Merge pull request #51 from ryanspletzer/feature/entra-id-client-id-s…

…ecret-retrieval

Add client_id client_secret post

Gemfile.lock

@@ -1,27 +1,38 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    bigdecimal (3.1.9)
     colorator (1.1.0)
-    concurrent-ruby (1.2.2)
+    concurrent-ruby (1.3.4)
     em-websocket (0.5.3)
       eventmachine (>= 0.12.9)
       http_parser.rb (~> 0)
     eventmachine (1.2.7)
-    faraday (2.7.4)
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
-    ffi (1.15.5)
+    faraday (2.12.2)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
+    ffi (1.17.1-arm64-darwin)
+    ffi (1.17.1-x86_64-darwin)
+    ffi (1.17.1-x86_64-linux-gnu)
     forwardable-extended (2.6.0)
-    google-protobuf (3.22.3-arm64-darwin)
-    google-protobuf (3.22.3-x86_64-darwin)
-    google-protobuf (3.22.3-x86_64-linux)
+    google-protobuf (4.29.3-arm64-darwin)
+      bigdecimal
+      rake (>= 13)
+    google-protobuf (4.29.3-x86_64-darwin)
+      bigdecimal
+      rake (>= 13)
+    google-protobuf (4.29.3-x86_64-linux)
+      bigdecimal
+      rake (>= 13)
     http_parser.rb (0.8.0)
-    i18n (1.13.0)
+    i18n (1.14.6)
       concurrent-ruby (~> 1.0)
-    jekyll (4.3.2)
+    jekyll (4.3.4)
       addressable (~> 2.4)
       colorator (~> 1.0)
       em-websocket (~> 0.5)
@@ -43,45 +54,51 @@ GEM
       sass-embedded (~> 1.54)
     jekyll-watch (2.2.1)
       listen (~> 3.0)
-    kramdown (2.4.0)
-      rexml
+    json (2.9.1)
+    kramdown (2.5.1)
+      rexml (>= 3.3.9)
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
     liquid (4.0.4)
-    listen (3.8.0)
+    listen (3.9.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
+    logger (1.6.4)
     mercenary (0.4.0)
+    net-http (0.6.0)
+      uri
     octokit (4.25.1)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
     pathutil (0.16.2)
       forwardable-extended (~> 2.6)
-    public_suffix (5.0.1)
+    public_suffix (6.0.1)
+    rake (13.2.1)
     rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
       ffi (~> 1.0)
-    rexml (3.2.5)
-    rouge (4.1.0)
-    ruby2_keywords (0.0.5)
+    rexml (3.4.0)
+    rouge (4.5.1)
     safe_yaml (1.0.5)
-    sass-embedded (1.62.1-arm64-darwin)
-      google-protobuf (~> 3.21)
-    sass-embedded (1.62.1-x86_64-darwin)
-      google-protobuf (~> 3.21)
-    sass-embedded (1.62.1-x86_64-linux-gnu)
-      google-protobuf (~> 3.21)
+    sass-embedded (1.83.1-arm64-darwin)
+      google-protobuf (~> 4.29)
+    sass-embedded (1.83.1-x86_64-darwin)
+      google-protobuf (~> 4.29)
+    sass-embedded (1.83.1-x86_64-linux-gnu)
+      google-protobuf (~> 4.29)
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
-    unicode-display_width (2.4.2)
-    webrick (1.8.1)
+    unicode-display_width (2.6.0)
+    uri (1.0.2)
+    webrick (1.9.1)
 
 PLATFORMS
   arm64-darwin-22
   arm64-darwin-23
+  arm64-darwin-24
   x86_64-darwin-22
   x86_64-linux
 
