Merge pull request #249210 from cilwerner/cilwerner-patch-1-1

ttorble · web-flow · commit 3abe10f59cdb · 2023-08-28T10:27:52.000+01:00
Removing secret reference lines in code snippets
diff --git a/articles/active-directory/external-identities/customers/how-to-web-app-node-use-certificate.md b/articles/active-directory/external-identities/customers/how-to-web-app-node-use-certificate.md
@@ -19,9 +19,9 @@ ms.custom: developer, devx-track-js
 
 Azure Active Directory (Azure AD) for customers supports two types of authentication for [confidential client applications](../../../active-directory/develop/msal-client-applications.md); password-based authentication (such as client secret) and certificate-based authentication. For a higher level of security, we recommend using a certificate (instead of a client secret) as a credential in your confidential client applications.
 
-In production, you should purchase a certificate signed by a well-known certificate authority, and use [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) to manage certificate access and lifetime for you. However, for testing purposes, you can create a self-signed certificate and configure your apps to authenticate with it.
+In production, you should purchase a certificate signed by a well-known certificate authority, and use [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) to manage certificate access and lifetime for you. However, for testing purposes, you can create a self-signed certificate and configure your apps to authenticate with it. 
 
-In this article, you learn to generate a self-signed certificate by using [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) on the Azure portal, OpenSSL or Windows PowerShell.  
+In this article, you learn to generate a self-signed certificate by using [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) on the Azure portal, OpenSSL or Windows PowerShell. If you have a client secret already, you'll learn how to safely delete it.
 
 When needed, you can also create a self-signed certificate programmatically by using [.NET](/azure/key-vault/certificates/quick-create-net), [Node.js](/azure/key-vault/certificates/quick-create-node), [Go](/azure/key-vault/certificates/quick-create-go), [Python](/azure/key-vault/certificates/quick-create-python) or [Java](/azure/key-vault/certificates/quick-create-java) client libraries.
 
@@ -88,11 +88,13 @@ After the command finishes execution, you should have a *.crt* and a *.key* file
 
 [!INCLUDE [active-directory-customers-app-integration-add-user-flow](./includes/register-app/add-client-app-certificate.md)]
 
+[!INCLUDE [remove-client-secret](./includes/remove-client-secret.md)]
+
 ## Configure your Node.js app to use certificate
 
 Once you associate your app registration with the certificate, you need to update your app code to start using the certificate:
 
-1. Locate the file that contains your MSAL configuration object, such as `msalConfig`  in *authConfig.js*, then update it to look similar to the following code:
+1. Locate the file that contains your MSAL configuration object, such as `msalConfig`  in *authConfig.js*, then update it to look similar to the following code. If you have a client secret present, make sure you remove it:
 
     ```javascript
     require('dotenv').config();
@@ -124,7 +126,6 @@ Once you associate your app registration with the certificate, you need to updat
             auth: {
                 clientId: process.env.CLIENT_ID || 'Enter_the_Application_Id_Here', // 'Application (client) ID' of app registration in Azure portal - this value is a GUID
                 authority: process.env.AUTHORITY || `https://${TENANT_SUBDOMAIN}.ciamlogin.com/`, 
-                //clientSecret: process.env.CLIENT_SECRET || 'Enter_the_Client_Secret_Here', // Client secret generated from the app registration in Azure portal
                 clientCertificate: {
                     thumbprint: "YOUR_CERT_THUMBPRINT", // replace with thumbprint obtained during step 2 above
                     privateKey: privateKey
@@ -174,14 +175,13 @@ Once you associate your app registration with the certificate, you need to updat
 
 You can use your existing certificate directly from Azure Key Vault:
 
-1. Locate the file that contains your MSAL configuration object, such as `msalConfig`  in *authConfig.js*, then comment the `clientSecret` property:
+1. Locate the file that contains your MSAL configuration object, such as `msalConfig`  in *authConfig.js*, then remove the `clientSecret` property:
     
     ```java
     const msalConfig = {
         auth: {
             clientId: process.env.CLIENT_ID || 'Enter_the_Application_Id_Here', // 'Application (client) ID' of app registration in Azure portal - this value is a GUID
             authority: process.env.AUTHORITY || `https://${TENANT_SUBDOMAIN}.ciamlogin.com/`, 
-            //clientSecret: process.env.CLIENT_SECRET || 'Enter_the_Client_Secret_Here', // Client secret generated from the app registration in Azure portal
         },
         //...
     };
diff --git a/articles/active-directory/external-identities/customers/includes/remove-client-secret.md b/articles/active-directory/external-identities/customers/includes/remove-client-secret.md
@@ -0,0 +1,13 @@
+---
+author: cilwerner
+ms.service: active-directory
+ms.subservice: ciam
+ms.topic: include
+ms.date: 08/28/2023
+ms.author: cwerner
+---
+
+If you've a client secret already in place for your application, you need to delete it to avoid a malicious application for impersonating your application:
+
+1. Go to the **Client secrets** tab, and select the **Delete** icon.
+2. In the pop-up window that appears, select **Yes**.
