25,191 questions
Can I use someone else's Azure Application to login? Can I share my client_secret with my users?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 65%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFC%3C/text%3E%3C/svg%3E)
fantabos.co
1
Reputation point
I'm trying to update my Minecraft script, but with Microsoft account forced migration I can't login anymore and thus my script can't join any server. I'm trying to implement the OAuth flow, but I would need to embed my application credentials in my software (client_id and client_secret)
Why would I use a specific application to login? Can I login on any Azure application? What would be the drawbacks of this? I can't seem to find logs or any information about users who logged with my application. Why should I maintain my application when I could just use the device login flow (/devicecode) with a random client_id found on the internet? The owner of that app would not be able to even find my users logins on his application. Am I wrong?
Expanding on this, why would I need to protect my application? The trusted agent is Microsoft, not my application. My application trusts Microsoft, not the other way around. Thus my application is not a trusted agent. Why would I need to protect its identity? What malicious activity can users do with my application client_secret? Login to Microsoft via my application?
Can't I just share my client_id and client_secret freely to allow users of my opensource project to personally review how they will authenticate and then use my application if they don't want to register one themselves?
Basically, why do I need to maintain a separate authority my users will login onto? I am not an authority, Microsoft is, my users should login directly to Microsoft without need to trust a third party (me and my application). I am a random guy on the internet, I am not an authority! I cannot become a trusted party, my software is trusted because you can review its code, but the new authentication flow requires me to keep part of the authentication software closed source (the part handling client_id and client_secret). Can I just use someone else's application (maybe Minecraft's?) or share my client_secret?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator2022-02-21T19:39:18.747+00:00 @fantabos.co , I understand you have a query where you would like to know why client secret and client Id of your application needs to be secured and why you cant share it with your users. ClientId is an application identity that you create within Azure AD and Client_secret is like password for this application identity When we create the application identity, we provide the application some API permissions for different operations like being able to read user profile info which may help fetch the user details within your application . If you share the client_id and client_secret to the users of your application or hardcode these within your application , you user can get the application identity details and using that the user can query any detail which is permitted thus collecting user information . For example , if you provide Directory.readall permission on Microsoft graph API to this application , using the application client_id and client_secret any of your users can dump the information about all of your users. Azure AD is like a user directory for you . Your application's users are your customer so if you provide client_id and client_secret , you are basically handing over the keys to your user store to the unknown user which can dump your application's customer/user base and o anything with that info . Hope this helps explain why its important to deal with client_id and client_secret with utmost safety . Also you can not use someone else's client_id and secret in your application as it may not work as intended . Let us know in case of further queries.
Sign in to comment
Sign in to answer