@@ -95,4 +112,4 @@ DEPENDENCIES
   webrick
 
 BUNDLED WITH
-   2.3.26
+   2.6.2

_posts/2025-01-09-how-to-get-your-client-id-and-client-secret-from-entra-id.md

@@ -0,0 +1,71 @@
+---
+layout: post
+title: How to Get Your client_id and client_secret from Entra ID
+date: 2025-01-09 00:00:00
+description: >
+  Since I am not a scalable replacement for ChatGPT or Google, and because I felt this would be helpful beyond my own
+  company, I felt compelled to write this post due to the sheer volume of questions I get on an almost daily basis about
+  how to get a client_id and client_secret for an app registration from Entra ID (formerly known as Azure AD).
+
+tags:
+ - entra-id
+ - app-registration
+ - oauth
+---
+
+Since I am not a scalable replacement for ChatGPT or Google, and because I felt this would be helpful beyond my own
+company, I felt compelled to write this post due to the sheer volume of questions I get on an almost daily basis about
+how to get a client_id and client_secret for an app registration from Entra ID (formerly known as Azure AD).
+
+Microsoft has changed the UI over the years to include things like a "Secret ID" next to secret values, and also has
+other GUID identifiers in the mix in the form of tenant id's and object id's, which can be confusing for people when
+they go to the Azure Portal to retrieve these values for an app registration they are using for a specific use case.
+
+While there are guides out there on Microsoft Learn that describe how to do this, people often do not find those, so I
+find that it is helpful to describe how to do this in my own words.
+
+## Caveats
+
+These steps assume that there is an app registration waiting for you in the Azure Portal that you own.
+
+(Many/most enterprises are likely restrict who can create these, for good security reasons, so one would likely be
+created for you upon request to your admins.)
+
+## Steps
+
+Here are the steps, illustrated with my test tenant:
+
+1. Navigate to the Azure Portal at portal.azure.com and sign in with your company identity.
+2. Search for "App registrations" in the search box at the top and click on the icon with the grid and the
+   three-dimensional looking cube:
+  ![App registrations logo in the top search bar on the Azure Portal](/assets/images/app_registrations_search_bar.png)
+
+3. Go to the "Owned applications" tab:
+  ![The Owned Applications tab in the Azure Portal App registrations view](/assets/images/OwnedApplicationsAzurePortal.png)
+
+4. Filter / select your desired app registration.
+5. On the "Overview" tab, your client_id is in the "Application (client) ID" -- it is _NOT_ the "Object id" or the
+   "Directory (tenant) id". (I'm belaboring this point because this is where a lot of people get tripped up.)
+  ![Showing the client_id on an app registration](/assets/images/client_id.png)
+
+6. On the "Certificates & secrets" tab, you can generate a client_secret by clicking the "New client secret" button:
+  ![Showing the New client secret button on an app registration](/assets/images/new-client-secret.png)
+
+7. Once you've generated the new client_secret, the client_secret _value_ is in the "Value" column -- it is _NOT_ the
+   "Secret ID." Also the "Secret ID" is _NOT_ your client_id. The "Secret ID" is not used at all in authentication
+   flows. (I'm belaboring this point because this is where a lot of people get tripped up.) Also, _importantly_, this
+   client_secret is only shown _once_, so if you navigate away or close this page, you cannot get it back -- be sure to
+   capture it in a safe, company-approved place like a password manager for safe-keeping and later reference. (If you do
+   close or navigate away from this page, when you come back, only the first three letters of the client_secret will be
+   shown -- this is to allow you to correlate which client_secret value goes with which listed client_secret in the
+   portal.) Don't worry, I deleted this client_secret shortly after I generated it, but in general, you should not share
+   these client_secrets with anyone besides the developers that need to use it (and I encourage developers to use their
+   own client_secret for local development purposes versus sharing a client_secret):
+  ![Showing a generated client_secret on an app registration](/assets/images/client_secret.png)
+
+I may revisit this blog post to amend it to make it as clear as I can in the case that the instructions are not enough
+to get someone through this process, or in the event that Microsoft changes the UI for this.
+
+Once you have a client_id and client_secret, you can use those to get short-lived JWT access_tokens, for use in calling
+API's that utilize Entra ID authorization -- calling the Entra ID token endpoint to issue those tokens will be the
+subject of a future blog post, because many people struggle with this, too!