microsoft-authentication-library-for-dotnet: [Enhancement][L] ConfidentialClient does not support ECDsa client application certificates.
Which version of MSAL are you using? 4.30
Platform: ASP.NET Core 5.0
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- Web App
- Authorization code
- OBO
- Daemon App
- Service to Service calls
Other? - please describe;
Is this a new or existing app? Existing
Repro
- Register an AzureAD confidential client application with a certificate using ECDsa
- Create an instance on the ConfidentialClient
- Try and acquire an OBO token
```csharp
var onBehalfOfClientApplication = await this.oauthTokenProvider.BindAsync(accountId, this.TenantId).ConfigureAwait(false);
var oboResult = await onBehalfOfClientApplication
    .AcquireTokenOnBehalfOf(oauthScopes, userAssertion)
    .ExecuteAsync().ConfigureAwait(false);
```
Expected behavior
A token.
Actual behavior
```
System.NotSupportedException: The certificate key algorithm is not supported.
   at System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
   at Microsoft.Identity.Client.Platforms.netcore.NetCoreCryptographyManager.SignWithCertificate(String message, X509Certificate2 certificate)
   at Microsoft.Identity.Client.Internal.ClientCredentialWrapper.Sign(ICryptographyManager cryptographyManager, String message)
   at Microsoft.Identity.Client.Internal.JsonWebToken.Sign(ClientCredentialWrapper credential, Boolean sendCertificate)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialHelper.CreateClientCredentialBodyParameters(ICoreLogger logger, ICryptographyManager cryptographyManager, ClientCredentialWrapper clientCredential, String clientId, AuthorityEndpoints endpoints, Boolean sendX5C)
   at Microsoft.Identity.Client.OAuth2.TokenClient.AddBodyParamsAndHeaders(IDictionary`2 additionalBodyParameters, String scopes)
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(String tokenEndpoint, IDictionary`2 additionalBodyParameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenOnBehalfOfParameters onBehalfOfParameters, CancellationToken cancellationToken)
   at Chorus.Services.Application.ChorusServerApplication.AssignTenantOwnerAsync(TenantOptions tenantOptions, AuthenticationResult authenticationResult, TrackedTelemetry trackedTelemetry, CancellationToken cancellationToken) in C:\Ossiaco\chorus\src\Chorus.Services\src\Application\ChorusServerApplication.cs:line 94
   at Chorus.Services.Configure.Azure.ChorusResourceManager.<>c__DisplayClass12_1.<<ConfigureChorusApplicationAsync>b__2>d.MoveNext() in C:\Ossiaco\chorus\src\Chorus.Services.Configure\src\Azure\ChorusResourceManager.cs:line 374
```
About this issue
- State: closed
- Created 3 years ago
- Comments: 16 (7 by maintainers)
I haven’t actually had the time to look into using Signed Assertions. For the moment I reverted the application certificate back to self-signed RSA. If this gets implemented in the upcoming weeks, then I will go back to using my PKI ECDsa certificates.
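The Signed Assertions route mentioned in the comment above, as an added example that is not part of this issue or of MSAL itself: it signs the client assertion with the certificate's ECDsa key (ES256) and hands the finished JWT to MSAL through `WithClientAssertion`, so MSAL's `SignWithCertificate` (which reads `PublicKey.Key`, the call that throws for EC keys on .NET Core) is never reached. It assumes a P-256 certificate and an authorization server that accepts ES256 client assertions, which should be confirmed for the tenant before relying on it; the class name, `clientId` and `tenantId` are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using Microsoft.Identity.Client;

// Added example, not MSAL's own code. MSAL's SignWithCertificate in this version reads
// PublicKey.Key, which on .NET Core only supports RSA/DSA keys and throws NotSupportedException
// for EC keys. Building the assertion here and passing it via WithClientAssertion avoids that path.
static class EcdsaClientAssertion
{
    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Returns null when the certificate has no ECDsa private key (an RSA certificate can
    // keep using WithCertificate). Throws if the curve does not match ES256 (P-256).
    public static string? Create(X509Certificate2 cert, string clientId, string tokenEndpoint)
    {
        using ECDsa? key = cert.GetECDsaPrivateKey();
        if (key is null) return null;
        if (key.KeySize != 256)
            throw new NotSupportedException("ES256 requires a P-256 key; got " + key.KeySize + " bits");
        var now = DateTimeOffset.UtcNow;
        var header = JsonSerializer.Serialize(new
        {
            alg = "ES256", typ = "JWT", x5t = Base64Url(cert.GetCertHash()) // thumbprint selects the registered cert
        });
        var payload = JsonSerializer.Serialize(new
        {
            aud = tokenEndpoint, iss = clientId, sub = clientId, jti = Guid.NewGuid().ToString(),
            nbf = now.ToUnixTimeSeconds(), exp = now.AddMinutes(10).ToUnixTimeSeconds()
        });
        string signingInput = Base64Url(Encoding.UTF8.GetBytes(header)) + "."
                            + Base64Url(Encoding.UTF8.GetBytes(payload));
        // .NET returns the raw r||s (IEEE P1363) signature, which is exactly the JWS ES256 encoding.
        byte[] sig = key.SignData(Encoding.UTF8.GetBytes(signingInput), HashAlgorithmName.SHA256);
        return signingInput + "." + Base64Url(sig);
    }

    // Wires the assertion into MSAL; clientId/tenantId are placeholders supplied by the caller.
    public static IConfidentialClientApplication Build(X509Certificate2 cert, string clientId, string tenantId)
    {
        string authority = $"https://login.microsoftonline.com/{tenantId}";
        string assertion = Create(cert, clientId, $"{authority}/oauth2/v2.0/token")
            ?? throw new InvalidOperationException("certificate has no ECDsa private key");
        return ConfidentialClientApplicationBuilder.Create(clientId)
            .WithAuthority(authority).WithClientAssertion(assertion)
            .Build();
    }
}
```

Because the assertion is passed as a fixed string, it expires with its `exp` claim; rebuild the application (or regenerate the assertion) before that ten-minute window runs out.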