Invalid_client: 700027 - [2022-11-21 20:59:40Z]: AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application.

Kira 21 Reputation points
2022-11-23T04:30:57.033+00:00

Language : Typescript
Library : MSAL authentication library
SNI Pinning enabled : YES

Error trace:
invalid_client: 700027 - [2022-11-21 20:59:40Z]: AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: '5B65BC1B889DCFFBA6111F2B6A61F2ED40B300C9', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ''. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/']. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL's WithSendX5C() method so that Azure Active Directory can validate the certificate being used.

Code Implementation:

// At module top: the MSAL library for Node used below
import * as Msal from '@azure/msal-node';

public async setAccessToken(): Promise<string | undefined> {
    const authorityHostUrl = Constant.AuthorityHostUrl;
    const tenant = this.config?.DomainTenantId;
    const authorityUrl = authorityHostUrl + '/' + tenant;
    const resourceUri = this.config!.ServiceEndpointUrl;

    const clientConfig = {
        auth: {
            clientId: this.config!.ClientId!,
            authority: authorityUrl,
            clientCertificate: {
                thumbprint: this.config!.AuthCertThumbprint!,
                privateKey: this.config!.AuthPrivateKey!,
                // the SNI pinning flag (a boolean) is what gets passed as x5c here
                x5c: this.SNIPinningFlag
            }
        }
    };

    const cca = new Msal.ConfidentialClientApplication(clientConfig);
    const gatewayScope = resourceUri + Constant.APIAccessDefaultScope;
    const clientCredentialRequest = {
        scopes: [gatewayScope]
    };

    try {
        // client credentials flow: the client assertion is a JWT signed with the certificate above
        const response = await cca.acquireTokenByClientCredential(clientCredentialRequest);
        this.accessToken = response?.accessToken!;
    } catch (error) {
        console.log(ExceptionMessages.TokenAcquiringError);
        throw error;
    }

    return Constant.Success;
}
Microsoft Entra ID

Accepted answer
  1. Shweta Mathur 27,381 Reputation points Microsoft Employee
    2022-11-24T06:32:33.9+00:00

    Hi @Kira ,

    Thanks for reaching out.

    This error usually comes when the certificate used to sign the assertion was not found in your application.

    x5c is the optional X.509 certificate chain used in subject name/issuer auth scenarios which allows an app to authenticate using a public certificate.

    Refer here to set the string from your PEM-encoded certificate to the MSAL configuration object in the clientCertificate.x5c field, in addition to providing both clientCertificate.thumbprint and clientCertificate.privateKey.

    Hope this will help.

    Thanks,
    Shweta

    ----------------------------------

    Please remember to "Accept Answer" if answer helped you.

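The PEM string the answer describes, as an added example that is neither the asker's code nor MSAL's: it builds msal-node's clientCertificate object from a PEM bundle so that thumbprint and x5c always come from the same certificate, and it flags a boolean x5c like the one in the question. The option names thumbprint, privateKey and x5c are msal-node's; the helper names and the constructed sample bundle are assumptions.

```typescript
import { createHash } from 'crypto';

// Shape of msal-node's clientCertificate option (all three are strings); x5c is typed
// loosely here so the checker can flag a boolean, as in the question's code.
export interface ClientCertificateConfig {
  thumbprint: string;
  privateKey: string;
  x5c?: unknown;
}
const CERT_RE = /-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----/;
const KEY_RE = /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC )?PRIVATE KEY-----/;

// SHA-1 over the DER bytes of a PEM certificate, upper-case hex: the value the Azure portal
// shows and the value AADSTS700027 reports as "Thumbprint of key used by client".
export function pemThumbprint(certPem: string): string {
  const m = CERT_RE.exec(certPem);
  if (!m) throw new Error('not a PEM certificate');
  return createHash('sha1').update(m[1].replace(/\s+/g, ''), 'base64').digest('hex').toUpperCase();
}

// Build clientCertificate from one PEM bundle (leaf certificate, optional chain, private key).
// The thumbprint is derived from the leaf certificate, so it cannot disagree with x5c.
export function clientCertificateFromPem(bundlePem: string): ClientCertificateConfig {
  const certs: string[] = [];
  const all = new RegExp(CERT_RE.source, 'g');
  for (let m = all.exec(bundlePem); m; m = all.exec(bundlePem)) certs.push(m[0]);
  const key = KEY_RE.exec(bundlePem);
  if (certs.length === 0 || !key) throw new Error('bundle needs a certificate and a private key');
  return { thumbprint: pemThumbprint(certs[0]), privateKey: key[0], x5c: certs.join('\n') };
}

// Pre-flight check for the misconfigurations behind AADSTS700027; an empty list means consistent.
export function checkClientCertificate(cfg: ClientCertificateConfig): string[] {
  const problems: string[] = [];
  const x5c = cfg.x5c;
  if (typeof x5c !== 'string' || !CERT_RE.test(x5c)) {
    problems.push('x5c must be the PEM certificate (chain) string, not a flag');
  } else if (pemThumbprint(x5c) !== cfg.thumbprint.toUpperCase()) {
    problems.push('thumbprint does not match the leaf certificate in x5c');
  }
  if (!KEY_RE.test(cfg.privateKey)) problems.push('privateKey is not a PEM private key');
  return problems;
}

// Constructed sample bundle (not a real certificate or key), just enough for the parser.
export const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----', 'AAECAwQFBgcICQ==', '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----', 'CgsMDQ4PEBESEw==', '-----END CERTIFICATE-----',
  '-----BEGIN PRIVATE KEY-----', 'Tm90IGEgcmVhbCBrZXk=', '-----END PRIVATE KEY-----',
].join('\n');
const good = clientCertificateFromPem(SAMPLE_BUNDLE);
console.log(checkClientCertificate(good));                   // []
console.log(checkClientCertificate({ ...good, x5c: true })); // x5c problem, as in the question
```

Pass the returned object as clientConfig.auth.clientCertificate; when the thumbprint reported in the AADSTS700027 message is not among the app registration's certificates, it is the registration, not this object, that needs the certificate added.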
