How to use Azure AD auth with certificates instead of client secrets?

[sander1095]

nextauth.js documentation about Azure AD mentions using ClientSecrets for authentication. However, Microsoft recommends using a certificate instead. I want to start a discussion about getting this implemented in nextauth.js.

Why it's important

Microsoft's official documentation

Microsoft's recommendation for certificate authentication is mentioned directly on the "Certificates & Secrets" page in an application's page in Azure AD:

Credentials enable confidential applications to identify themselves to the authentication service when receiving tokens at a web addressable location (using an HTTPS scheme). For a higher level of assurance, we recommend using a certificate (instead of a client secret) as a credential.

Also, if you go to the Integration Assistant, it will show the following where it also recommends you to use certificates:

This "action" links to the following documentation page in case this is helpful.

Community Posts

The community also provides information about why certificates are more secure than client secrets:

• https://security.stackexchange.com/a/262633/215629
• https://duckduckgo.com/?t=ffab&q=azure+ad+client+secret+vs+certificate&ia=web

Implementing it

I looked through nextauth.js' codebase, but all I can find is support for client secrets.

Azure Key Vault integration

I know this is probably not going to happen, but Microsoft provides a very nice DX for implementing certificate auth with the Azure Key Vault. Perhaps this can be done in a separate package?

Other ways of implementing it

I'm sadly not familair with nextauth.js, so I can't say anything about a good way to implement this. However, I do hope my post makes clear the importance of implementing this, especially for companies that care about good security.

Documenting it

After implementing this, it'd be good to document this feature. I would suggest that nextauth.js would also recommend users to choose certificate authentication instead of client secrets.

[digroovio-lumen]

I would also like to do certificate authentication with the Microsoft Entra provider. Is this something that is slated for a future release?