Are Azure Application Client IDs safe to store in the frontend?
On the Microsoft website they have multiple examples on how to use msal to authenticate users to the Azure AD within an SPA. In all these examples the Application (client) ID is stored in plain text in the code or in a simple .json file.

My question, given that everything stored in the front end is considered to be public, is it bad practice to simply store the app configuration like the Azure (client) ID in a .json file? Or would this be better stored in a .env file?

These are the details the app would need to function:

AZURE_APP_CLIENT_ID=""
AZURE_APP_AUTHORITY=""
AZURE_APP_REDIRECT_URI=""
AZURE_APP_POST_LOGOUT_REDIRECT_URI=""

API_URI=""
API_AZURE_EXPOSED_SCOPE=""
Onslaught answered 5/5, 2020 at 13:10 Comment(0)
Well, the OAuth RFC defines it as not a secret: https://www.rfc-editor.org/rfc/rfc6749#section-2.2

The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.

The client id will be visible in the URL anyway when the user signs in. Storing it in the front end is totally fine.

All of these things are visible in the URL when the user logs in:

  • Azure AD tenant id
  • App client id
  • Scopes the application is requesting (which can include client ids/app ID URIs of APIs in your AAD)
  • App redirect URI
Scarper answered 5/5, 2020 at 13:17 Comment(1)
Thanks for the info. That makes things simple so only a .json file will do. Much appreciated. Onslaught
