Last post Oct 07, 2020 04:37 PM by jal2
Oct 07, 2020 02:08 AM | jal2
I'm confused about authentication flows.
I added Swashbuckle/Swagger to my Web Api, not realizing that my client secret would be exposed. The Swagger developers seem to regard it as unavoidable, per this link
Why unavoidable? Doesn't MSAL provide authentication without exposing a client secret? If so, why can't Swagger do it? Or why can't Swagger use MSAL?
My api is at, say,
and my swagger at:
How is this usually solved? Is there a tutorial on how to make a separate Swagger UI-app, say at
which could forward any request to the backend Api, using httpClient?
Oct 07, 2020 11:46 AM | mgebhard
Oct 07, 2020 04:37 PM | jal2
Thanks, but I'm a bit slow. MSAL.js uses the clientID to identify the app, no need for client secret. Why can't Swagger do the same? What is different about the Swagger scenario that I'm missing here?
Here's my understanding of MSAL.js. It redirects to the Active Directory URL-plus-clientID, where Active D shows a login page. The user signs in and gets a token if he is in the same tenant as that clientID (otherwise denied). Active D redirects the user back to my home page URL-plus-token. MSAL.js extracts the token from the URL.
I just don't understand why Swagger can't do the same thing.
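For the scenario in this thread, an added example (not code from the thread, from Swashbuckle or from Microsoft) of configuring Swashbuckle so that Swagger UI uses the OAuth2 authorization code flow with PKCE against Azure AD, the same public-client pattern MSAL.js relies on, so no client secret is ever sent to the browser. It assumes Swashbuckle.AspNetCore 5.x or later on .NET 6 minimal hosting, an Azure AD app registration of the public-client (SPA) type, and placeholder tenant, client and scope values.

```csharp
// Added example, not from the thread. Assumes Swashbuckle.AspNetCore 5.x+ on .NET 6.
// Placeholders: replace the three values below with your own registration's values.
// The app registration must list <api-base-url>/swagger/oauth2-redirect.html as a
// SPA redirect URI, which is where Swagger UI receives the authorization code.
using Microsoft.OpenApi.Models;

const string tenantId = "TENANT-ID-PLACEHOLDER";
const string clientId = "CLIENT-ID-PLACEHOLDER";
const string apiScope = "api://CLIENT-ID-PLACEHOLDER/access_as_user"; // placeholder scope

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSwaggerGen(options =>
{
    // Authorization code flow: the browser is redirected to Azure AD, the user signs in,
    // and Azure AD redirects back to Swagger UI with a short-lived code. Swagger UI then
    // exchanges the code for a token; with PKCE that exchange needs no client secret.
    options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize"),
                TokenUrl = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"),
                Scopes = new Dictionary<string, string> { [apiScope] = "Call the protected API" }
            }
        }
    });
    // Require the scheme on every operation so the "Authorize" button applies to all calls.
    options.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        [new OpenApiSecurityScheme
        {
            Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
        }] = new[] { apiScope }
    });
});

var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI(ui =>
{
    ui.OAuthClientId(clientId);   // public identifier only, exactly what MSAL.js sends
    ui.OAuthUsePkce();            // PKCE is what makes the missing secret safe
    ui.OAuthScopes(apiScope);
    // ui.OAuthClientSecret("...");  <- the call that embeds a secret in every browser; leave it out
});
app.MapControllers();
app.Run();
```

With this configuration the token never touches the API's own code path: Swagger UI holds it in the browser and attaches it as a bearer header, so a separate proxy app forwarding requests with HttpClient is not needed.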