href: develop/security/credential-locker.md
             - name: Fingerprint biometrics
               href: develop/security/fingerprint-biometrics.md
+            - name: Implement OAuth 2.0 functionality
+              href: develop/security/oauth2.md
             - name: Share certificates between apps
               href: develop/security/share-certificates.md
             - name: Smart cards

hub/apps/windows-app-sdk/migrate-to-windows-app-sdk/api-mapping-table.md

@@ -32,7 +32,7 @@ There are differences in the names of namespaces and classes (including UI contr
 | (**Windows.ApplicationModel.Resources.Core**) [**ResourceQualifierObservableMap.MapChanged**](/uwp/api/windows.applicationmodel.resources.core.resourcequalifierobservablemap.mapchanged) event | Detect environment changes for yourself. See [Resource qualifier value change](guides/mrtcore.md#resource-qualifier-value-change). |
 | (**Windows.Graphics.Printing**) [**PrintManager**](/uwp/api/windows.graphics.printing.printmanager) class | Not supported in Windows App SDK 1.0. |
 | (**Windows.Media.Capture**) [**CameraCaptureUI**](/uwp/api/windows.media.capture.cameracaptureui) class | Not supported in Windows App SDK 1.0. |
-| (**Windows.Security.Authentication.Web**) [**WebAuthenticationBroker**](/uwp/api/windows.security.authentication.web.webauthenticationbroker) class | Not supported in Windows App SDK 1.0. |
+| (**Windows.Security.Authentication.Web**) [**WebAuthenticationBroker**](/uwp/api/windows.security.authentication.web.webauthenticationbroker) class | (**Microsoft.Security.Authentication.OAuth**) [OAuth2Manager](/windows/windows-app-sdk/api/winrt/microsoft.security.authentication.oauth.oauth2manager) class (supported in Windows App SDK 1.7 and later). See [Implement OAuth functionality in Windows apps](/windows/apps/develop/security/oauth2) for more information on using **OAuth2Manager** and related APIs for performing OAuth 2.0 authentication. See [GitHub](https://github.com/microsoft/WindowsAppSDK-Samples/tree/release/experimental/Samples/OAuth2Manager) for a full sample application. |
 | (**Windows.Storage.Pickers**) [**FileOpenPicker**](/uwp/api/windows.storage.pickers.fileopenpicker), [**FileSavePicker**](/uwp/api/windows.storage.pickers.filesavepicker), and [**FolderPicker**](/uwp/api/windows.storage.pickers.folderpicker) classes | Supported, but you must use the [**IInitializeWithWindow**](/windows/win32/api/shobjidl_core/nn-shobjidl_core-iinitializewithwindow) interface. See [MessageDialog, and Pickers](guides/winui3.md#messagedialog-and-pickers). |
 | (**Windows.System.Display**) [**DisplayRequest**](/uwp/api/windows.system.display.displayrequest) class | Not supported in Windows App SDK 1.0. |
 | [**Windows.UI.Composition**](/uwp/api/windows.ui.composition) namespace | [**Microsoft.UI.Composition**](/windows/windows-app-sdk/api/winrt/microsoft.ui.composition) namespace |

hub/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table.md

@@ -25,6 +25,7 @@ This topic compares major feature areas in the different forms in which they app
 | Resources | MRT | MRTCore | For more info, see [MRT to MRTCore migration](guides/mrtcore.md). |
 | .NET Runtime | .NET Native / C# 7 | .NET 6+/C# 9 | The Windows App SDK provides access to the modern .NET runtime, and access to new language features. However, .NET [ReadyToRun compilation](/dotnet/core/deploying/ready-to-run) is not the same as .NET Native, so you should evaluate performance tradeoffs. |
 | 2D Graphics | Win2D | Win2D for WinUI 3 | We're currently working on a version of Win2D that works with the Windows App SDK, in progress. See the [documentation](https://microsoft.github.io/Win2D/WinUI3/html/Introduction.htm) for more information. |
+| Web authentication | WebAuthenticationBroker | OAuth2Manager | The Windows App SDK provides a new API for OAuth 2.0 functionality. See [Implement OAuth functionality in Windows apps](../../develop/security/oauth2.md) for more information. |
 | Windows Runtime components | Windows Runtime component project templates for UWP |-  C++: Use the **Windows Runtime Component (WinUI 3)** project template. <br> - C#: Use C#/WinRT to author Windows Runtime Components in a .NET Class Library. | We're currently working on support to [Author Windows Runtime Components using C#/WinRT](../../develop/platform/csharp-winrt/authoring.md) for use in the Windows App SDK and WinUI 3. |
 
 ## See Also