Hi @john john,
Thanks for reaching out, and apologies for the delay in response.
A client secret (application secret) or certificate is required to authenticate the application. The application needs a client secret to prove its identity when requesting a token.
The recommended approach is to create and upload a self-signed certificate, which is more secure compared to a secret that can be easily leaked or compromised.
However, you can store the secret in Azure Key Vault to make it secure.
Reference for using the two types of authentication: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#set-up-authentication
Visual Studio also provides a way to set up the client secret automatically, like other values in the portal, as below:
Based on the case requirement, you can choose a client secret or a client certificate. If you only want to authenticate the user, then a secret is not required in OAuth2 flows like Resource Owner Password Credentials (ROPC) and the Implicit Grant flow.
If you have any other questions, please let us know.
Thanks,
Shweta
Please remember to "Accept Answer" if the answer helped you.
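To illustrate the secret-versus-certificate choice discussed in the answer above, here is an added example (not part of the original answer and not Microsoft's code) that builds the form fields for a client-credentials token request both ways with `openssl`. The tenant, client ID, scope and secret values are constructed placeholders, and the function names are hypothetical; the assertion layout follows the Microsoft identity platform certificate-credential format (RS256 JWT with an `x5t` thumbprint header).

```shell
#!/bin/sh
# Added example: what each credential type puts in a client-credentials token request.
# Tenant, client ID, scope and secret arguments are constructed placeholders.
set -eu

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# Self-signed certificate: cert.pem is uploaded to the app registration,
# key.pem stays with the application.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=example-app" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# x5t header value: base64url of the SHA-1 thumbprint of the DER-encoded certificate.
cert_x5t() { openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | b64url; }

# Short-lived RS256 client assertion. Args: tenant client_id key.pem cert.pem
make_assertion() {
  now=$(date +%s)
  aud="https://login.microsoftonline.com/$1/oauth2/v2.0/token"
  hdr=$(printf '{"alg":"RS256","typ":"JWT","x5t":"%s"}' "$(cert_x5t "$4")" | b64url)
  claims=$(printf '{"aud":"%s","iss":"%s","sub":"%s","jti":"%s","nbf":%d,"exp":%d}' \
    "$aud" "$2" "$2" "$(openssl rand -hex 16)" "$now" "$((now + 600))" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$claims" | openssl dgst -sha256 -sign "$3" -binary | b64url)
  printf '%s.%s.%s' "$hdr" "$claims" "$sig"
}

# Form fields, one per line (send each with curl --data-urlencode).
# With a secret, the long-lived secret itself travels in every request;
# with a certificate, only a signed assertion that expires in 10 minutes does.
secret_fields() {
  printf 'grant_type=client_credentials\nclient_id=%s\nscope=%s\nclient_secret=%s\n' "$1" "$2" "$3"
}
cert_fields() {
  printf 'grant_type=client_credentials\nclient_id=%s\nscope=%s\n' "$1" "$2"
  printf 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer\n'
  printf 'client_assertion=%s\n' "$3"
}

# Demo with constructed values: sh example.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_cert "$d"
  scope='https://graph.microsoft.com/.default'
  secret_fields example-client-id "$scope" constructed-secret-value; echo
  cert_fields example-client-id "$scope" \
    "$(make_assertion example-tenant example-client-id "$d/key.pem" "$d/cert.pem")"
fi
```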