HankCa

Reputation: 9629

Azure AD / MSAL.js - is it safe to include the tenantId?

Is it safe to include the clientId and tenantId in the msal.js implementation? I believe I read Joonas Westlin say that embedding the ClientId is fine (I can't find the post now).

There is a place for it in the library so it seems that it is ok:

// Public identifiers only: clientId and tenantId go in, no secret is configured here.
this.msal = new UserAgentApplication({
    auth: {
        clientId: this.clientId,
        authority: `https://login.microsoftonline.com/${this.tenantId}`,
        redirectUri: Uri + "/login",
    },
});

However, one would think such identifying information is to be kept secret.

Upvotes: 4

Views: 5244

Answers (1)

Rohit Saigal

Reputation: 9664

Short answer: Yes, it's safe to include clientId and tenantId.

Your concern is valid, since with JavaScript-based applications (like SPAs) any information that you're putting in is potentially exposed to users and can be misused. Although tenantId and clientId aren't such information, a client secret or keys would be sensitive and are to be avoided.

tenantId is available publicly anyway as part of the OpenID Discovery document for the tenant. You can access it using a URL of this format:

https://login.microsoftonline.com/{tenantID or tenantDomain}/v2.0/.well-known/openid-configuration

clientId is an identifier for your app registration. To answer your concern about including it: clientId alone doesn't establish the application's identity; you need to have the client secret along with it as well to be able to use the application's identity.

So from a security standpoint, any public client application (like a JavaScript-based SPA or even a desktop native app) should not make use of a client secret, as these applications cannot keep it safely and it can get compromised. Secrets can only be handled by confidential clients like a server-based web application or a backend daemon process.

Here is Microsoft's guidance for the Implicit grant flow, which is usually the flow used by JavaScript/SPA apps: Microsoft identity platform and Implicit grant flow

Here is a similar SO post about clientId and tenantId with a good explanation: Are the Azure Client Id, Tenant, and Key Vault URI considered secrets?

I couldn't quickly find the post from Joonas Westlin that you mention in the question, but Joonas's advice about clientId is correct as usual.

Upvotes: 7
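The two points in the answer, that the tenantId is already in the unauthenticated OpenID discovery document and that the only thing a public client must keep out of its configuration is secret material, as an added example that is not from the question, the answer or the MSAL library. The discovery-document excerpt, the GUIDs, the redirect URI and the helper names (discoveryUrl, tenantIdFromIssuer, findSecretKeys, assertPublicClientConfig) are constructed for this example; the option names clientSecret and clientCertificate are the ones confidential-client MSAL libraries accept and are listed here only so a shipped browser config can be checked for them.

```javascript
// Added example, not code from the question, the answer or MSAL.
// Sample data, names and the SPA config below are constructed.

// The public discovery URL for a tenant, in the format the answer gives.
function discoveryUrl(tenant) {
  return `https://login.microsoftonline.com/${tenant}/v2.0/.well-known/openid-configuration`;
}

// Constructed excerpt of what that document looks like; it is served without any credential,
// and the issuer already carries the tenant GUID.
const SAMPLE_DISCOVERY_DOC = {
  issuer: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
  authorization_endpoint:
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/authorize",
};

// Extract the tenant GUID from the issuer: anyone who can fetch the document learns it.
function tenantIdFromIssuer(issuer) {
  const m = /^https:\/\/login\.microsoftonline\.com\/([0-9a-f-]{36})\/v2\.0$/i.exec(issuer);
  return m ? m[1] : null;
}

// Tenant segment of an MSAL authority URL (a GUID, a domain, or "common"/"organizations").
function authorityTenant(authority) {
  const m = /^https:\/\/login\.microsoftonline\.com\/([^/]+)\/?$/.exec(authority);
  return m ? m[1] : null;
}

// Option names that carry secret material; none of them belongs in a browser-delivered config.
const SECRET_KEYS = ["clientSecret", "clientCertificate", "clientAssertion"];

// Walk a config object and return the dotted paths of any secret-bearing keys.
function findSecretKeys(config, path = "") {
  const found = [];
  for (const [key, value] of Object.entries(config)) {
    const here = path ? `${path}.${key}` : key;
    if (SECRET_KEYS.includes(key)) found.push(here);
    if (value && typeof value === "object" && !Array.isArray(value)) {
      found.push(...findSecretKeys(value, here));
    }
  }
  return found;
}

// Pre-ship check for a public client: identifiers are fine, secret material is rejected.
function assertPublicClientConfig(config) {
  const leaks = findSecretKeys(config);
  if (leaks.length > 0) {
    throw new Error(`secret material in public client config: ${leaks.join(", ")}`);
  }
  return true;
}

// Constructed SPA config mirroring the question's snippet: safe to embed in the page.
const PUBLIC_CLIENT_CONFIG = {
  auth: {
    clientId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    authority: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555",
    redirectUri: "https://example.test/login",
  },
};

// The same config with a secret pasted in by mistake: the check must reject it.
const LEAKY_CONFIG = {
  auth: { ...PUBLIC_CLIENT_CONFIG.auth, clientSecret: "constructed-secret-value" },
};

// Demo when run directly with node.
console.log(discoveryUrl("contoso.onmicrosoft.com"));
console.log("tenant from issuer:", tenantIdFromIssuer(SAMPLE_DISCOVERY_DOC.issuer));
console.log("authority tenant:", authorityTenant(PUBLIC_CLIENT_CONFIG.auth.authority));
console.log("leaks in leaky config:", findSecretKeys(LEAKY_CONFIG));
```

The authority tenant and the issuer tenant are compared so a single-tenant app does not ship pointing at a different tenant than the one it was registered in; the secret-key walk is the check worth wiring into a build step, since the identifiers the question asks about are harmless to expose while one pasted clientSecret turns the browser bundle into a credential leak.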
