Another important step for registration is adding client_secret, which is necessary to establish trust between Azure AD and TodoListWebApp. This client_secret is generated only once and configured in the web application. To generate this key, navigate to App Registrations | TodoListWebApp | Keys. Then, add the description as AppKey and click on Save. Once the key is saved, the value of the key is autogenerated by Azure and will be displayed next to the description. This key is displayed only once, so you have to immediately copy it and save it for later use. We will be keeping this key in the web.config file of TodoListWebApp in this case.
The key stored will be displayed on the Azure portal as follows:
For production-grade applications, it is a bad idea to keep client_Secret and all such critical key values in web.config. It is good practice to keep them encrypted and isolated from applications. For such purposes, in production-grade applications, you can use Azure key-vault (https://azure.microsoft.com/en-us/services/key-vault/) to keep all your keys protected. Another advantage of a key vault is that you can manage the keys according to the environment, such as dev-test-staging and production.