
We are developing a public client desktop application using Uno Platform, and we have a requirement to call one of our Web APIs, which is protected with Azure AD.

We use the client credential flow to generate the access token in the public client application, and the same token is passed in the headers as a Bearer token to call the Web API.

Code used for generating the token in the public client application:

```csharp
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

// Client-credentials flow: tenant authority, app (client) id + secret, and the API's resource id
string authority = "https://login.microsoftonline.com/xxxxxxbf-86f1-xxxx-xxxx-2d7cd011db47";
string secret = "xxxxxxxx7eCXUMxxxF7GIxxxxxxxvSQkIcxxxxx";
var authContext = new AuthenticationContext(authority);
var clientCredential = new ClientCredential("xxxxxxx-7974-xxxx-xxxx-9dd621fxxxxx", secret);
AuthenticationResult authResult = await authContext.AcquireTokenAsync("dd543eda-xxxx-xxxx-xxxx-58ddd58565db", clientCredential);

string token = authResult.AccessToken;
```

I am able to acquire the token and call my protected Web API successfully.

However, since this is going to be a public client desktop application, what is the best way to secure my secret? I can't put it in appsettings.json because it will be exposed. I can't put it in Key Vault either, because I need some other credential to access Key Vault.

Any help would be greatly appreciated. Thanks.

Sri Nivas
  • Have you tried [OAuth](https://stackoverflow.com/questions/20725062/oauth-secrets-and-desktop-application)? – Chen Aug 26 '22 at 07:32
  • Can we generate a token without a secret in a desktop app and call the protected API? I know we can do this in Azure using Identity. – Sri Nivas Aug 28 '22 at 18:02

1 Answer


A public client is supposed to work without a client_secret, provided you use the Authorization Code Grant flow instead of the Client Credentials flow. But keep in mind that the Authorization Code Grant flow comes with a dependency on user interaction: it will only work when a user logs into the app interactively.

For the Client Credentials flow to work, it is mandatory to supply the client secret, since it is a required property of that flow.

  • In fact the user would already have logged into the application and have a token generated with the Graph API scope before we make any protected external Web API call. Do you have any example of the authorization code workflow which avoids user interaction when calling external APIs? – Sri Nivas Oct 12 '22 at 04:04
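As an added example (not from the question or the answer, and using MSAL, Microsoft.Identity.Client, rather than the ADAL library in the question): a public desktop client acquiring a token for the protected Web API through the authorization code flow with PKCE, silently from the token cache once the user has signed in, so no client secret ships with the app. The client id, tenant id, API scope and API URL are placeholders, and a .NET desktop target with a loopback redirect URI is assumed.

```csharp
// Added example, not the page's own code. Placeholders below are assumptions.
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ApiTokenClient
{
    private const string ClientId = "<desktop-app-client-id>";   // placeholder
    private const string TenantId = "<tenant-id>";               // placeholder
    // Scope exposed by the Web API's app registration (placeholder application ID URI).
    private static readonly string[] ApiScopes = { "api://<webapi-app-id>/.default" };

    // Public client: no secret is configured anywhere; the app registration must be
    // marked as a public client / allow the loopback redirect URI.
    private static readonly IPublicClientApplication App =
        PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost")
            .Build();

    // Returns an access token for the API, prompting only when the cache cannot satisfy it.
    public static async Task<string> GetApiTokenAsync()
    {
        var account = (await App.GetAccountsAsync()).FirstOrDefault();
        try
        {
            // Silent path: cached access token, or a refresh via the cached refresh token.
            var silent = await App.AcquireTokenSilent(ApiScopes, account).ExecuteAsync();
            return silent.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            // First run, expired session or missing consent: interactive sign-in (PKCE is handled by MSAL).
            var interactive = await App.AcquireTokenInteractive(ApiScopes).ExecuteAsync();
            return interactive.AccessToken;
        }
    }

    // Calls the protected API with the token as a Bearer header; the API validates
    // issuer, audience and signature on its side.
    public static async Task<string> CallApiAsync(string apiUrl)
    {
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", await GetApiTokenAsync());
        return await http.GetStringAsync(apiUrl);
    }
}
```

After the first interactive sign-in, later calls to other APIs the user has consented to go through the silent path without a prompt; the token is bound to the signed-in user rather than to a secret the application would have to hide.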