From b809226c5b2ef71353e1641d350891698c434049 Mon Sep 17 00:00:00 2001
From: Ugonna Akali <akaliugonna@microsoft.com>
Date: Thu, 9 Oct 2025 12:52:48 -0700
Subject: [PATCH 1/2] deprecate ROPC flow

---
 .../com/microsoft/aad/msal4j/IPublicClientApplication.java  | 6 +++++-
 .../com/microsoft/aad/msal4j/PublicClientApplication.java   | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IPublicClientApplication.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IPublicClientApplication.java
index b6a15173..1c65dd80 100644
--- a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IPublicClientApplication.java
+++ b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IPublicClientApplication.java
@@ -14,11 +14,15 @@
 public interface IPublicClientApplication extends IClientApplicationBase {
 
     /**
-     * Acquires tokens from the authority configured in the application via Username/Password authentication.
+     * Acquires tokens from the authority configured in the application via Username/Password authentication.<br>
+     * <p><b>Deprecated:</b> This API has been deprecated and will be removed in a future release. Use a more secure flow instead.<br>
+     * See <a href="https://aka.ms/msalnet-ropc-migration">https://aka.ms/msalnet-ropc-migration</a> for migration guidance.
      *
      * @param parameters instance of {@link UserNamePasswordParameters}
      * @return {@link CompletableFuture} containing an {@link IAuthenticationResult}
+     * @deprecated This API not a secure flow and will be removed in a future release.
      */
+    @Deprecated
     CompletableFuture<IAuthenticationResult> acquireToken(UserNamePasswordParameters parameters);
 
     /**
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/PublicClientApplication.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/PublicClientApplication.java
index 99a80d32..1200841c 100644
--- a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/PublicClientApplication.java
+++ b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/PublicClientApplication.java
@@ -24,6 +24,7 @@ public class PublicClientApplication extends AbstractClientApplicationBase imple
     private boolean brokerEnabled;
 
     @Override
+    @Deprecated
     public CompletableFuture<IAuthenticationResult> acquireToken(UserNamePasswordParameters parameters) {
 
         validateNotNull("parameters", parameters);

From 7c675a3ead5c0531c227b52ae73adf4298d6b492 Mon Sep 17 00:00:00 2001
From: Ugonna Akali <akaliugonna@microsoft.com>
Date: Fri, 10 Oct 2025 10:19:31 -0700
Subject: [PATCH 2/2] add additional deprecation comments

---
 .../com/microsoft/aad/msal4j/IPublicClientApplication.java   | 2 +-
 .../com/microsoft/aad/msal4j/UserNamePasswordParameters.java | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IPublicClientApplication.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IPublicClientApplication.java
index 1c65dd80..668b6f45 100644
--- a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IPublicClientApplication.java
+++ b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IPublicClientApplication.java
@@ -16,7 +16,7 @@ public interface IPublicClientApplication extends IClientApplicationBase {
     /**
      * Acquires tokens from the authority configured in the application via Username/Password authentication.<br>
      * <p><b>Deprecated:</b> This API has been deprecated and will be removed in a future release. Use a more secure flow instead.<br>
-     * See <a href="https://aka.ms/msalnet-ropc-migration">https://aka.ms/msalnet-ropc-migration</a> for migration guidance.
+     * See <a href="https://aka.ms/msal-ropc-migration">https://aka.ms/msal-ropc-migration</a> for migration guidance.
      *
      * @param parameters instance of {@link UserNamePasswordParameters}
      * @return {@link CompletableFuture} containing an {@link IAuthenticationResult}
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/UserNamePasswordParameters.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/UserNamePasswordParameters.java
index 12c7b335..d8a3a2d8 100644
--- a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/UserNamePasswordParameters.java
+++ b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/UserNamePasswordParameters.java
@@ -13,8 +13,13 @@
  * Object containing parameters for Username/Password flow. Can be used as parameter to
  * {@link PublicClientApplication#acquireToken(UserNamePasswordParameters)}
  * <p>
+ * <p><b>Deprecated:</b> This class supports the Resource Owner Password Credentials (ROPC) flow,
+ * which is insecure and will be removed in a future release.</p>
+ *
+ * <p>See <a href="https://aka.ms/msal-ropc-migration">https://aka.ms/msal-ropc-migration</a> for migration guidance.</p>
  * For more details, see https://aka.ms/msal4j-username-password
  */
+@Deprecated
 public class UserNamePasswordParameters implements IAcquireTokenParameters {
 
     private Set<String> scopes;