Remove the client secret from AAD V2 authenticator #9340

Merged
merged 3 commits into from
Jan 9, 2023

joelverhagen
Member

We were only ever using the id_token which contains enough detail for NuGet.org sign in. The code response is not used. Progress on https://github.com/NuGet/Engineering/issues/4099

The benefit here is that we have fewer secrets to rotate 😄.

I've confirmed the general approach with the team that owns the AAD SDK.

@joelverhagen joelverhagen requested a review from a team as a code owner January 5, 2023 00:59

@jmprieur jmprieur left a comment

LGTM!

@joelverhagen joelverhagen merged commit d18bf1c into dev Jan 9, 2023
@joelverhagen joelverhagen deleted the jver-no-secrets branch January 9, 2023 14:25