What is the use of Client Secrets in Azure App Registrations?

Question

I implemented Microsoft login by referring to this Documentation. I am able to successfully get the Access token and call the Microsoft Graph API.

But when I created the App registration in the Azure portal. I came across the "Certificates and Secrets" Tab. So I created a sample secret for my demo application as mentioned in the below screenshot. But I am not able to find the exact use Case of this Secret variable. Is it used to authorize our Backend Node-JS server (Apis) or anything like that?.

It will be very helpful if anyone provided a sample use case with an example or any documentation reference. As I am completely new to Azure AD.

Thanks in Advance

Answer 1

The client secret is the password of the service principal. Using a certificate would be an alternative way to authenticate the SP.

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#authentication-two-options

Answer 2

As per MS Document,

The application needs a client secret to prove its identity when requesting a token.

This will help the application to be more secure.

Please refer Auth Code flow as an example reference. Here in first we need to request for a code in a get request and after receiving the code from the identity server then we request for an access token in a post request by adding client secret and code in the request. This allows the third person to can't figure out what the secret and code is, hence he can't bypass the security.