Hi - I am clearly missing something in the authorisation grant flow and would appreciate some insight.
1. Configured a tenant on WAAD.
2. Added as Web Application to that tenant.
3. Written a web application that successfully redirects a user to WAAD, returns an OAuth code and then POSTs to https://login.windows.net/common/oauth2/token and gets an access token, refresh token etc.
In short, all works well. However, ALL the examples I have seen of this (and in fact the MSDN documents) [1] state that the client_secret is a required field. However, I don't ever pass a client secret at any point but I do still get the access token, refresh token and so on back.
I am clearly missing something in my understanding and would very much appreciate someone clearing it up for me :-) It may be that configuration on WAAD has taken care of this somehow, but I'm not really sure.
Many thanks in advance,
/steven
[1] http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx