microsoft-authentication-library-for-dotnet: .WithCertificate with /common audience scenario is broken
Which version of MSAL are you using?
<PackageReference Include="Microsoft.Identity.Client" Version="2.7.0" />
Platform: netcore 2.2
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- Web App
- Authorization code
- OBO
- Web API
- OBO
Code based on this sample: https://github.com/microsoftgraph/aspnetcore-connect-sample
Is this a new or existing app? It’s a new app. I created a new empty dotnet core web application and took the code from the above sample as inspiration.
Repro
// Requires: using Microsoft.Identity.Client; using System.Security.Cryptography.X509Certificates;
// Azure options method
// ClientCredential with the key when filled, and with the certificate when not filled (both created in the portal correctly!!)
public ClientCredential GetClientCredential() {
    if (!string.IsNullOrEmpty(ClientSecret)) return new ClientCredential(ClientSecret);
    if (!string.IsNullOrEmpty(CertificateThumbprint)) {
        X509Certificate2 cert = GetCertificate(); // looks the certificate up by thumbprint
        if (cert != null)
            return new ClientCredential(new ClientAssertionCertificate(cert)); // no client ID parameter in 2.7.0
    }
    throw new ArgumentException("No client secret or certificate configured");
}
// Actual code.
var cca = new ConfidentialClientApplication(
    _azureOptions.ClientId,
    _azureOptions.GetAuthority(),          // the /common authority in this scenario
    redirectUrl,
    _azureOptions.GetClientCredential(),
    new Helpers.SessionTokenCache(identifier, memoryCache).GetCacheInstance(), // user token cache
    null);                                 // no app token cache
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
Expected behavior: get an access token.
Actual behavior: exception thrown (when the certificate is set):
"AADSTS700023: Client assertion audience claim does not match Realm issuer.
Trace ID: 36e0fa3f-437e-45b5-825e-472930cc7100
Correlation ID: fa45528a-9bde-4eaa-9fd1-ab7c44d15348
Timestamp: 2019-02-18 22:35:46Z"
An access token is returned when the secret is set (to check that the client is created correctly and that it has nothing to do with the redirect URI, invalid client, …).
Possible Solution
It seems like the ClientAssertionCertificate doesn’t accept a ClientID anymore. And according to this page the client ID should be in the assertion. In the past it did accept a ClientID, as shown in the “test code” from earlier. So I would expect the ClientAssertionCertificate to have a new ClientAssertionCertificate(string clientId, X509Certificate2 certificate) constructor.
Additional context / Logs / Screenshots
The following code isn’t working anymore, and I cannot find when it was removed: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/28473ce9460cfbeb191df346db565926d044f2e7/tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultSecretsProvider.cs#L145
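The "Possible Solution" above turns on what goes into the certificate-signed client assertion: the client ID as issuer and subject, and the token endpoint of the authority as audience, which is what the AADSTS700023 error is complaining about. The following is an added example, not MSAL's code and not the reporter's, that builds such an assertion with System.IdentityModel.Tokens.Jwt and runs it through a simplified stand-in for the service-side check. The assumptions are: the v1 token endpoint path `/oauth2/token` as audience, a constructed tenant name, a placeholder client ID, and a self-signed certificate generated on the fly; the validator models only issuer, audience, lifetime and signature, not the real AAD realm logic.

```csharp
// Added example (not MSAL's own code): how a certificate-based client assertion is built,
// and why an assertion whose audience was derived from /common fails an audience check
// made against a specific tenant. Needs the System.IdentityModel.Tokens.Jwt NuGet package.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

static class ClientAssertionDemo
{
    // Assumed: the assertion's "aud" is the authority's v1 token endpoint, as MSAL 2.x used.
    static string TokenEndpoint(string authority) => authority.TrimEnd('/') + "/oauth2/token";

    // JWT bearer client assertion as AAD consumes it: iss = sub = client id,
    // aud = token endpoint, short lifetime, unique jti, x5t header naming the certificate.
    static string BuildClientAssertion(string clientId, string authority, X509Certificate2 cert)
    {
        var now = DateTime.UtcNow;
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, clientId),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
        };
        var token = new JwtSecurityToken(
            issuer: clientId,
            audience: TokenEndpoint(authority),
            claims: claims,
            notBefore: now,
            expires: now.AddMinutes(10),
            signingCredentials: new X509SigningCredentials(cert)); // RS256 by default
        // Thumbprint header so the service can pick the registered certificate.
        token.Header[JwtHeaderParameterNames.X5t] = Base64UrlEncoder.Encode(cert.GetCertHash());
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Simplified stand-in (assumption, not AAD's real logic) for the service-side check:
    // signed by the registered certificate, issued by the client, addressed to the realm's endpoint.
    static string Validate(string assertion, string clientId, string realmAuthority, X509Certificate2 registeredCert)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = clientId,
            ValidAudience = TokenEndpoint(realmAuthority),
            IssuerSigningKey = new X509SecurityKey(registeredCert),
            ValidateLifetime = true,
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(assertion, parameters, out _);
            return "accepted";
        }
        catch (SecurityTokenException ex)
        {
            // Audience mismatch surfaces as SecurityTokenInvalidAudienceException.
            return "rejected: " + ex.GetType().Name;
        }
    }

    // Throwaway self-signed certificate standing in for the one registered in the portal.
    static X509Certificate2 NewSelfSignedCert()
    {
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=msal-assertion-demo", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));
            // Round-trip through PFX so the private key is usable for signing on every platform.
            return new X509Certificate2(cert.Export(X509ContentType.Pfx));
        }
    }

    static void Main()
    {
        const string clientId = "00000000-0000-0000-0000-000000000000"; // placeholder app id
        const string tenantAuthority = "https://login.microsoftonline.com/contoso.onmicrosoft.com"; // constructed
        const string commonAuthority = "https://login.microsoftonline.com/common";
        var cert = NewSelfSignedCert();

        // Audience built from the tenant authority: passes the check.
        var good = BuildClientAssertion(clientId, tenantAuthority, cert);
        Console.WriteLine("tenant-scoped aud: " + Validate(good, clientId, tenantAuthority, cert));

        // Audience built from /common, checked against the tenant realm: rejected,
        // the same shape of failure the issue reports.
        var bad = BuildClientAssertion(clientId, commonAuthority, cert);
        Console.WriteLine("/common aud:       " + Validate(bad, clientId, commonAuthority == tenantAuthority ? commonAuthority : tenantAuthority, cert));
    }
}
```

Decoding either assertion at jwt.ms shows the `iss`/`sub` and `aud` claims directly, which is the quickest way to see what a `ClientAssertionCertificate` is sending before the service rejects it.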
About this issue
- State: closed
- Created 5 years ago
- Comments: 27 (20 by maintainers)
Commits related to this issue
- Fix bug #891 - AAD token endpoint as issuer for WithCertificate — committed to AzureAD/microsoft-authentication-library-for-dotnet by bgavrilMS 5 years ago
MSAL 4.3.1 released
Thanks @jennyf19 and guys!
I really liked the detailed explanation! Great fix.
thanks @jennyf19 yes, with a certificate we really compute a client assertion including the issuer and audience
Thanks for fixing this, @jennyf19
@jmprieur FYI: You can also just specify the tenantId.
https://login.microsoftonline.com/{tenantId}