Is it secure to integrate with SharePoint online API through a console application that uses PnP Core SDK which is hosted on local VM

[mvcsharepointdev]

I have the below console application which is hosted on a local windows VM, which integrates with SharePoint Online. the console application authenticates with SharePoint Online using ClientId, TenantID & Certificate, as follow:-

using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using PnP.Core.Auth;
using PnP.Core.Model.SharePoint;
using PnP.Core.Model.Teams;
using PnP.Core.QueryModel;
using PnP.Core.Services;
using PnP.Core.Services.Builder.Configuration;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Globalization;
using System.Runtime.CompilerServices;
using System.Security.Cryptography.X509Certificates;
using static Microsoft.ApplicationInsights.MetricDimensionNames.TelemetryContext;
using static System.Net.Mime.MediaTypeNames;

namespace ConsoleApp4
{
    internal class Program
    {
        static async Task Main(string[] args)
        {
            var tenantId = "b***c";
            var clientId = "7*****9";
            var certificatePath = @"c:\CERT\SPDashBoardIntegration.pfx";
            var certificatePassword = "***";
            // Initialize a new service collection
            var serviceCollection = new ServiceCollection();

            // Load the certificate
            var certificate = new X509Certificate2(certificatePath, certificatePassword, X509KeyStorageFlags.Exportable);

            // Configure logging
            serviceCollection.AddLogging(builder =>
            {
                builder.AddConsole();
            });

            // Add and configure PnP Core SDK
            serviceCollection.AddPnPCore(options =>
            {
                options.PnPContext.GraphFirst = true; // Set true if you prefer to use Graph over CSOM when possible
                                                      // options.HttpRequests.UserAgent = "ISV|Contoso|ProductX";
                options.Sites.Add("SiteToWorkWith", new PnPCoreSiteOptions
                {
                    SiteUrl = "https://********.sharepoint.com/sites/********-******",
                    AuthenticationProvider = new X509CertificateAuthenticationProvider(clientId, tenantId, certificate)
                });
            });
            int i = 0;
            // Build the service provider
            var serviceProvider = serviceCollection.BuildServiceProvider();

            // Use the service provider to get the IPnPContextFactory instance
            var pnpContextFactory = serviceProvider.GetRequiredService<IPnPContextFactory>();

            // Now you can use the IPnPContextFactory to get a PnPContext and perform operations
            var context = await pnpContextFactory.CreateAsync("SiteToWorkWith");
            // Assume the fields where not yet loaded, so loading them with the list
            var workOrderList = context.Web.Lists.GetByTitle("Work Orders", p => p.Title,
                                                                 p => p.Fields.QueryProperties(p => p.InternalName,
                                                                                               p => p.FieldTypeKind,
                                                                                               p => p.TypeAsString,
                                                                                               p => p.Title));
// additional code goes here

Now my question is if this is a secure approach? I mean when the VM sends the ClientID, Client Secret & Certificate to SharePoint Online, will that info be secure over the network? i mean will the console application communicate with SharePoint in a secure way when it sends the credentials (ClientID, Client Secret & Certificate)? If not, then how we can secure this?

Thanks

[jansenbe]

@mvcsharepointdev : yes, the communication is secure. The client cert is used to authenticate to Azure AD and get an access token to be used with SharePoint. The calls to Azure AD and SharePoint are secured using https.

[jansenbe]

No, the cert is used to authenticate to Azure AD, regular https is used to encrypt traffic across the network. This is a model used by so many, I wouldn't be too worried about it. The key is to safeguard your certificate, as that allows the authentication

[mvcsharepointdev]

@jansenbe thanks again for the help. so when the console application sends the clientId, clientsecret & certificate, those will be secured using the https that is implemented inside SharePoint & Graph API ?

[mvcsharepointdev]

@jansenbe can you advice on my last comment please? thanks

[jansenbe]

yes, all communication towards Azure AD and SharePoint/Graph is encrypted due to the use of https