Azure: API Management OAuth authorization servers
An API Management OAuth authorization server is the control-plane configuration describing an OAuth 2.0 provider used to authorize APIs and the developer portal (token/authorization endpoints, grant types, scopes, client ID, and a stored client secret).
This configuration governs API authentication for a single function. Its stored client secret is a credential, but it is returned only by the dedicated listSecrets action, not by the standard read operation.
Microsoft.ApiManagement/service/authorizationServers/listSecrets/action
Returns the authorization server's secrets (the client secret and the resource-owner credentials). This exports reusable credential material that an attacker can redeem to mint OAuth tokens and pivot into the OAuth-protected backends and identities.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
Contributed by P0 Security