Azure AD Authentication ClientSecret

Hi all,
I’m after a bit of an explanation on how the Azure AD authentication method works (using OpenID Connect). Everything works as I would expect it to, but I’ve noticed that although it’s a required parameter, it doesn’t matter what the -ClientSecret value is, it still works…

I’m using v2.9 still if that makes a difference.

Thanks,
Tom.

Interesting. According to the OAuth spec, client secrets are optional: The Client ID and Secret - OAuth 2.0 Simplified

I find it a bit strange that Azure allows you to specify anything for it and it still works. I’m poking around trying to find any info about why that’s the case.

How strange. How is it using the service principal in authentication if there isn’t a secret provided (or if the secret is actually incorrect)? I’m guessing there’s a link between the user and service principal when the user is invited to use the application.

It must have to do with the tenant association or something. I do find that super weird though. Seems unsecure…