Expiring AzureAD Client secret with implicit and hybrid flow

Saravanakumar Balachandran 45 Reputation points
2023-09-20T21:21:55.56+00:00

Our AzureAD Client secret is going to expire soon and we already created a new client secret but have not deleted the expiring one yet. It is used to authenticate our .Net core Web application.

We store ClientId, TenantId, domain etc. in appsettings.json and authenticate using OpenIdConnectDefaults.AuthenticationScheme with the Microsoft identity platform (i.e. using the .AddMicrosoftIdentityWebApp AzureAD configuration binding). We currently do not hardcode or specify the ClientSecret in our application, nor use any Key Vault storage.

This is the screenshot of our Azure AD authentication set up which uses ID tokens (Implicit and hybrid flows option). It also does not allow public client flow.


If we delete the expiring secret now or let it expire next week, do we need to make any change in the application, or does the ID tokens (implicit and hybrid flow) option even require a client secret? Kindly appreciate your response.


Accepted answer
  Konstantinos Passadis 19,591 Reputation points MVP
    2023-09-20T23:41:41.27+00:00

    Hello

    As I can see, you are using the Implicit and Hybrid flows for authentication. Neither the Implicit nor the Hybrid flow requires a client secret when you're just using them for authentication (i.e., getting an ID token). They are designed to work for public clients where the application can't safely store a client secret, such as Single Page Applications (SPAs) running in a browser.

    If your application is not using the client secret (and it's not hardcoded anywhere, nor stored in configurations or app settings), and you are solely relying on Implicit or Hybrid flows for authentication, then you should not experience any issues when the client secret expires or if you delete it.

    To learn who the user is before redeeming an authorization code, it's common for applications to also request an ID token when they request the authorization code. This approach is called the hybrid flow because it mixes OIDC with the OAuth2 authorization code flow.

    The hybrid flow is commonly used in web apps to render a page for a user without blocking on code redemption, notably in ASP.NET. Both single-page apps and traditional web apps benefit from reduced latency in this model.

    The hybrid flow is the same as the authorization code flow described earlier but with three additions. All of these additions are required to request an ID token: new scopes, a new response_type, and a new nonce query parameter.


    Links:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow


    I hope this helps!

    Kindly mark the answer as Accepted and upvote or post your feedback to provide additional help!

    Regards!

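The distinction the accepted answer draws, shown as an added example that is not from the Q&A post, from Microsoft, or from the asker's application: in the hybrid flow the ID token comes back on the front channel and the relying party only has to validate its claims (issuer, audience, expiry and the per-login nonce), so sign-in keeps working after the secret expires; the back-channel redemption of the authorization code is the step that presents the client secret. The tenant id, client id, redirect URI and the sample ID token are constructed placeholders, and signature verification (RS256 against the tenant's signing keys) is assumed to be done by the OIDC middleware, as it is in Microsoft.Identity.Web, rather than re-implemented here.

```python
"""Added example: which parts of the Microsoft Entra ID hybrid flow involve
the client secret.  All identifiers and the sample token are constructed."""
import base64
import json
import secrets
import time
from urllib.parse import urlencode

AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def new_nonce() -> str:
    """Fresh random nonce per login attempt; store it in the session first."""
    return secrets.token_urlsafe(32)


def build_hybrid_authorize_url(tenant, client_id, redirect_uri, nonce, state):
    """Front-channel request asking for an authorization code AND an ID token.
    No client secret appears here: the ID token is returned directly, so
    sign-in alone does not depend on the secret being valid."""
    params = {
        "client_id": client_id,
        "response_type": "code id_token",  # the three hybrid-flow additions:
        "scope": "openid profile",         # openid scope ...
        "nonce": nonce,                    # ... and the nonce parameter
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "state": state,                    # binds the redirect to this session
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)


def build_code_redemption(tenant, client_id, code, redirect_uri, client_secret):
    """Back-channel request that trades the code for access/refresh tokens.
    This is the step that needs a valid client secret (or certificate); with
    an expired secret it fails even though the sign-in above succeeded."""
    if not client_secret:
        raise ValueError("code redemption requires a client credential")
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_secret": client_secret,
    }
    return TOKEN_URL.format(tenant=tenant), body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_id_token_claims(id_token, expected_nonce, client_id, tenant, now=None):
    """Claim checks the relying party must enforce on an ID token.  The
    signature is assumed to have been verified by the OIDC middleware
    (RS256 against the tenant's published keys) before this runs."""
    now = int(time.time()) if now is None else now
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    if payload.get("iss") != f"https://login.microsoftonline.com/{tenant}/v2.0":
        return False, "issuer mismatch"
    if payload.get("aud") != client_id:
        return False, "audience mismatch"
    if int(payload.get("exp", 0)) <= now:
        return False, "token expired"
    # Constant-time compare: a nonce that does not match the session value
    # means the token was not minted for this login (replay or injection).
    if not secrets.compare_digest(str(payload.get("nonce", "")), expected_nonce):
        return False, "nonce mismatch"
    return True, payload.get("preferred_username", "")


def make_sample_id_token(claims: dict) -> str:
    """Constructed demo token: real header/payload, placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.SIGNATURE-PLACEHOLDER"


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"   # constructed
    client_id = "11111111-1111-1111-1111-111111111111"  # constructed
    nonce = new_nonce()
    print(build_hybrid_authorize_url(tenant, client_id,
                                     "https://localhost:5001/signin-oidc", nonce, "s1"))
    token = make_sample_id_token({
        "iss": f"https://login.microsoftonline.com/{tenant}/v2.0", "aud": client_id,
        "exp": int(time.time()) + 300, "nonce": nonce, "preferred_username": "user@example.com"})
    print(validate_id_token_claims(token, nonce, client_id, tenant))
```

The practical caveat for the asker's setup: as long as the app only signs users in, the secret is never sent; if it is later extended to redeem the code for access tokens (for example with Microsoft.Identity.Web's EnableTokenAcquisitionToCallDownstreamApi), the redemption request needs a current secret or certificate, and the expired one should be removed from the app registration regardless.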
