Authentication working fine in case of no Client Secret provided

Mahmoud Ismael 26 Reputation points

When I try to send a request to the oauth2 v2.0 token api but I didn't include any the "client_secret" in the body or provided it as empty, the API is working fine.

Am I missing something or this is the expected behaviour ?

I'm asking as it is mentioned in the docs that it is a required to be added in the request body

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,187 questions
0 comments No comments
{count} vote

Accepted answer
  1. Siva-kumar-selvaraj 15,591 Reputation points

    Hello @Mahmoud Ismael ,

    Thanks for reaching out.

    There are two different type of client applications supported by Azure AD,

    • Confidential client applications
    • Public client applications

    In case of "Confidential client applications" which require "client_secret" during authentication Example: apps that run on servers (web apps, web API apps, or even service/daemon apps) , but for "Public client applications" "client_secret" doesn't require as these apps that run on devices or desktop computers or in a web browser. They're not trusted to safely keep application secrets, so they only access web APIs on behalf of the user. (They support only public client flows.) Public clients can't hold configuration-time secrets, so they don't have client secrets.

    To learn more, refer. Hope this helps.

    You can verify "Public client flows" from authentication tag as shown:


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

0 additional answers

Sort by: Most helpful