Use a client certificate to get access tokens from Azure AD

This article describes how to configure the Tailspin Surveys sample application to authenticate to Azure AD with a client certificate instead of a client secret.

When using the authorization code flow or the hybrid flow in OpenID Connect, the client exchanges an authorization code for an access token at the identity provider's (IDP's) token endpoint. During this step the client has to authenticate itself to the IDP; this is what stops someone who intercepts an authorization code from redeeming it for tokens.

Client secret

There are several ways to authenticate the client: a client secret, a certificate, or a signed assertion. The Tailspin Surveys application is configured to use a client secret by default.

Here is the shape of the token request that the client sends to the IDP (placeholder values in braces). Note the client_secret parameter, which is sent in the body of every exchange.

   POST /{tenant}/oauth2/v2.0/token HTTP/1.1
   Host: login.microsoftonline.com
   Content-Type: application/x-www-form-urlencoded

   grant_type=authorization_code&code={authorization_code}&redirect_uri={redirect_uri}&client_id={client_id}&client_secret={client_secret}

The secret is just a string, so anyone who obtains it can impersonate the application; you have to make sure not to leak the value. The best practice is to keep the client secret out of source control. When you deploy to Azure, store the secret in an app setting rather than in a configuration file that ships with the code.

However, anyone with sufficient rights on the Azure subscription (for example, a Contributor role on the App Service) can read the app settings in clear text. Furthermore, there is always a temptation to check secrets into source control (for example, in deployment scripts), share them by email, and so on.

For additional security, you can use a client certificate instead of a client secret. With a certificate, no shared secret is sent at all: the client signs a short-lived JWT (a client assertion) with the certificate's private key and sends that assertion with the token request, and Azure AD verifies the signature against the public key registered for the application. The certificate is stored in Key Vault and the application retrieves it at run time, so no long-lived credential has to live in app settings or source control. For this option, add a ClientCertificates array under the AzureAd section of the application's configuration and point it at the Key Vault certificate, as shown here:

   "AzureAd": {
      "ClientCertificates": [
         {
            "SourceType": "KeyVault",
            "KeyVaultUrl": "",
            "KeyVaultCertificateName": "MicrosoftIdentityCert"
         }
      ]
   }


For more information, see Using certificates with Microsoft.Identity.Web.