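/// <summary>
/// Discovers the tenant authority and resource identifier of the expense service by
/// provoking a 401 challenge, checks that the advertised resource is bound to the host the
/// service is actually reached at, and then builds the <see cref="AuthenticationContext"/>.
/// </summary>
/// <remarks>
/// Any discovery failure is reported through a message box and swallowed, so after
/// construction <c>_authenticationContext</c> and <c>_resourceAppIdUri</c> may still be
/// unset; callers should check before use.
/// </remarks>
public AdalServiceAuthorizer()
{
    try
    {
        // Send a request to the RP; the 401 challenge carries the tenant authority and the resource id.
        AuthenticationParameters parameters = AuthenticationParameters.CreateFromResourceUrl(
            new Uri(_resourceBaseAddress + "ExpenseService.svc"));
        _authority = parameters.Authority;

        // The 401 challenge is controlled by whoever answers at the RP address, so the resource id it
        // advertises is verified out of band against the physical address we connect to. A plain substring
        // match also accepts identifiers that merely contain the host name somewhere; parse the id as a
        // URI and compare the host component exactly instead.
        if (!IsBoundToResourceHost(parameters.Resource))
        {
            throw new InvalidOperationException(string.Format(
                "The resource obtained in 401 challenge, {0}, is not bound to the resource's physical address, {1}",
                parameters.Resource, this._resourceBaseAddress));
        }
        _resourceAppIdUri = parameters.Resource;

        // This overload validates the authority endpoint received in the 401 challenge by default; keep
        // that on. CredManCache is a custom token cache backed by Windows Credential Manager.
        // NOTE: ADFS authorities cannot be validated this way and must be validated out of band; that
        // requires the overload that takes a validateAuthority flag (passed as false), not this one.
        _authenticationContext = new AuthenticationContext(_authority, new CredManCache());
    }
    catch (Exception e)
    {
        // MessageBox.Show(text, caption): the exception detail belongs in the body, the summary in the title.
        MessageBox.Show(e.Message, "401 discovery failed");
    }
}

/// <summary>
/// Returns <c>true</c> when <paramref name="resource"/> is an absolute URI whose host equals the
/// host of <c>_resourceBaseAddress</c>. Host names are compared case-insensitively; a null,
/// empty or non-URI resource id is rejected.
/// </summary>
/// <param name="resource">Resource identifier advertised in the 401 challenge.</param>
private bool IsBoundToResourceHost(string resource)
{
    Uri resourceUri;
    return Uri.TryCreate(resource, UriKind.Absolute, out resourceUri)
        && string.Equals(resourceUri.Host, this._resourceBaseAddress.Host, StringComparison.OrdinalIgnoreCase);
}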