Create client credential for Azure AD's App registration

john john 941 Reputation points
2023-02-03T15:04:51.97+00:00

I created a new ASP.NET Core MVC 6.0 web application >> and i define it to use Azure AD for authentication, as follow:-

enter image description here

enter image description here

then i were asked to create owned application, so i created one named "ad" as follow:-

enter image description here

enter image description here

and inside my application's appsetting i got these settings:-

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "*****",
    "TenantId": "***",
    "ClientId": "***",
    "CallbackPath": "/signin-oidc"
  },

so seems visual studio did all the work for us. but when i accessed the "ad" application inside Azure >> i got that this application does not have any client credentials, so is this fine, as follow:-

enter image description here

Second question, if i want to define credentials, seems i have 2 options; create a client secret or certificate. so what are the differences between them? and if we add a client credentials then do we need to update our asp.net application accordingly ?

Thanks

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,162 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,465 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Shweta Mathur 27,456 Reputation points Microsoft Employee
    2023-02-06T16:05:59.02+00:00

    Hi @john john ,

    Thanks for reaching out and apologies in delay in response.

    These are the basic configuration require to run the webapp to integrate with Azure AD and to authenticate the users in Azure AD.

    There are OAuth2 flows which do not require client secret to authenticate the users and for those flows above configuration will work.

    However, Visual studio also provide the screen to configure the client secret as below :

    User's image

    which will automatically add the secret in the portal.

    You can use both client secret and client certificate to make request securely. However, a client certificate provides stronger security compared to a client secret in certain use cases because:

    1. Identity verification: A client certificate can be used to verify the identity of the client, making it more secure compared to a secret that can be easily leaked or compromised.
    2. Cryptographic strength: Client certificates are typically issued by a trusted certificate authority and are signed using a strong cryptographic algorithm, making it more secure compared to a simple secret that can be easily guessed or stolen.
    3. Non-repudiation: Client certificates can be used to provide non-repudiation, i.e., the client cannot deny having made a particular request, making it more secure compared to a secret that can be easily shared or compromised.

    However, client certificates can be more complex to implement and require additional infrastructure compared to a simple secret, so the choice between the two depends on the specific use case and security requirements.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

    0 comments
  2. Bruce (SqlWork.com) 55,686 Reputation points
    2023-02-06T16:27:16.8866667+00:00

    if the app just wants to authenticate the user, or just use the users access token, then the app does not need any credentials. but if the app want to make any api calls as itself, then it needs to prove who it is. you can use a secret, which is like a password or use a certificate. you will then update the application code to use the secret or certificate when it calls azure ad to get a an access token for the desired api.

    common case where the app needs its own credentials is using services like a database, or azure key vault, etc.

    0 comments