PublicClientApplication + Web Platform configuration without CLIENT_SECRET. Possible?

[vkurup]

Hi,

We've built a django web app and would like to integrate SSO with our customer's Azure AD instance. They have created an app registration with a "web" platform configuration, but would prefer not to give us a CLIENT_SECRET. They have recommended that we use PublicClientApplication(). All of the examples that I've found for Python using a web flow seem to use the ConfidentialClientApplication().

Before I dive too deep, I was wondering if it is possible to do SSO for a Python web app without having them share a CLIENT_SECRET with us?

Thank you!

[idg-sam]

Hi @vkurup ,
Your web app should be using a confidential client app. The only place that a public client app can be used is in cases where secrets cannot be guarded (e.g., single-page app [javascript] or a desktop/console app).

Can you tell me a bit more about your use-case, and maybe also more detail about why your client does not want to use a CCA?

[rayluo]

They have created an app registration with a "web" platform configuration

It sounds like that client is already using a CCA (ConfidentialClientApplication), but they just somehow do not want to share its secret with @vkurup who is probably their ISV (Independent software vendor).

Generally, if an app is configured as a "web platform", that configuration can not be used as a PublicClientApplication. But even if it could, it is still not clear what kind of setup and SSO effect @vkurup is aiming at. Agree with Sam, that we'd like to know more detail about this setup.

On the other hand, a more common approach would be ISV develops a multi-tenant app (but still a confidential app which the ISV manages its credential), and the client consents to such app.

[vkurup]

Thank you Sam and Ray!

Yes, I am an ISV for the client. I'd like to use SSO only for authentication. Every user in the client's AD will be mapped to an unprivileged user in my app. It will be up to administrators in my app to manually assign them more privileges, if desired. So, I plan to have a 'Login with SSO' button on my site, which would take the user to login via Azure, and then return my app with a token, hopefully containing the user's email address, so that I can create a Django user for them. But I do not need any authorization info from AD.

So far the client has provided me with a tenant ID and a client ID. I think I may be their first ISV to use Python, so previous integrations were probably done using javascript single-page-apps, which might explain why they suggested this approach? Any guidance for how we should do this would be appreciated.

[idg-sam]

Hi @vkurup ,

I agree with @rayluo.

Since you are an ISV, usually this means that the Django app is yours, and you are providing access to the client (i.e., SaaS). This scenario typically requires you to create a multitenant app on your own Azure AD tenant, and allow users from their tenant to log in to your multitenant AAD application. If their tenant admin also consents to letting their users log in to your AAD app, you'll be able to get details about their tenant's logged-in user from the ID token.

See the README.md from this sample for guidance. The sample code is for .NET but the concepts covered in the readme will apply to your app as well.

Conversely, if you were building this Django app specifically for them (i.e., the client will own/manage this app), then the usual solution would be to create a single-tenant confidential client web app on the client's own tenant.

[vkurup]

Thank you, this is very useful. I'll take this back to the client and we'll plan a solution.