MotaAntonio-7713 asked ArthurD-2843 answered

Azure AD App registration with multiple CLIENT_SECRETS

Hi all.

I have this situation where I want to enable access to an application (via API, not with signed users) by getting tokens passing a CLIENT_ID, a CLIENT_SECRET and a RESOURCE.

This works fine, but my case is to provide this access to different parties, so I created multiple CLIENT_SECRETs in my app hoping that the returned token would have some claim that differentiates the tokens from different secrets, either a default claim or an optional one.

But it seems that's not the case: all tokens have exactly the same content (except the timestamps and opaque strings).

So my question is basically: how can I differentiate tokens for the same app and resource coming from secrets assigned to different parties?

Thanks in advance.

azure-active-directory azure-ad-app-registration
soumi-MSFT answered

Hello @MotaAntonio-7713, thank you for reaching out. If I understand you correctly, you have registered a single application in AAD and, for that App Registration, you have created multiple Client_Secrets, each for a separate application code that would be referencing the same App Registration in AAD.

In such a setup, it is not possible to figure out which application code actually initiated the request for the token, the reason being that the request the app code sends to AAD would only have the client_id and one of the available client_secrets from the list of client_secrets you created. When this request reaches AAD, AAD would validate the request only by looking at the client_id and the client_secret, and if those two are valid, AAD would issue you an access_token. AAD has no means to capture the information as to which app code of yours has fired this request, and hence the access_token would only contain the name of the App Registration and the App_Id and nothing else.

In case you would like to figure out from which code instance AAD received the request by looking into the access_token, you would have to create separate App_Registrations, and that App_Registration's name and App_id would be listed in the access_token under the app_displayName and appId keys.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.
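As an added illustration of the point made in this answer (example code, not from the original post or from Microsoft): parsing constructed client-credentials tokens shows that the claims carry only the registration's appid and app_displayname, never the secret that was used, so the workable way to tell callers apart is one registration per caller plus a mapping from appid to customer. The GUIDs, the audience value and the unsigned demo tokens are constructed placeholders.

```python
import base64
import json

# Placeholder client IDs for the constructed sample tokens (not real registrations).
SHARED_APP = "00000000-0000-0000-0000-000000000001"   # one registration, two secrets
CUSTOMER_B = "00000000-0000-0000-0000-0000000000b2"   # separate registration per customer

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def constructed_token(app_id: str, display_name: str) -> str:
    """Build an unsigned demo JWT carrying the claims the answer names (appid,
    app_displayname). A real AAD token is signed; this one exists only to be parsed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "aud": "api://my-backend",          # the protected API's identifier (placeholder)
        "appid": app_id,                    # v1.0 claim; v2.0 tokens carry it as 'azp'
        "app_displayname": display_name,
    }).encode())
    return f"{header}.{payload}."

def payload_claims(token: str) -> dict:
    """Decode the payload segment only. This does not validate the token; a real
    API must verify signature, issuer, audience and expiry before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def caller_app_id(claims: dict) -> str:
    return claims.get("appid") or claims.get("azp") or ""

def resolve_customer(token: str, registry: dict) -> str:
    """Map the calling app registration to a customer; unknown callers are rejected.
    Because the secret used is not reflected in any claim, two tokens minted with
    different secrets of the same registration resolve identically."""
    app_id = caller_app_id(payload_claims(token))
    if app_id not in registry:
        raise PermissionError(f"unknown caller {app_id!r}")
    return registry[app_id]

REGISTRY = {SHARED_APP: "shared-backend-client", CUSTOMER_B: "customer-b"}

if __name__ == "__main__":
    secret1 = constructed_token(SHARED_APP, "backend-api-client")  # minted with secret #1
    secret2 = constructed_token(SHARED_APP, "backend-api-client")  # minted with secret #2
    print(payload_claims(secret1) == payload_claims(secret2))     # True: indistinguishable
    print(resolve_customer(constructed_token(CUSTOMER_B, "customer-b-client"), REGISTRY))
```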

michev answered

There's no way to differentiate between multiple client secrets; if that's your goal, best register multiple applications.

MotaAntonio-7713 answered soumi-MSFT commented

Hi guys, many thanks for the replies. It's a little different from what I described: I do have one backend application deployed in Azure, and I created an app registration for it. But there are no specific "client" applications; we just expose the APIs and different customers can do whatever they see fit, invoking the APIs directly using curl, via Swagger or Postman, or even creating automated processes or full-fledged applications to invoke those APIs...

But I just tested, and indeed creating an "app registration" in AD without having a "real app" behind it is enough for our use case; we just have to create a registration for each customer that uses the app and give them their unique clientId/secret.

Thanks again for your replies.


Hello @MotaAntonio-7713, you are absolutely correct. Once you have exposed your API and registered it in Azure AD, it means that the API is now AAD protected. Henceforth, whenever you try to access this AAD-protected API, you will need to fetch a token from AAD to access it.

Now, all the front-end apps that would be calling your exposed custom AAD-protected API would need to be registered in AAD separately, and these front-end apps, using their unique AppId and App_secret, would authenticate with AAD first and then fetch a token to access your custom API.

ArthurD-2843 answered ArthurD-2843 edited

Hi @MotaAntonio-7713, can you share how you managed to have your "one backend application deployed in Azure" allow access to multiple clients/app registrations? I have been trying to do exactly the same thing as above, BUT I can't see how to allow more than one client to access the app. For example, a typical Azure app has a config section like:

    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "qualified.domain.name",
        "TenantId": "22222222-2222-2222-2222-222222222222",
        "ClientId": "11111111-1111-1111-11111111111111111",
        "CallbackPath": "/signin-oidc"
    },

So only one client ID is possible.
