Using Client Secret with OAuth 2.0 authorization code flow

Jamie Brandwood 126 Reputation points
2021-04-09T13:14:09.51+00:00

Hi Everyone, Happy Friday,

My question for today is, why when using OAuth 2.0 authorization code flow do you need to provide a client secret for a web app?

The application is using Delegated Permissions, therefore it only has access to the resources of said signed-in user. So why is a client secret also needed? What does that bring to the party?

Does it bring any additional security risks to the mix? i.e. can this client secret then be leaked and used to dynamically request additional permissions? Or will it do nothing because it also needs to be used alongside a set of user credentials?

Many Thanks.


Accepted answer
AmanpreetSingh-MSFT 56,311 Reputation points
2021-04-21T07:56:16.49+00:00

Hi @jabran-corp · Thank you for reaching out.

When a Resource Owner (end user) is authenticated, he gets an Authorization Code from the authorization endpoint. This code is sent to the Client Application (the actual application for which the app registration is done in Azure AD) via the user agent (web browser or native app). The Client Application then communicates directly with the Authorization Server (Azure AD, for example).

1. The client application first authenticates with the Authorization Server, which is why a client secret is required.
2. It then sends the authorization code it received to the Authorization Server.

The Authorization Server sends back the access token and refresh token in response only when it has validated the code and verified that it is the same application that requested authorization in the first place.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

