Differentiate the scripts that obtain an access token using the Client Credentials Grant type
In Microsoft EntraID I have a Application registration that has two client secrets.
I want to obtain a access token from this App Registration using the client credentials grant type using two separate python scripts (script1 and script2)
The problem is that there is no way to differentiate if the JWT token was obtained from script1 or script2. For each script I used a different client secret.
To get the the JWT access token I used this curl and I specified that I want to use client credentials grant type and I tried using it with different client_secrets. But the JWT was the same and there is no way to differentiate them.
curl --location 'https://login.microsoftonline.com/5fdbbf9b-ae6b-4986-8349-46baf9cffc1a/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: fpc=AsBGgX8tBlFBpcISkM-uVZHIlH0WAQAAANI0F94OAAAA' \
--data-urlencode 'client_id=4c670161-3e27-441f-b694-6538e755d94e' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_secret=xxxxxxxxxxxxxxxxxxxx' \
--data-urlencode 'scope=api://4c670161-3e27-441f-b694-6538e755d94e/.default'
Question 1: Is there a way to differentiate clients that use client credentials grant type when they use different secrets?
Question 2: Am I wrongly using this grant type? This is the grant type recommended for a machine to machine situation.
I agree with @wenbo, you cannot differentiate between clients that use client credentials grant type based on secrets.
- Client credentials grant type itself does not differentiate tokens based on client secrets.
- The client credentials grant type is used to acquire an access token that represents the application itself, rather than a specific user or client.
- The access token obtained using the client credentials grant type is identical that uses the same application ID and secret.
Generated access token:
curl --location 'https://login.microsoftonline.com/TenantID/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: fpc=xxx' \
--data-urlencode 'client_id=ClientID' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_secret=xxxxxxxxxxxxxxxxxxxx' \
--data-urlencode 'scope=api://xxx/.default'
Hence you can differentiate the access token only based on iss, appid, roles, aud, tid claims.
- You can make use of client credentials grant type for scenarios involving machine-to-machine authentication, where the application accesses its own resources.
- Why do I get a "resource not found" error when switching resource groups for Azure OpenAI?
- Error: The resource you are looking for has been removed, had its name changed, or is temporarily unavailable
- ADO: Use an agent pool across multiple projects
- Azure Static WebApp - Is it possible to change the repository after creating the web app?
- Is it possible to use email name other than "DoNotReply" in Azure Email Communication Services?
- Azure: Join Windows VM to domain without use of user account
- Azure Search Index: Tokenize words in reverse order
- How to create Azure ML Registry using Terraform?
- How to allow IP Based access to StorageAccount in Azure VNet?
- AMBIGUOUS_REFERENCE error when trying to aggregate a dataframe in azure
- Update the ImageReference property of multiple Azure Virtual Desktop (AVD) VM Hosts
- Graph API: How do I get sensitivityLabel list using graph api
- The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used
- Extracting data from blob storage to Databricks[automation]
- Azure EventHub: checkpoint best practices in C# EventProcessorClient
- Renew JSON authentication key of Service Principal
- Using Azure, I have no authorization to enter Microsoft Entra ID (AAD) when using Student Account
- how to use RBAC on azure?
- Can't login to azure portal
- In Azure AD, how to exclude a subset of users from requiring authentication info when first signing in
- Scripts for Dead Letter Queue Notification
- Why do I see 403 forbidden in Azure application gateway?
- Azure App registration does not appear in Enterprise applications
- Rename SharePoint site with Graph API or REST
- AuthorizationFailed - Creating Role Assignments in Azure
- Can't upload file to azure front door origin group based on latency?
- How do I serve a React.js Vite app hosted on an Azure container instance over a custom route, where routing is managed by Caddy?
- pGet pfx from crt and txt containing private key
- Is there a way to get the live logs of a running pipeline using Azure REST API?
- AADSTS7000222: The provided client secret keys are expired