Azure AD App registration with multiple CLIENT_SECRETS

Mota, Antonio 21 Reputation points
2020-11-26T14:46:47.623+00:00

Hi all.

I have this situation where I want to enable access to an application (via API, not with signed users) by getting tokens passing a CLIENT_ID, a CLIENT_SECRET and a RESOURCE.

This works fine but my case is to provide this access to different parties, so I created multiple CLIENT_SECRETs in my app hoping that the returning token will have some claim that will differentiate the tokens fro different secrets, either a default claim or a optional one.

But it seems it's not the case, all tokens have exactly the same content (except the timestamps and opaque strings)

So my question is basically, how can I differentiate tokens for the same app and resource coming from assigned to different parties?

Thanks in advance.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,395 questions
{count} votes

Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-11-26T16:03:06.837+00:00

    Hello @Mota, Antonio , thank you for reaching out. If I understand you correctly, you have registered a single application in AAD and for that App Registration, you have created multiple Client_Secrets each for a separate application code that would be referencing the same App Registration in AAD.

    In such a setup, it is not possible to figure out which application code, actually initiated the request for the token, the reason being, in the request that the app code sends to AAD, would only have the client_id and one of the available client_secrets from the list of client_secrets you created. When this request reaches AAD, AAD would validate the request only by looking at the client_id and the client_secret and if those two are valid, AAD would issue you an access_token. AAD has no means to capture the information as to which app code of yours has fired this request and hence the access_token would only contain the name of the App Registration and the App_Id and
    nothing else.

    In case you would like to figure out from which code instance you received AAD received the request by looking into the access_token, in that case, you would have to create separate App_Registrations, and that App_Registrations name and App_id would be listed in the access_token under the app_displayName and appId keys

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer; if the above response helped in answering your query.

    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Vasil Michev 95,071 Reputation points MVP
    2020-11-26T15:28:49.043+00:00

    There's no way to differentiate between multiple client secrets, if that's your goal best register multiple applications.

    0 comments No comments

  2. Mota, Antonio 21 Reputation points
    2020-11-26T19:18:57.237+00:00

    Hi guys, many thanks for the replies. It's a little different of what I describe, I do have one backend application deployed in Azure, and I created an app registration for it. But there are no specific "client" applications, we just expose the APIs and different customers can do whatever they see fit - invoking the APIs directly using curl, or via swagger or postman, or even creating automated processes or full fledged applications to invoke those APIs...

    But I just tested and indeed creating a "app registration" on AD without having a "real app" behind it is enough to our use case, we just have to create a registration for each customer that uses the app and give then their unique clientId/secret.

    Thanks again for your replies.


  3. John G 1 Reputation point
    2021-05-10T16:55:35.323+00:00

    HI @Mota, Antonio , can you share how you managed to have your "one backend application deployed in Azure" allow access to multiple clients/app registrations? I have been trying to do exactly same thing as above BUT I can't see how to allow more than one client to access the app. For example, a typical azure app has a config section like:
    "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "qualified.domain.name",
    "TenantId": "22222222-2222-2222-2222-222222222222",
    "ClientId": "11111111-1111-1111-11111111111111111",
    "CallbackPath": "/signin-oidc"
    },
    So only 1 client Id is possible