The Active Directory App created using visual studio does not have any "Certificate & Secrets".. is this fine?

john john 946 Reputation points
2023-02-04T18:13:06.6466667+00:00

I created a new ASP.NET Core MVC 6.0 web application >> and i define it to use Azure AD for authentication, as follow:-

enter image description here

enter image description here

then i were asked to create owned application, so i created one named "ad" as follow:-

enter image description here

enter image description here

and inside my application's appsetting i got these settings:-

    {
      "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "*****",
        "TenantId": "***",
        "ClientId": "***",
        "CallbackPath": "/signin-oidc"
      },

so seems visual studio did all the work for us.

But when i checked the "Certificate & Secrets" insdie Azure portal, i found that there is not anything assigned:-

enter image description here

So for the purpose to authenticate users inside my asp.net core mvc web application, do we need to add "Certificate" or "Secrets"?

Thanks

Microsoft Identity Manager
Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
617 questions
ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,196 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,586 questions
Accepted answer
  1. Shweta Mathur 27,786 Reputation points Microsoft Employee
    2023-02-07T06:10:01.6366667+00:00

    Hi @john john ,

    Thanks for reaching out and apologies for delay in response.

    Client secret (application secret) or certificate is required to authenticate the application. The application needs a client secret to prove its identity when requesting a token.

    The recommended approach is to create and upload the self signed certificate which is more secure compared to a secret that can be easily leaked or compromised.

    However, you can store the secret in Azure key vault to make it secure.

    Reference to use two types of authentication : https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#set-up-authentication

    Visual studio also provides a way to set up client secret automatically as well like other values in the portal as below:

    User's image

    Based on the case requirement, you can choose client secret or client certificate. If you only want to authenticate the user, then secret is not required in OAuth2 flows like Resource Owner Password credentials (ROPC) and Implicit Grant flow.

    If you have any other questions, please let us know.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest