
I have an azure AD tenant and several App registrations. Using postman I use one app registrations client id and secret to access other applications like so:

POST /__TENANTID__/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Postman-Token: __POSTMAN__GENERATES__THIS__

grant_type=client_credentials&client_id=__POSTMAN_APPID__&resource=__REQUESTING_APPID__&client_secret=__SECRET__

I am granted a token whether or not __POSTMAN_APPID__ includes __REQUESTING_APPID__. How do I limit which apps a service can generate a token for with a client id and client secret?

All my apps have Implicit flow set to true, if that has anything to do with it. I'm totally confused on exactly what that does, but this answer doesn't indicate it's related to my problem.

Justin Dearing

1 Answer


One option you can do is add Application Permissions to your API.

I made an article on adding roles and scopes: https://joonasw.net/view/defining-permissions-and-roles-in-aad.

Then you can assign the application permissions to apps which you want to allow access. It will require an admin to grant them.

Now other apps might still be able to get an access token, but it won't contain the necessary roles, and would then fail authorization.

juunas