Krumelur

Reputation: 33048

Are Azure Active Directory's TenantID and ClientID considered secrets?

For testing purposes I've created an ASP.NET Core MVC app in VS2019 and added authentication "Cloud - Single organization". As part of the creation process, VS registered an app in my subscription's Azure AD and allowed me to login with the users stored in there.

I then created another app registration in a different subscription and changed the MVC app's `appsettings.json` to contain the other subscription's app credentials:

And now I could login with users stored in the other subscription's directory.

My question is: if I push my MVC app to a public git repo, should I consider the above credentials secrets and remove them before committing?

There's no real danger in my opinion but on the other hand it feels wrong to expose them.

Upvotes: 5

Views: 2598

Answers (1)

astaykov

Reputation: 30903

Both values (tenant_id and client_id) are not considered secrets. They are public. Once you publish your application publicly (and not just on an intranet), everyone will be able to get both of these values: they are both used in the OIDC redirect to the authorization endpoint.

However, I might consider hiding them anyway in the web.config / appsettings.json file, as a general best practice for managing application settings. A nice opportunity to try the Azure App Configuration service ;)

Upvotes: 2
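To make the answer's point concrete, here is an added example (not code from the question or the answer) that builds the OIDC authorization redirect an ASP.NET Core app sends the browser to, recovers the tenant and client IDs from it exactly as any user could, and checks a sample `appsettings.json` for the one `AzureAd` key that really is a secret. The GUIDs and the secret value are constructed placeholders; the `AzureAd:ClientSecret` key follows the Microsoft.Identity.Web configuration convention.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample appsettings.json; GUIDs and secret are placeholders, not real values.
SAMPLE_APPSETTINGS = """{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "example.onmicrosoft.com",
    "TenantId": "00000000-0000-0000-0000-00000000aaaa",
    "ClientId": "11111111-1111-1111-1111-11111111bbbb",
    "ClientSecret": "placeholder-secret-value",
    "CallbackPath": "/signin-oidc"
  }
}"""
SAMPLE_AZURE_AD = json.loads(SAMPLE_APPSETTINGS)["AzureAd"]

# Settings that end up in the browser-visible authorization request anyway.
PUBLIC_KEYS = {"Instance", "Domain", "TenantId", "ClientId", "CallbackPath"}
# Settings only ever sent server-to-server; these must never be committed.
SECRET_KEYS = {"ClientSecret"}


def build_authorize_url(azure_ad: dict, redirect_uri: str) -> str:
    """Authorization redirect for the Azure AD v2.0 endpoint: tenant ID is in
    the path and client_id in the query string, so both are public by design."""
    params = {
        "client_id": azure_ad["ClientId"],
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "response_mode": "form_post",
    }
    return (f"{azure_ad['Instance']}{azure_ad['TenantId']}"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")


def ids_visible_in_url(url: str) -> dict:
    """Recover tenant and client IDs from the redirect, as any user watching
    their own browser's address bar could."""
    parsed = urlparse(url)
    return {"tenant_id": parsed.path.split("/")[1],
            "client_id": parse_qs(parsed.query)["client_id"][0]}


def secrets_to_remove(appsettings_text: str) -> list:
    """Pre-commit check: AzureAd keys that hold real secrets and are populated."""
    azure_ad = json.loads(appsettings_text).get("AzureAd", {})
    return sorted(k for k in azure_ad if k in SECRET_KEYS and azure_ad[k])
```

Only `ClientSecret` is flagged for removal; `TenantId` and `ClientId` are already exposed in the URL every sign-in passes through.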
