dommilosz / minecraft-auth


Can I use appSecret in production? #6

Closed tristancamejo closed 2 years ago

tristancamejo commented 2 years ago

Just curious if it can be used in the frontend, or it needs to be hidden from the end-user.

dommilosz commented 2 years ago

I'm not sure. In the Minecraft authentication scheme I think there is no reason not to use it: minecraft auth scheme. But I'm not sure about other hidden API endpoints / Microsoft Azure application access.

On the Azure page: App secret is "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." So I see that the only problem might be impersonating the app in some way.

App Secret is used in: Authorization Code -> Authorization Token and Refreshing Tokens. It seems that if the secret were public, no one would be able to authenticate anyway because of the lack of a code or refresh token.

I think the risk for users of your application is minimal. It might be higher for your azure app.

However, I'm not recommending putting it in your code publicly. It's copyable only once from Microsoft. If I put something like that in a public place I would do more research.

I recommend making your own server that authenticates and refreshes the tokens and sends them back to your application. So it gets the body without the app secret and makes the request to Microsoft after adding the secret.

I leave the decision to you :)

tristancamejo commented 2 years ago

Thanks for the API docs link, I'll just make an endpoint on my API to process auth codes to tokens.