Single app registration in Azure for mobile app calling own backend

metalheart 411 Reputation points
2023-02-14T08:07:53.3333333+00:00

I want to authenticate users with Azure Active Directory (AD) in a mobile app that calls its own REST API and, possibly, keep it simple.

Looks like the documented way (here or here) to do so is to

  1. register the API app with AD, expose some scope(s) as delegated permissions
  2. register the mobile app, add these scopes as API permissions to this app
  3. require/verify the scope(s) in the API app

Question: I feel that in this simple scenario (API used exclusively by its front-end) both parts of my app should belong in the same "black box" and a single logical "app" entity should be used. I have seen people registering a single app that exposes an API, adding a single scope and using the clientID in the configuration of both the front-end as well as the back-end.

Is this a secure setup if a client secret is not used?

Can you confirm (or refute) such setup with some authoritative info?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-02-16T09:32:11.25+00:00

    Hi @metalheart ,

    Thanks for reaching out.

    Yes, it may be possible to use a single app registration for both your mobile app and your API, but it is not the recommended approach from a security perspective.

    If you use the same client ID for both the mobile app and the API, any client that knows the client ID can potentially access your API, as they are not required to present any proof of identity or authentication.

    Therefore, it is recommended to register separate app registrations for your mobile app and API. Your mobile app registration should be configured with the appropriate API permissions (scopes) to access your API, and your API registration should verify that these scopes are present in the access token that it receives.

    Additionally, you should use a client secret to authenticate your API with Azure AD to ensure that only authorized clients with access to the secret can access your API.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

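The three-step flow in the question (expose scopes on the API registration, grant them to the mobile app registration, verify them in the API) ends at step 3, and the accepted answer repeats that the API registration "should verify that these scopes are present in the access token that it receives". The following Python is an added example, not code from the thread or from Microsoft, showing the claim checks an API would apply once a JWT library has verified the token's signature against the tenant's signing keys (that signature step is assumed done and is not shown). The tenant ID, the API client ID, the `Orders.Read` scope name and all sample claim sets are constructed placeholders.

```python
"""Claim checks an Azure AD-protected API applies to an access token issued
for it, in the two-registration setup (API app + mobile app) the thread
recommends. Assumes the caller has already verified the JWT signature."""
import time
from typing import Any, Dict, Optional, Tuple

# Constructed placeholder identifiers; substitute your tenant ID and the
# client ID of the *API* app registration (not the mobile app's).
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
API_CLIENT_ID = "00000000-0000-0000-0000-00000000bbbb"
# v1.0 tokens carry the Application ID URI as audience, v2.0 tokens carry
# the bare client ID; accept the form your API registration is set up for.
ACCEPTED_AUDIENCES = {API_CLIENT_ID, f"api://{API_CLIENT_ID}"}
ACCEPTED_ISSUERS = {
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    f"https://sts.windows.net/{TENANT_ID}/",
}
CLOCK_SKEW_SECONDS = 300


def validate_claims(claims: Dict[str, Any], required_scope: str,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (True, "ok") if signature-verified claims authorize a call that
    needs `required_scope`, otherwise (False, reason for the denial)."""
    now = time.time() if now is None else now

    # 1. The token must have been issued *for this API*; a token the same
    #    user holds for another resource (e.g. Graph) must not be accepted.
    aud = claims.get("aud")
    if aud not in ACCEPTED_AUDIENCES:
        return False, f"audience {aud!r} is not this API"

    # 2. The token must come from the expected tenant's authority.
    iss = claims.get("iss")
    if iss not in ACCEPTED_ISSUERS:
        return False, f"unexpected issuer {iss!r}"
    tid = claims.get("tid")
    if tid != TENANT_ID:
        return False, f"unexpected tenant {tid!r}"

    # 3. Validity window, with tolerance for clock drift between hosts.
    exp = claims.get("exp")
    nbf = claims.get("nbf", 0)
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now > exp + CLOCK_SKEW_SECONDS:
        return False, "token expired"
    if now + CLOCK_SKEW_SECONDS < nbf:
        return False, "token not yet valid"

    # 4. Delegated permissions granted to the calling app arrive in the
    #    space-separated "scp" claim; application (app-only) permissions
    #    arrive in "roles". This endpoint needs a user-delegated scope, so
    #    a "roles" entry alone does not satisfy it.
    scopes = set(str(claims.get("scp", "")).split())
    if required_scope not in scopes:
        return False, f"missing required scope {required_scope!r}"
    return True, "ok"


NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def sample_claims(**overrides: Any) -> Dict[str, Any]:
    """Constructed claim set resembling what the API would receive."""
    base = {
        "aud": API_CLIENT_ID,
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "tid": TENANT_ID,
        "nbf": NOW - 60,
        "exp": NOW + 3600,
        "scp": "Orders.Read profile",
        "sub": "constructed-user-subject",
    }
    base.update(overrides)
    return base


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over a few constructed tokens; returns name -> verdict."""
    app_only = sample_claims(roles=["Orders.Read"])
    app_only.pop("scp")  # app-only tokens have no scp claim
    cases = {
        "good": sample_claims(),
        "wrong_audience": sample_claims(aud="00000000-0000-0000-0000-00000000cccc"),
        "missing_scope": sample_claims(scp="profile"),
        "app_only_roles": app_only,
        "expired": sample_claims(exp=NOW - 3600),
    }
    return {name: validate_claims(c, "Orders.Read", now=NOW)
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} -> {'allow' if ok else 'deny'} ({reason})")
```

The audience check is what makes the two-registration model pay off: the mobile app requests a token for the API's scope, Azure AD stamps the API registration's identifier into `aud`, and the API rejects any token minted for a different resource. The `scp` check then enforces the specific permission the mobile app registration was granted.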
