9Haz
OAuth2 – What is the advantage of using certificate over client secret credentials? (Azure)
When using OAuth2 in Azure, why Certificates are more secure than using Secrets?
The Secrets have expiration and are strong, and generated automatically.
The application needs to send a JWT containing a x5t header with the thumbprint of the Certificate.
The Certificate is stored in Azure.
After OAuth2 is concluded, Azure returns a Token to the application.
If an eavesdropper steals the JWT (with the fingerprint of Certificate) isn't the same stealing the Secret?
