Why isn't the secret of my enterprise application taken into account?

Guillaume GRALL 20 Reputation points
2023-08-09T14:38:33.1866667+00:00

Hello, in my enterprise Active Directory I have an application on which I've set a secret.

When I authenticate and ask for a token, there is no error message saying the secret is missing from my request.

I'm using the OAuth 2.0 device flow, so there is a first API request to
POST https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode?mkt=fr-FR

And then another to retrieve the token
POST https://login.microsoftonline.com/common/oauth2/v2.0/token

In this call I don't send the client_secret parameter, but I get no error.
This parameter is documented here: https://learn.microsoft.com/en-us/graph/auth-v2-user?tabs=http#3-request-an-access-token

Is there another configuration step after adding a secret, or a delay before it is taken into account?


Accepted answer
  1. CarlZhao-MSFT 46,316 Reputation points
    2023-08-15T09:12:19.8766667+00:00

    Hi @Guillaume GRALL

    I was just told that client secrets cannot be used in the device code flow. Because the device code flow is a native app-specific authentication flow, and a native app (desktop or mobile app) is not a secret app (web app), it cannot use client secrets.


    If you want to authenticate your app using a client secret, you should create a redirect URL under "Web" and use the auth code flow to get an access token.


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


2 additional answers

  1. CarlZhao-MSFT 46,316 Reputation points
    2023-08-10T07:25:10.3866667+00:00

    Hi @Guillaume GRALL

    If you are using the device code flow to get the token, then you should call the code endpoint first:

    // Line breaks are for legibility only.
    
    POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode
    Content-Type: application/x-www-form-urlencoded
    
    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &scope=user.read%20openid%20profile
    

    Next call the token endpoint:

    POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=urn:ietf:params:oauth:grant-type:device_code
    &client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &device_code=GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8...
    

    Before that, please go to Azure AD > App registrations > find your app > Authentication, and check whether your app has public client flows disabled.


    Later, when you request an access token, you will get an error if you do not provide a client secret.


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
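The two answers above describe the same distinction from different angles: the device code flow is a public-client flow and never carries client_secret, while a web app redeeming an authorization code does. The following Python is an added example, not code from the thread or from Microsoft; it builds the request bodies for the endpoints quoted above, implements the polling rules a device-code client must follow (authorization_pending, slow_down, expired_token, as defined in RFC 8628), and runs the whole flow against a constructed fake of the token service so it can be exercised offline. The tenant and client IDs, device code, secret and token values are all constructed placeholders, and the FakeAad class and form_has_secret helper are assumptions made for this example.

```python
from urllib.parse import urlencode, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def device_code_request(tenant, client_id, scope):
    """Step 1: body for POST /{tenant}/oauth2/v2.0/devicecode (no client_secret)."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/devicecode"
    return url, urlencode({"client_id": client_id, "scope": scope})


def device_token_request(tenant, client_id, device_code):
    """Step 2: body for the token poll; a public client sends no client_secret."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    return url, urlencode({"grant_type": DEVICE_GRANT,
                           "client_id": client_id,
                           "device_code": device_code})


def auth_code_token_request(tenant, client_id, client_secret, code, redirect_uri):
    """The confidential-client alternative from the accepted answer: a web app
    redeems the authorization code together with its client_secret."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    return url, urlencode({"grant_type": "authorization_code",
                           "client_id": client_id,
                           "client_secret": client_secret,
                           "code": code,
                           "redirect_uri": redirect_uri})


def form_has_secret(body):
    """True if an x-www-form-urlencoded body carries a client_secret field."""
    return "client_secret" in parse_qs(body)


def next_poll_action(status, body, interval):
    """Interpret one token-poll response. Returns (action, interval) where action
    is "done", "retry" or "stop"; the error codes are those of RFC 8628."""
    if status == 200 and "access_token" in body:
        return "done", interval
    error = body.get("error")
    if error == "authorization_pending":   # user has not finished signing in yet
        return "retry", interval
    if error == "slow_down":               # polled too fast: back off by 5 s (RFC 8628 3.5)
        return "retry", interval + 5
    return "stop", interval                # expired_token, authorization_declined, ...


def run_device_flow(tenant, client_id, scope, post, sleep):
    """Drive the flow. post(url, body) -> (status, dict) and sleep(seconds) are
    injected so the logic runs offline; use an HTTP client and time.sleep for real."""
    status, dc = post(*device_code_request(tenant, client_id, scope))
    if status != 200:
        raise RuntimeError(f"devicecode failed: {dc.get('error')}")
    # dc also carries user_code and verification_uri, which are shown to the user.
    interval, expires_in, elapsed = dc.get("interval", 5), dc.get("expires_in", 900), 0
    while elapsed < expires_in:
        status, tok = post(*device_token_request(tenant, client_id, dc["device_code"]))
        action, interval = next_poll_action(status, tok, interval)
        if action == "done":
            return tok
        if action == "stop":
            raise RuntimeError(f"device flow failed: {tok.get('error')}")
        sleep(interval)
        elapsed += interval
    raise RuntimeError("device flow failed: expired_token")


class FakeAad:
    """Constructed stand-in for the two endpoints: pending, pending, slow_down, token."""
    def __init__(self):
        self.polls = 0
        self.sleeps = []
        self.secret_seen = False

    def post(self, url, body):
        form = parse_qs(body)
        self.secret_seen = self.secret_seen or form_has_secret(body)
        if url.endswith("/devicecode"):
            return 200, {"device_code": "DEVICE-CODE-CONSTRUCTED", "user_code": "ABCD-EFGH",
                         "verification_uri": "https://microsoft.com/devicelogin",
                         "expires_in": 900, "interval": 5}
        assert form["grant_type"] == [DEVICE_GRANT]
        self.polls += 1
        script = [(400, {"error": "authorization_pending"}),
                  (400, {"error": "authorization_pending"}),
                  (400, {"error": "slow_down"}),
                  (200, {"access_token": "eyJ.constructed.token", "token_type": "Bearer"})]
        return script[min(self.polls, len(script)) - 1]


def demo():
    """Run the flow against the fake; returns (token, polls, sleeps, secret_seen)."""
    aad = FakeAad()
    tok = run_device_flow("organizations", "00000000-0000-0000-0000-000000000000",
                          "user.read openid profile", aad.post, aad.sleeps.append)
    return tok, aad.polls, aad.sleeps, aad.secret_seen
```

The fake records every form body it receives, so demo() shows that a correct device-code client completes without ever sending client_secret; the only request builder that includes one is auth_code_token_request, which is the path the accepted answer points to when the app is a web app. A reviewer checking an app registration can use the same distinction: a secret on a registration that only ever uses the device code flow is dead weight, not protection.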


  2. Guillaume GRALL 20 Reputation points
    2023-08-22T13:04:52.26+00:00

    Thank you CarlZhao-MSFT, this response suits me.

    Have a good day

