Web API: Why is it necessary to expose the client secret in my scenario?

JAL 591 Reputation points
2020-10-07T02:01:21.957+00:00

I'm confused about authentication flows.

I added Swashbuckle/Swagger to my Web Api, not realizing that my client secret would be exposed. The Swagger developers seem to regard it as unavoidable, per this link
https://github.com/swagger-api/swagger-ui/issues/4448

Why unavoidable? Doesn't MSAL provide authentication without exposing a client secret? If so, why can't Swagger do it? Or why can't Swagger use MSAL?

My api is at, say,
myApi.azureWebsites.net
and my swagger at:
myApi.azureWebsites.net/swagger
How is this usually solved? Is there a tutorial on how to make a separate Swagger UI-app, say at
mySwagger.azureWebsites.net
which could forward any request to the backend Api, using httpClient?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,010 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,426 questions
0 comments No comments
{count} votes

Accepted answer
  1. soumi-MSFT 11,786 Reputation points Microsoft Employee
    2020-10-07T05:41:09.103+00:00

    Hi @JAL , thank you for reaching out.

    ClientID and Client Secrets are parameters that are passed to AAD by MSAL, and here if you are using a confidential client (like: WebApp, WebAPI or Daemon/Service) that runs on Azure PaaS Service, or any other secured servers, in that case only the clientID gets exposed by MSAL but not the client secret, as the client secret is passed only in the backchannel to AAD and never directly exposed.

    You can read more on Confidential clients and Public clients here: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-client-applications

    The rest of the queries related to Swagger, I believe posting a thread on the Swagger forums would be more beneficial to get answers to those.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

    0 comments No comments

4 additional answers

Sort by: Most helpful
  1. JAL 591 Reputation points
    2020-10-07T16:42:47.597+00:00

    Thanks, but I'm a bit slow. MSAL.js uses the clientID to identify the app, no need for client secret. Why can't Swagger do the same? What is different about the Swagger scenario that I'm missing here?

    Here's my understanding of MSAL.js. It redirects to the Active directory URL-plus-clientID where Active D shows a login page. The user signs in and gets a token if he is in the same Tenant as that clientID (otherwise denied). Active D redirects user back to my home page URL-plus-token. MSAL.Js extracts the token from the URL.

    I just don't understand why Swagger can't do the same thing.


  2. JAL 591 Reputation points
    2020-10-08T20:22:52.36+00:00

    Right, I did post on a Swagger forum as well, still hoping for a reply.

    Swagger is fairly ubiquitous so I'm still holding out a little hope that someone on this forum has some experience with it.

    0 comments No comments

  3. JAL 591 Reputation points
    2020-10-12T06:05:39.703+00:00

    I'll give you the credit for the answer even though it's not really what I was hoping for.

    0 comments No comments

  4. Mehdi AINS 1 Reputation point
    2022-05-16T16:29:20.05+00:00

    MSAL.js uses authorization code flow + PKCE, hence it does not need client secret.

    You can also use authorization code flow + PKCE with SwashBuckle and hence no client secret will be needed. Make sure you add your redirect URL under Single Page Applications in App Registration.

    Here is the tutorial on using SwashBuckle with authorization code flow + PKCE: https://lurumad.github.io/swagger-ui-with-pkce-using-swashbuckle-asp-net-core

    So, you can use authorization code flow + PKCE even in your Asp.Net web apps without the need of client secrets / certificates.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.