Public Client Flows: What You Need to Know

Public Client Flows. It’s an odd feature that exists in Microsoft Entra ID’s App registration portal. Its purpose is to ensure that certain applications are secure and immutable, obviously within reason.

Before we dive into what you need to know, let’s first take a step back and make sure you understand the big picture, and how this intersects with your world. And by your world, I mean the Identity and Access Management administrator inside of an organization - the person that looks after identity in Azure.

Yes, I’m talking about you. Now you might be saying to yourself, “Well AL, I do Identity, not application security. So, this is definitely not my responsibility.” Oh, contraire - this is now most definitely your responsibility, and let me explain why.

Before the Cloud

Back in the days of virtual machines, you had different teams that were responsible for different aspects of IT:

• Infrastructure - This team ensured that you had the necessary compute (Tin) for applications.
• Operating System - This team deployed and managed the OS.
• Applications - The application support team would usually deploy and maintain the applications.
• Database - Same as above, but for databases.
• Security - Firewall and VPN, perimeter-based security to prevent infiltration into the datacenter.

And all was right with the world. Roles and responsibilities were clearly delineated, and each team had distinct functions. Application developers would build applications to run on a web server and would either use LDAP or some custom RBAC (Role Based Access Control) solution to handle authentication and authorization around applications, running on web servers, inside of virtual machines, on infrastructure, behind a firewall. The world was happy, IT people were happy, everyone was happy.

Until the cloud. Until Microservices. Until Containers. Until Application Services.
Suddenly, applications had to be deployed differently, with different permission models and authentication types. It was no longer the responsibility of the dev team to ensure that all of this functioned properly. Application authentication and deployment became sort of a “no-man’s land,” not falling under the purview of any one team to specifically manage. Terms like DevSecOps popped up; SRE (Site Reliability Engineering) became all the rage; while the traditional IT teams scuttled around, trying to figure out who was responsible for the identity management and security for applications now running as microservices, inside of containers, connected to app service plans, with headless everything.

Which brings us to where we currently are today. It is now the responsibility of Identity management admins to concern themselves with applications registered and deployed into their cloud environment, which in this case is the Azure Cloud.

At this point you might be asking yourself, “But AL, surely this is the security and developers’ problem?”

Sorry my Identity friends, but you are going to have to take a hard look at application governance in your environment because applications sit inside of…you guessed it, Microsoft Entra.

Figure 1: Microsoft Entra ID Portal

And with no further ado, let’s start from the top.

What is a Public Client Flow?

In simple terms, a Public Client Flow is a feature used in conjunction with a public client application. Public applications are essentially applications that run on devices or desktop machines, or even a single page web application. When you create an application registration, manually or automatically, you have various options, based on the type of application you are deploying:

Figure 2. Entra ID Application Registration Portal

Once that is completed, you can then manage the authentication of the application that you want to deploy:

Figure 3. Application Registration Authentication options

Because public applications are perceived as being less secure (you can’t store a client secret) you will need to secure the application in different ways. Did you notice the various options listed in the screenshot above? Those are some of the most common methods used to secure a public application, and it’s done by enabling a public client flow. This is starting to make sense now, right? And because of this, public client flows rely on these mechanisms to ensure that the identity and trustworthiness of the client accessing the application is authenticated correctly.

The most common options are:

• PKCE (Proof Key of Code Exchange) is a security mechanism that protects OAuth 2.0 authorization codes from being intercepted or stolen by malicious actors. PKCE enhances the security of the authorization code flow by requiring the client to generate a random value, called a code verifier, and hash it to produce a code challenge, which is sent along with the authorization request.
• Redirect URI (funny how that is optional when creating an app registration) is a web address that the user's browser is sent to after they have authenticated with an identity provider. The redirect URI typically contains an authorization code or an access token that the client application can use to obtain the user's identity and access their resources. The redirect URI must be registered with the identity provider and must match exactly the one that the client application sends in the authentication request.
• Device Code (Think mobile app) is a term that refers to a unique identifier that is assigned to a specific device by the manufacturer or the operating system. Device codes can be used for various purposes, such as authentication, encryption, device management, or troubleshooting. Device codes are usually stored in the device's memory or firmware and can be accessed by authorized applications or users.

And that pretty much covers what a Public Client Application is and what you should do to ensure that it is secure, which in this case you would want to invoke the public client flow and secure the application in one of the authentication scenarios listed above.

However, there is another type of client application known as a Confidential Client Application. These applications typically run as Web Apps, or even service/daemon applications. They could also be seen as a Web API. And because of this, they are considered more secure because they are difficult to access from a user perspective and capable of keeping an application secret. Additionally, Confidential clients can hold configuration time secrets so client instantiations will have a unique configuration, making it more secure. Ergo - the secret is never directly exposed to the client.

