cli-microsoft365: Authenticating via certificate: 'client_assertion' should not be presented

Trying to authenticate via certificate gives me the following:

λ o365 spo login https://eurocanterbury.sharepoint.com --authType certificate --certificateFile cert.pem --thumbprint [THUMBPRINT]
Error: AADSTS700025: Client is public so 'client_assertion' should not be presented.
Trace ID: 41186365-0199-40b7-a4e5-fc8459890e00
Correlation ID: 57861a01-d3cd-4872-9376-27b287ebfb9c
Timestamp: 2019-04-25 07:38:27Z

I have had this on multiple tenants.

I’m not sure which parts of the AD app are relevant, but here’s a few things from the manifest:

"allowPublicClient": false,
"replyUrlsWithType": [
    {
        "url": "https://login.microsoftonline.com/common/oauth2/nativeclient",
        "type": "Web"
    }
],
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": true,

Let me know if you need to see more of the config.

I have already granted admin consent for the application.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 18 (10 by maintainers)

Most upvoted comments

Hm, I tried that first but it didn’t work initially. I’ve just tried it again and it worked though, so thanks.

I suppose it makes sense - I saw the PnP application uses delegated permissions, but that signs in as a user, whereas this signs in as an app.

Everything seems to be working now, so many thanks!

Post the command and your app registration config and somebody might be able to.

Thank you! I’ll have a look asap

Here’s everything we’ve done as far as I can remember:

  • Go to Azure portal > AAD app registrations (preview)
  • Create new application, leave account types as default, add dummy web redirect URI
  • Add API permissions for SharePoint
  • Generate certificates using PS scripts from MS docs
  • Use OpenSSL to convert the encrypted PFX into a decrypted pem file for use with the O365 tool
  • Copy the key credentials from the PS script output into the manifest as per the documentation
  • Visit https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<application id>&state=12345 as per the docs, and grant permissions to the application
  • Attempt to log in using O365 tool using the command in my original post
  • Try all combinations of enabling access tokens, ID tokens, changing the supported account type, and making the client public, trying the command again for each combination
  • Remove the web redirect URL and add the nativeclient redirect URL as a public client
  • Changing the supplied thumbprint (I guess it validates this next so it’s not getting this far)

As it currently stands:

  • The application is public
  • Access and ID token grant flow is enabled
  • Supported account types is set to Accounts in this organizational directory only
  • The redirect URL is https://login.microsoftonline.com/common/oauth2/nativeclient for public clients
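Added example, not code from the CLI, the reporter or anyone in the thread: a small Python checker for the pieces of the procedure above that can be verified offline. It extracts the certificate from the PEM produced by the OpenSSL conversion (skipping the private key and "Bag Attributes" lines openssl pkcs12 emits), computes the SHA-1 thumbprint that goes on --thumbprint, derives the base64url "x5t" form of that hash that the client assertion JWT header carries, and inspects the manifest for the three things the thread turns on: allowPublicClient (the AADSTS700025 text says a public client may not present a client_assertion), an application ("Role") permission rather than a delegated ("Scope") one, since certificate login signs in as the app rather than as a user, and a keyCredentials entry whose customKeyIdentifier is the base64 of that thumbprint (the form the documented PowerShell script outputs). The PEM is a constructed placeholder, not a real certificate, and the two manifests and their "<...>" IDs are constructed for the example.

```python
import base64
import hashlib

# Constructed placeholder: NOT a real certificate. Only the SHA-1 of the DER
# bytes matters for the thumbprint arithmetic demonstrated here.
PLACEHOLDER_DER = b"abc"
PLACEHOLDER_PEM = (
    "Bag Attributes\n"                  # openssl pkcs12 prints these before each block
    "-----BEGIN PRIVATE KEY-----\n"
    "bm90LWEtcmVhbC1rZXk=\n"            # placeholder body, must be skipped when hashing
    "-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(PLACEHOLDER_DER).decode() + "\n"
    + "-----END CERTIFICATE-----\n"
)


def normalize_thumbprint(thumb: str) -> str:
    """Accept 'AB:CD:..' or 'ab cd ..' as copied from certificate tools."""
    return thumb.replace(":", "").replace(" ", "").upper()


def thumbprint_from_der(der: bytes) -> str:
    """Uppercase hex SHA-1 of the DER certificate: the portal's thumbprint
    and the value the CLI's --thumbprint option expects."""
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_from_pem(pem: str) -> str:
    """Hash only the CERTIFICATE block; a PEM converted from a PFX also
    carries the private key, which must not be hashed."""
    in_cert, body = False, []
    for line in pem.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            in_cert = True
        elif line == "-----END CERTIFICATE-----":
            break
        elif in_cert:
            body.append(line)
    if not body:
        raise ValueError("no CERTIFICATE block found in PEM")
    return thumbprint_from_der(base64.b64decode("".join(body)))


def x5t_from_thumbprint(thumb: str) -> str:
    """base64url without padding of the raw SHA-1: the 'x5t' JWT header that
    identifies the signing certificate in the client_assertion."""
    raw = bytes.fromhex(normalize_thumbprint(thumb))
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def key_credential_matches(manifest: dict, thumb: str) -> bool:
    """customKeyIdentifier in the manifest is standard base64 of the SHA-1."""
    want = base64.b64encode(bytes.fromhex(normalize_thumbprint(thumb))).decode()
    return any(k.get("customKeyIdentifier") == want
               for k in manifest.get("keyCredentials", []))


def check_manifest(manifest: dict, thumb: str) -> list:
    """Return stable finding codes; an empty list means app-only certificate
    sign-in has a chance of getting past the token endpoint."""
    findings = []
    if manifest.get("allowPublicClient"):
        findings.append("PUBLIC_CLIENT")          # cause of AADSTS700025
    granted_types = {a.get("type")
                     for r in manifest.get("requiredResourceAccess", [])
                     for a in r.get("resourceAccess", [])}
    if "Role" not in granted_types:
        findings.append("NO_APPLICATION_PERMISSIONS")  # only delegated (Scope) grants
    if not manifest.get("keyCredentials"):
        findings.append("NO_KEY_CREDENTIALS")
    elif not key_credential_matches(manifest, thumb):
        findings.append("THUMBPRINT_NOT_IN_KEY_CREDENTIALS")
    return findings


THUMB = thumbprint_from_pem(PLACEHOLDER_PEM)

# Constructed: public client with only a delegated permission and no certificate uploaded.
DELEGATED_PUBLIC_MANIFEST = {
    "allowPublicClient": True,
    "requiredResourceAccess": [{"resourceAppId": "<resource app id>",
                                "resourceAccess": [{"id": "<delegated permission id>", "type": "Scope"}]}],
    "keyCredentials": [],
}

# Constructed: confidential client, application permission, certificate registered.
APP_ONLY_MANIFEST = {
    "allowPublicClient": False,
    "requiredResourceAccess": [{"resourceAppId": "<resource app id>",
                                "resourceAccess": [{"id": "<application permission id>", "type": "Role"}]}],
    "keyCredentials": [{"customKeyIdentifier": base64.b64encode(bytes.fromhex(THUMB)).decode(),
                        "type": "AsymmetricX509Cert", "usage": "Verify", "value": "<base64 cert>"}],
}

if __name__ == "__main__":
    print("thumbprint:", THUMB, "x5t:", x5t_from_thumbprint(THUMB))
    print("delegated/public:", check_manifest(DELEGATED_PUBLIC_MANIFEST, THUMB))
    print("app-only:", check_manifest(APP_ONLY_MANIFEST, THUMB))
```

To use it against a real registration, read the downloaded manifest JSON into a dict and pass the PEM you feed to --certificateFile; a thumbprint mismatch against keyCredentials points at the wrong certificate or a stale manifest, while PUBLIC_CLIENT reproduces the AADSTS700025 condition from the first post.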