
Asked by MahmoudIsmael-9911, answered by sikumars-msft

Authentication working fine in case of no Client Secret provided

When I send a request to the OAuth2 v2.0 token API but do not include the "client_secret" in the body, or provide it as empty, the API still works fine.

Am I missing something, or is this the expected behaviour?

I'm asking because the docs say it is required in the request body.

Tags: azure-ad-connect, azure-ad-app-management

1 Answer

sikumars-msft answered

Hello @MahmoudIsmael-9911 ,

Thanks for reaching out.

There are two different types of client applications supported by Azure AD:

  • Confidential client applications

  • Public client applications

"Confidential client applications" require a "client_secret" during authentication; examples are apps that run on servers (web apps, web API apps, or even service/daemon apps). For "Public client applications", a "client_secret" is not required, as these are apps that run on devices or desktop computers or in a web browser. They're not trusted to safely keep application secrets, so they only access web APIs on behalf of the user (they support only public client flows). Public clients can't hold configuration-time secrets, so they don't have client secrets.

To learn more, refer. Hope this helps.

You can verify "Public client flows" from the Authentication tab, as shown:

[Screenshot: the app registration's Authentication settings, showing the "Public client flows" option]


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.




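The following is an added example, not code from the question, the answer, or Microsoft. It shows the practical consequence of the answer: the same v2.0 token request is built with a secret for a confidential client and without one for a public client, an empty secret is treated as missing, and an app registration manifest is audited for the "Allow public client flows" setting (the `isFallbackPublicClient` field in Microsoft Graph's application resource) that makes the secret optional. The tenant, client id, secret, and manifest are constructed placeholders; the set of grants treated as public-client grants is my assumption about the endpoint, and no network request is made.

```python
# Added example: not code from the original Q&A or from Microsoft. It shows
# how the v2.0 token request differs between confidential and public clients,
# and audits an app registration manifest for the setting that makes
# client_secret optional. All ids, secrets and the manifest are constructed.
import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Grants a public client may use with no client credential (assumption: the
# standard OAuth2 public-client grants the v2.0 endpoint supports).
PUBLIC_CLIENT_GRANTS = {
    "authorization_code",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code",
    "password",  # ROPC
}


def build_token_request(tenant, client_id, grant_type, scope,
                        client_secret=None, allow_public_client=False, **extra):
    """Return (url, form-encoded body) for a v2.0 token request.

    Mirrors the endpoint's rule: a confidential client must send a secret
    (an empty string counts as missing); a public client may omit it only
    for public-client grants. client_credentials always needs a credential.
    """
    body = {"client_id": client_id, "grant_type": grant_type, "scope": scope}
    body.update(extra)
    if client_secret:
        body["client_secret"] = client_secret
    elif not allow_public_client:
        raise ValueError("confidential client: client_secret is required")
    elif grant_type not in PUBLIC_CLIENT_GRANTS:
        raise ValueError(f"{grant_type} is not a public-client flow")
    return TOKEN_URL.format(tenant=tenant), urlencode(body)


def audit_app_registration(manifest):
    """Report whether the token endpoint will accept requests without a secret.

    `manifest` uses Microsoft Graph application field names:
    isFallbackPublicClient = the "Allow public client flows" toggle,
    passwordCredentials = client secrets, keyCredentials = certificates.
    """
    public = bool(manifest.get("isFallbackPublicClient"))
    secrets = manifest.get("passwordCredentials") or []
    certs = manifest.get("keyCredentials") or []
    findings = []
    if public and (secrets or certs):
        findings.append(
            "credentials configured but public client flows allowed: "
            "the secret is optional for user-delegated grants")
    if not public and not secrets and not certs:
        findings.append("confidential app with no credential: token requests will fail")
    return {
        "allows_public_client_flows": public,
        "secret_count": len(secrets),
        "findings": findings,
    }


# Constructed manifest in the shape `az ad app show --id <appId>` returns.
SAMPLE_MANIFEST = json.loads("""{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "example-api-client",
  "isFallbackPublicClient": true,
  "passwordCredentials": [{"displayName": "prod", "keyId": "k1"}],
  "keyCredentials": []
}""")


if __name__ == "__main__":
    url, body = build_token_request(
        "contoso.onmicrosoft.com", SAMPLE_MANIFEST["appId"],
        "client_credentials", "https://graph.microsoft.com/.default",
        client_secret="placeholder-secret")
    print("confidential:", url, body)

    # Same app, no secret: accepted only because the manifest flag is true.
    url, body = build_token_request(
        "contoso.onmicrosoft.com", SAMPLE_MANIFEST["appId"],
        "urn:ietf:params:oauth:grant-type:device_code",
        "User.Read", allow_public_client=True, device_code="placeholder")
    print("public:", body)

    print(json.dumps(audit_app_registration(SAMPLE_MANIFEST), indent=2))
```

The audit is the check a reviewer would run on a registration that is meant to be confidential: if it holds a client secret and also has public client flows enabled, the secret is no longer enforced for user-delegated grants, which is exactly the behaviour the question observed. To export a real manifest for the audit, `az ad app show --id <appId>` returns the Graph-style fields used above (assumed field names; verify against your CLI version).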