parsedmarc: msgraph DeviceCode auth reports error AADSTS7000218 despite providing client_secret

I have upgraded to ParseDMARC 8.3.0 to use msgraph authentication instead of IMAP, but UsernamePassword doesn’t seem to work (because the account has MFA enabled) and ClientSecret was getting complicated (because the account was created as a shared mailbox, though direct login is now enabled). So I would like to use DeviceCode authentication. I’ve:

  • registered ParseDMARC as an app
  • recorded the Application (client) ID and the Directory (tenant) ID
  • assigned the Mail.ReadWrite delegated permission
  • created and recorded a Client Secret for the registered app

My INI file has:

```ini
[msgraph]
auth_method = DeviceCode
tenant_id = <tenant-id>
client_id = <client-id>
client_secret = <client-secret-value>
mailbox = <mbox>@<domain>
```

When I run ParseDMARC I’m prompted to login with a code, which I do as <user>@<domain>, including MFA, and I accept to access ParseDMARC. But when I close the login window ParseDMARC exits with a long error stream that starts:

```
DeviceCodeCredential.get_token failed: Authentication failed: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: b0378a2c-560e-44a2-8420-141397fcbe00 Correlation ID: e1c56f5d-c66d-48d8-8b47-717d151b205b Timestamp: 2022-06-30 05:52:13Z Content: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: b0378a2c-560e-44a2-8420-141397fcbe00\r\nCorrelation ID: e1c56f5d-c66d-48d8-8b47-717d151b205b\r\nTimestamp: 2022-06-30 05:52:13Z","error_codes":[7000218],"timestamp":"2022-06-30 05:52:13Z","trace_id":"b0378a2c-560e-44a2-8420-141397fcbe00","correlation_id":"e1c56f5d-c66d-48d8-8b47-717d151b205b","error_uri":"https://login.microsoftonline.com/error?code=7000218"}
```

and then repeats 2 variants of the same info.

My INI file provides the client_secret value, and ParseDMARC errors out if it’s not there. So is ParseDMARC not providing it for some reason, or is there something else I might have missed?

Thanks.
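Added example (not code from parsedmarc or from the reporter): a small checker for the `[msgraph]` section that reports which keys each of the three auth methods named above actually consumes. The device code flow is a public-client flow and azure-identity's `DeviceCodeCredential` takes only tenant and client IDs, so a `client_secret` stored alongside `auth_method = DeviceCode` is flagged as a secret kept without purpose; the required/unused lists are this example's assumption, not parsedmarc's own validation (which, as the report says, insisted on the key in 8.3.0).

```python
import configparser
from typing import Dict, List

# Keys each auth_method consumes. Assumed mapping for this example, derived
# from the azure-identity credential classes, not parsedmarc's own checks.
AUTH_METHODS: Dict[str, Dict[str, List[str]]] = {
    # Public-client flow: DeviceCodeCredential(tenant_id, client_id)
    "DeviceCode": {"required": ["tenant_id", "client_id", "mailbox"],
                   "unused": ["client_secret", "username", "password"]},
    # Confidential-client flow: ClientSecretCredential needs the secret
    "ClientSecret": {"required": ["tenant_id", "client_id", "client_secret", "mailbox"],
                     "unused": ["username", "password"]},
    # ROPC flow: fails once MFA is enforced on the account, as in the report
    "UsernamePassword": {"required": ["client_id", "username", "password", "mailbox"],
                         "unused": ["client_secret"]},
}


def check_msgraph_section(ini_text: str) -> List[str]:
    """Return findings for the [msgraph] section; an empty list means no issue."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("msgraph"):
        return ["missing [msgraph] section"]
    sec = cfg["msgraph"]
    method = sec.get("auth_method", "")
    spec = AUTH_METHODS.get(method)
    if spec is None:
        return [f"unknown auth_method {method!r}; expected one of {sorted(AUTH_METHODS)}"]
    findings: List[str] = []
    for key in spec["required"]:
        if not sec.get(key):
            findings.append(f"{method}: required key {key!r} is missing or empty")
    for key in spec["unused"]:
        if sec.get(key):
            # A credential that no flow reads is still a credential at rest.
            findings.append(f"{method}: {key!r} is set but this flow never sends it; "
                            "remove it rather than keep an unused secret on disk")
    return findings


# Constructed sample: the reporter's configuration with placeholder values.
SAMPLE_INI = """
[msgraph]
auth_method = DeviceCode
tenant_id = <tenant-id>
client_id = <client-id>
client_secret = <client-secret-value>
mailbox = <mbox>@<domain>
"""

if __name__ == "__main__":
    for line in check_msgraph_section(SAMPLE_INI):
        print(line)
```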

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 15 (5 by maintainers)

Most upvoted comments

Thanks, but I see that I’d mixed up the history on what I’d tried here. You’re right, it was UsernamePassword flow that failed due to MFA.

I then tried ClientSecret flow, but that failed because this mailbox was created as a shared mailbox (though I later enabled logons to allow direct IMAP access) and the mailbox was not accepted in the New-ApplicationAccessPolicy command because a shared mailbox cannot be a security principal.

At that point I thought it might be quicker to configure DeviceCode flow than de-sharify the mailbox.

Since you’ve bundled the batch size fix (needed regardless of flow) with the token cache fix, hopefully it will be easiest for me to stick with DeviceCode flow here.