Closed tej-rana closed 4 years ago
The client secret is used to redeem an access code for an access token; it has nothing to do with verifying the token. Tokens are verified by checking:
Implementing this yourself is not trivial; it's error-prone and a lot is at stake if you make a mistake, which is why we recommend you use libraries (such as the .Net Owin middleware) that do this for you.
As to why the access token shows as invalid signature in jwt.io, see this StackOverflow post: Azure AD B2C - Token validation does not work
Closing as this sample is being archived in favor of a better sample
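The reply above says a token is checked by its signature and claims, not with the client secret. As an added example that is not code from this sample or from the provider's own libraries, the full exchange in Go using only the standard library: the identity provider signs an RS256 token and publishes only its public key as a JWKS; the API looks the key up by kid, pins the algorithm, verifies the signature over header.payload, and then checks iss, aud and exp. The issuer URL, audience, kid and claim values are assumed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Minimal RFC 7517 key entry, as served publicly at the provider's jwks_uri.
type jwk struct{ Kid, Kty, N, E string }
var enc = base64.RawURLEncoding

// newSigningKey stands in for the provider's key pair (assumed 2048-bit RSA).
func newSigningKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the OS RNG does
	return k
}

// publishJWKS exposes only the public half; the private key never leaves the provider.
func publishJWKS(pub *rsa.PublicKey, kid string) []jwk {
	return []jwk{{Kid: kid, Kty: "RSA", N: enc.EncodeToString(pub.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}
}

// issueToken: the provider signs header.payload with its private key (RS256).
func issueToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // digest length is fixed, so this cannot fail here
	return input + "." + enc.EncodeToString(sig)
}

// tamper swaps the payload but keeps the old signature: all that "decoding the token and editing it" achieves without the private key.
func tamper(token string, claims map[string]any) string {
	p := strings.Split(token, ".")
	body, _ := json.Marshal(claims)
	return p[0] + "." + enc.EncodeToString(body) + "." + p[2]
}

// validateToken is the resource-server side: pinned alg, key lookup by kid,
// signature over header.payload, then iss/aud/exp. No client secret is involved.
func validateToken(token string, keys []jwk, issuer, audience string, now time.Time) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm ("none", HMAC, ...)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := enc.DecodeString(k.N) // the JWKS is trusted config fetched over TLS; assumed well-formed
			e, _ := enc.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no key for kid")
	}
	sig, _ := enc.DecodeString(p[2]) // a malformed signature simply fails verification below
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]any
	if raw, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if claims["iss"] != issuer || claims["aud"] != audience {
		return nil, errors.New("wrong issuer or audience")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	priv := newSigningKey() // assumed issuer, audience and kid values below
	keys := publishJWKS(&priv.PublicKey, "key-1")
	claims := map[string]any{"iss": "https://issuer.example/", "aud": "api", "sub": "alice", "exp": time.Now().Add(time.Hour).Unix()}
	_, err := validateToken(issueToken(priv, "key-1", claims), keys, "https://issuer.example/", "api", time.Now())
	fmt.Println("genuine token:", err)
}
```

The genuine token validates with a nil error; feed the result of tamper() to the same call and it fails with "invalid signature", because any change to the payload changes the hash the signature was made over, and producing a new signature needs the private key that only the provider holds. The API side therefore needs the provider's public JWKS, the expected issuer and audience, and a clock, and nothing secret at all.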
I can't wrap my head around how this would work. The way I see this at the moment, you can simply decode the access token and use it again. That's because there isn't a secret key used in the server side. Unless the secret key defined for the app in Azure AD B2C tenant is used implicitly.
Ok so three things I've noticed with the client secret.
The access token when decoded in https://jwt.io/ keeps saying invalid signature.
When requesting the access token, I think you can send the client secret by adding an extra parameter like below. But that is simply plain text. Even if it is coming from a mobile app, it can easily be seen.
&client_secret=<client secret>
Can someone help me understand this?