
Remove sensitive information from source control for Blazor projects


I'm using the default template for Blazor Webassembly Hosted with ASP.NET Core (.NET 6), with Microsoft Identity enabled.

I was, however, unable to figure out how it was able to authenticate with Microsoft AAD and what source files need to be removed from version control to prevent others from getting access to Microsoft authentication against my app registration.

I couldn't find anything in the Client project. In the Server project, I only found this configuration, which the builder was binding, but there was no Secret or Certificates (details and IDs changed for privacy):

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "contoso.com",
    "TenantId": "4e590f17-467e-4085-adc1-1c4992f82f3a",
    "ClientId": "e67489f6-44d1-4658-86b6-20eb1c71b154",
    "CallbackPath": "/signin-oidc",
    "Scopes": "access_as_user",
    "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
    "ClientCertificates": []
  },

Would it be sufficient to just remove this file from version control? I would like to share the source code publicly.

How does the app registration work? Are the TenantId and ClientIds enough for letting an app use Microsoft Authentication?


Solution

  • I've broken the three main questions you have down and provided some resources for further info.

    Q: Would it be sufficient to just remove this file from version control?

    A: You are correct in saying that removing the configuration will indeed prevent others from being able to access your AAD via the app registration.

    There is some useful documentation over on the Microsoft ASP.Net Core site that may be of some help with regards to authentication using AAD if you're looking for further information, the link is: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory?view=aspnetcore-7.0


    Q: How does the app registration work?

    A: The Server project connects with AAD utilising the Tenant and Client IDs as well as a client secret or certificate to authenticate. The app registration works by providing a client secret and id to utilise within your project to manage permissions and access to your Azure resources through RBAC.

    To quote the Microsoft documentation regarding App Registrations, "Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, and not the other way around." Source: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app


    Q: Are the TenantId and ClientIds enough for letting an app use Microsoft Authentication?

    A: You will also need to include the client secret or certificate in your config to ensure that your project successfully authenticates with AAD.

    You will need to add a client secret to your App Registration as it is not created by default upon making an app registration. Here is the Microsoft documentation on creating a new client secret: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret


    Hope these are of some help and good luck with your project!
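Added example (not code from the question, the answer, or the .NET template): a Program.cs excerpt for the Server project that keeps the committed appsettings.json exactly as shown in the question, takes the real ClientSecret from user secrets or an environment variable, and refuses to start while the template placeholder is still the effective value. It assumes a .NET 6 Web SDK project with ImplicitUsings enabled and the Microsoft.Identity.Web package, and that the Server actually needs the secret (the answer's position); the class name SecretConfigCheck is hypothetical.

```csharp
// Program.cs (Server project). Supply the secret outside the repository:
//   dotnet user-secrets init
//   dotnet user-secrets set "AzureAd:ClientSecret" "<secret from the portal>"
// or in production via the environment variable AzureAd__ClientSecret
// (double underscore maps to the "AzureAd:ClientSecret" configuration key).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// CreateBuilder layers configuration as appsettings.json -> appsettings.{Env}.json
// -> user secrets (Development only) -> environment variables -> command line,
// so a value set in user secrets or the environment overrides the placeholder
// committed in appsettings.json without editing that file.
IConfigurationSection azureAd = builder.Configuration.GetSection("AzureAd");

// Fail fast at startup rather than at the first token acquisition.
string? problem = SecretConfigCheck.Validate(azureAd);
if (problem is not null)
    throw new InvalidOperationException(problem);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(azureAd);

var app = builder.Build();
app.Run();

// Hypothetical helper (not part of the template).
static class SecretConfigCheck
{
    // The literal the default template writes into appsettings.json; a reminder, not a secret.
    const string TemplatePlaceholder =
        "Client secret from app-registration. Check user secrets/azure portal.";

    // Returns null when the section carries a usable credential, otherwise a message.
    public static string? Validate(IConfigurationSection azureAd)
    {
        bool hasCertificate = azureAd.GetSection("ClientCertificates").GetChildren().Any();
        if (hasCertificate) return null;

        string? secret = azureAd["ClientSecret"];
        if (string.IsNullOrWhiteSpace(secret))
            return "AzureAd:ClientSecret is empty and no ClientCertificates are configured.";
        if (secret == TemplatePlaceholder)
            return "AzureAd:ClientSecret still holds the template placeholder; set it with " +
                   "'dotnet user-secrets' or the AzureAd__ClientSecret environment variable.";
        return null;
    }
}
```

With this guard in place, the appsettings.json in the question can stay in source control because it never contains a credential, and a misconfigured deployment is caught before it serves a single request.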