Are you an Identity administrator responsible for Entra ID? Don't miss ENow's webinar on 1/31/24 @ 10 am PST - Microsoft MVPs Nicolas Blank & Alistair Pugin show how to "Identify & Fix Application Security Vulnerabilities in Microsoft Entra ID" - REGISTER HERE!

Why should you care about Public Applications and public client flows?

Much like the infrastructure world has moved on to being serverless with microservices and containers, so have the attack vectors of nefarious characters. It’s no longer just about phishing attacks where the threat actor would spoof a login page. They’ve gotten smarter. And since platforms like Microsoft Entra ID use OAuth as one of their authentication standards, hackers are targeting much more sophisticated solutions by exploiting their vulnerabilities. Take for example how hackers were able to infiltrate the Linus Tech Tips channel. This was a token exploit, and they did not need to grab the login details of the account.

Without going into too much detail (That’s for another blog, another day) attackers can exploit device codes. Once the attacker has a device code, it can use this code to access the application and access resources that the application itself has access to. Here’s a perfect example of how an attacker can get into your Office 365 environment by exploiting OAuth authorization flows.

What you should be doing to ensure better security?

Threat actors use a variety of other methods, so what actions should you undertake for your organization to ensure that your Public Applications using public client flows have their risks correctly mitigated?

Again, I’m sure you are probably asking yourself, “But AL, why is it my responsibility to tell the developers how to correct build and auth their application?” And while it may not be your personal responsibility, you should have the proper knowledge around these types of things as an Identity admin charged with managing the identity and access management platform that is Microsoft Entra ID. You’ll want to make sure you read Microsoft’s best practices for application properties in order to ensure you understand and implement the following:

• Redirect URI
• Access tokens (used for implicit flows)
• Certificates and secrets (within reason, since we are talking about Public Applications)
• Application ID URI
• Application ownership

Microsoft has also provided an Integration assistant as part of the App registration portal where you can find recommendations based on your application type, which I find to be extremely useful:

Figure 4. Application Registration Integration assistant

The recommendations change based on the type of application and integration you select. Let’s recap:

1. You now know that Public Applications are considered as less secure, compared to Confidential Applications.
2. You have a remediation path to securing applications that use public client flows.
3. You have access to Microsoft’s best practices around securing applications deployed to and used in your cloud environment.

The final part of this journey involves finding those pesky applications so you can remediate them through various security principles.

Checking applications in your Tenant/Subscription

Microsoft has provided various mechanisms for checking applications running in Entra. Here are a few ways to query them:

Microsoft Graph
With Microsoft recommending that admins start using Microsoft Graph instead of PowerShell for more advanced queries, so I’m going to lead with that option. Microsoft Graph provides advanced query capabilities so that you can extract the following information pertaining to Application properties using the following filters:

• publicClient/redirectUris/any
• spa/redirectUris/any(p:p)
• web/redirectUris/any(p:p)

Microsoft Security Products
Another option would be to consult with your security team and have them take a look at application vulnerabilities and deploy playbooks to query your application stack. This can be done through the following:

• Microsoft Sentinel
• Microsoft Defender for Cloud
• Microsoft Defender XDR
• Microsoft Defender for Cloud Apps

Microsoft Entra ID
You can also check the authentication protocols at User sign-ins:

Figure 5. Entra ID Sign-in logs

Alternatively, you can troll through each application and check how it is configured and then run the Integration assistance as shown above for recommendations.

ENow AppGov Score
In 2023, ENow introduced a free utility, ENow AppGov Score, to identify exactly how many apps in your tenant have Public Client Flows so you can see the scope of your problem. With this knowledge, you can use the above steps to quickly remove or remediate apps that are not securely configured. Alongside your AppGov Score, which is based on Microsoft's recommended security practices and input from MVPs, you'll also receive a comprehensive Application Governance report, including over 24 checks (like Public Client Flows) that analyze your organization's Entra ID enterprise applications, app registrations, and tenant settings.

Closing thoughts

Applications running in your environment act, react, and function differently than those traditional applications using only LDAP to authenticate and authorize users into them. Identity and Access Administrators will be saddled with ensuring that the applications registered in their tenant are managed, maintained, and secured accordingly. Therefore, it’s important to understand the fundamentals of public client flows and how they intersect with your world, even if it’s not your direct responsibility.

Do you know what apps are lurking in your tenant? The ENow AppGov Score is a free security assessment tool that will quantify your application governance state quickly.  In addition to providing your AppGov Score, the tool will provide a comprehensive Application Governance Assessment report that includes each test, your result and why the test matters. Sign up to get your score and assessment report in just a few minutes - Get Your AppGov Score today!