
winforms - Error when trying to authenticate against Azure AD - Stack Overflow


I am using an MSAL WinForms example

    using System;
    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.Identity.Client;
    using Microsoft.Identity.Client.Extensions.Msal;

    // Sign-in handler of the form. The method name is assumed; _clientId, _tenantId,
    // _clientApp, scopes, graphAPIEndpoint and the controls are fields of the form.
    private async Task SignInAsync()
    {
        WindowsBrokerOptions brokerOptions = new WindowsBrokerOptions(); // (WindowsBrokerOptions.OperatingSystems.Windows);

        // Authority host; the tenant id is appended below
        string Instance = "https://login.microsoftonline.com/";

        _clientApp = PublicClientApplicationBuilder.Create(_clientId)
            .WithAuthority($"{Instance}{_tenantId}")
            .WithDefaultRedirectUri()
            .WithWindowsBrokerOptions(brokerOptions)
            .Build();

        // Await the helper instead of blocking the UI thread with GetAwaiter().GetResult()
        MsalCacheHelper cacheHelper = await CreateCacheHelperAsync();

        // Let the cache helper handle MSAL's cache, otherwise the user will be prompted to sign-in every time.
        cacheHelper.RegisterCache(_clientApp.UserTokenCache);

        AuthenticationResult authResult = null;
        //var app = App.PublicClientApp;
        GraphResultsTextBox.Text = string.Empty;
        AccessTokenSourceLabel.Text = string.Empty;

        // if the user signed in before, remember the account info from the cache
        IAccount firstAccount = (await _clientApp.GetAccountsAsync()).FirstOrDefault();

        // otherwise, try with the Windows account
        if (firstAccount == null)
        {
            firstAccount = PublicClientApplication.OperatingSystemAccount;
        }

        try
        {
            authResult = await _clientApp.AcquireTokenSilent(scopes, firstAccount)
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // A MsalUiRequiredException happened on AcquireTokenSilent.
            // This indicates you need to call AcquireTokenInteractive to acquire a token
            System.Diagnostics.Debug.WriteLine($"MsalUiRequiredException: {ex.Message}");

            try
            {
                authResult = await _clientApp.AcquireTokenInteractive(scopes)
                    .WithAccount(firstAccount)
                    //.WithParentActivityOrWindow( // optional, used to center the browser on the window
                    .WithPrompt(Prompt.SelectAccount)
                    .ExecuteAsync();
            }
            catch (MsalException msalex)
            {
                GraphResultsTextBox.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";
            }
        }
        catch (Exception ex)
        {
            GraphResultsTextBox.Text = $"Error Acquiring Token Silently:{System.Environment.NewLine}{ex}";
            return;
        }

        if (authResult != null)
        {
            GraphResultsTextBox.Text = await GetHttpContentWithToken(graphAPIEndpoint, authResult.AccessToken);
            GraphResultsTextBox.Visible = true;
            DisplayBasicTokenInfo(authResult);
            this.SignOutButton.Visible = true;
        }

        SignInCallToActionLabel.Hide();
        GraphResultsPanel.Show();
    }

When I run it a browser opens and I select the correct account.

I then get the following in the browser

Authentication complete. You can return to the application. Feel free to close this browser tab.

However, authResult is null and I get the following:

Error Acquiring Token: MSAL.NetCore.4.70.0.0.MsalServiceException: ErrorCode: invalid_client Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

I tried enabling public flow as per numerous Google results - but that did not work.

Interestingly it works on my Azure AD but when I try on a production AD for another tenant it does not - yes the IDs are all correct :)

Any ideas?

Here are my redirect config plus a http://localhost

asked Mar 19 at 13:27 by spj_uk, edited Mar 20 at 8:51
  • How did you configure the redirect URL? – Rukmini Commented Mar 20 at 3:52
  • You have set Allow public client flows to "Yes" and even the redirect URL looks fine. Are there any policies in the other tenant? – Rukmini Commented Mar 20 at 9:06
  • And are you trying to login with MFA enabled user? – Rukmini Commented Mar 20 at 9:07
  • Double-check that the clientId and tenantId you're using in the application match the ones in your Azure AD tenant. – Rukmini Commented Mar 20 at 9:32
  • Yes using MFA - IDs are correct also. It does auth according to browser but does not return token. It looks like the same issue as stackoverflow/questions/78729608/… – spj_uk Commented Mar 20 at 10:01

1 Answer

The error "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'" usually occurs if the Microsoft Entra ID application is not enabled as Public.

Make sure to set Allow public client flows to "Yes":

And also make sure to configure the redirect URL under Mobile and desktop applications platform:

Also make sure that you have no other platforms configured with a redirect URL like below:

Delete Web redirect URLs:

If it's configured, then delete other platforms and keep only Mobile and desktop applications platform to resolve the issue.
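The three checks in this answer (public client flows enabled, a redirect URI under the Mobile and desktop applications platform, and no Web platform redirect URIs) can be audited offline against an exported app registration. The script below is an added example, not code from the question or the answer; it assumes the Microsoft Graph application shape (`isFallbackPublicClient`, `publicClient.redirectUris`, `web.redirectUris`, `spa.redirectUris`) and works on a constructed sample manifest and the error text quoted in the question.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sample input: the MSAL error text from the question, abridged.
SAMPLE_ERROR = (
    "Error Acquiring Token: MSAL.NetCore.4.70.0.0.MsalServiceException: "
    "ErrorCode: invalid_client ... Original exception: AADSTS7000218: The request "
    "body must contain the following parameter: 'client_assertion' or 'client_secret'."
)

# Constructed sample app registration in the Microsoft Graph "application" shape
# (property names assumed from that resource). It reproduces the misconfiguration
# the answer describes: public flows off and a Web platform redirect URI present.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",   # placeholder, not a real client id
    "displayName": "WinForms sample (constructed)",
    "isFallbackPublicClient": False,
    "publicClient": {"redirectUris": ["http://localhost"]},
    "web": {"redirectUris": ["https://contoso.example/signin-oidc"]},  # constructed
    "spa": {"redirectUris": []},
})

# AADSTS codes whose usual cause is a public client being treated as confidential.
PUBLIC_CLIENT_CONFIG_CODES = {"AADSTS7000218"}


def extract_aadsts_code(message: str):
    """Pull the AADSTS error code out of an MSAL exception message, if any."""
    m = re.search(r"AADSTS\d+", message)
    return m.group(0) if m else None


@dataclass
class AuditResult:
    ok: bool
    findings: list = field(default_factory=list)


def audit_public_client(manifest_json: str) -> AuditResult:
    """Apply the answer's three checks to an exported app registration."""
    app = json.loads(manifest_json)
    findings = []
    # 1. "Allow public client flows" must be Yes for a desktop app without a secret.
    if app.get("isFallbackPublicClient") is not True:
        findings.append('"Allow public client flows" is not set to Yes (isFallbackPublicClient is false)')
    # 2. The redirect URI must live under the Mobile and desktop applications platform.
    public_uris = (app.get("publicClient") or {}).get("redirectUris") or []
    if not public_uris:
        findings.append("no redirect URI registered under the Mobile and desktop applications platform")
    # 3. Web (and SPA) platforms make the token endpoint expect a client secret or assertion.
    for platform in ("web", "spa"):
        uris = (app.get(platform) or {}).get("redirectUris") or []
        if uris:
            findings.append(f"{platform} platform still has redirect URIs: {', '.join(uris)}")
    return AuditResult(ok=not findings, findings=findings)


def fix_manifest(manifest_json: str) -> str:
    """Return a corrected copy: public flows on, Web and SPA redirect URIs removed.

    Existing public client URIs are kept as they are; nothing new is invented.
    """
    app = json.loads(manifest_json)
    app["isFallbackPublicClient"] = True
    for platform in ("web", "spa"):
        if platform in app:
            app[platform]["redirectUris"] = []
    return json.dumps(app, indent=2)


def explain(error_message: str, manifest_json: str) -> list:
    """Map an MSAL error to the registration findings that explain it."""
    code = extract_aadsts_code(error_message)
    if code not in PUBLIC_CLIENT_CONFIG_CODES:
        return [f"{code or 'no AADSTS code'}: not a public-client registration problem, look elsewhere"]
    result = audit_public_client(manifest_json)
    if result.ok:
        return [f"{code} but the registration looks correct; check policies in the tenant next"]
    return result.findings


if __name__ == "__main__":
    for line in explain(SAMPLE_ERROR, SAMPLE_MANIFEST):
        print("finding:", line)
    print("after fix:", audit_public_client(fix_manifest(SAMPLE_MANIFEST)).ok)
```

Feed it the JSON from the app registration's Manifest blade (or `Get-MgApplication` output) in place of the constructed sample; on the sample it reports the disabled public client flag and the stray Web redirect URI, and the corrected manifest passes the audit.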
