Differentiate the scripts that obtain an access token using the Client Credentials Grant type
In Microsoft EntraID I have a Application registration that has two client secrets.
I want to obtain a access token from this App Registration using the client credentials grant type using two separate python scripts (script1 and script2)
The problem is that there is no way to differentiate if the JWT token was obtained from script1 or script2. For each script I used a different client secret.
To get the the JWT access token I used this curl and I specified that I want to use client credentials grant type and I tried using it with different client_secrets. But the JWT was the same and there is no way to differentiate them.
curl --location 'https://login.microsoftonline.com/5fdbbf9b-ae6b-4986-8349-46baf9cffc1a/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: fpc=AsBGgX8tBlFBpcISkM-uVZHIlH0WAQAAANI0F94OAAAA' \
--data-urlencode 'client_id=4c670161-3e27-441f-b694-6538e755d94e' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_secret=xxxxxxxxxxxxxxxxxxxx' \
--data-urlencode 'scope=api://4c670161-3e27-441f-b694-6538e755d94e/.default'
Question 1: Is there a way to differentiate clients that use client credentials grant type when they use different secrets?
Question 2: Am I wrongly using this grant type? This is the grant type recommended for a machine to machine situation.
I agree with @wenbo, you cannot differentiate between clients that use client credentials grant type based on secrets.
- Client credentials grant type itself does not differentiate tokens based on client secrets.
- The client credentials grant type is used to acquire an access token that represents the application itself, rather than a specific user or client.
- The access token obtained using the client credentials grant type is identical that uses the same application ID and secret.
Generated access token:
curl --location 'https://login.microsoftonline.com/TenantID/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: fpc=xxx' \
--data-urlencode 'client_id=ClientID' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_secret=xxxxxxxxxxxxxxxxxxxx' \
--data-urlencode 'scope=api://xxx/.default'
Hence you can differentiate the access token only based on iss, appid, roles, aud, tid claims.
- You can make use of client credentials grant type for scenarios involving machine-to-machine authentication, where the application accesses its own resources.
- Cannot add data to a ComplexField using Python SDK for Azure AI Search
- letsencrypt cert request failing for AKS ingress
- Playwright Test execution on Azure Windows machine fails in pipeline with error as No test found, It works perfectly with same command
- How to Combining PowerShell Output from multiple server to Single csv
- How can I find all Azure app registrations with API permissions to a specific app registration?
- Azure Deployment Groups vs Agent Pools
- I cannot extract .sql CREATE TABLEs for each table in my Azure SQL Database in my Azure Repo
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Are task logs deleted when the node is deleted due to autoscaling in Azure Batch service?
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- While Hierarchical namespace enabled cannot upload blob with metadata hdi_isfolder
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Langchain cannot connect with Azure SQL Database