More than one ClientSecret or even ClientID per website - best practice?


If a website uses OAuth2 to authenticate on several pages (Contact page, PayPal IPN call-back, purchase notification to buyer and so on), is it regarded as best practice to use different ClientSecrets on each such page or even (if more granular permissions were needed) different app (Client) IDs as well?

1 Reply
Not sure if that's an actual "best practice"; however, please consider that it might also make it more difficult to track any audit logs for such apps. Generally, I've just used a single Azure AD app to do it all. You might consider using different apps in cases where different teams are doing some kind of work and the permissions they need are different as well.