Language : Typescript
Library : MSAL authentication library
SNI Pinning enabled : YES
Error trace :
invalid_client: 700027 - [2022-11-21 20:59:40Z]: AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: '5B65BC1B889DCFFBA6111F2B6A61F2ED40B300C9', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ''. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/']. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL's WithSendX5C() method so that Azure Active Directory can validate the certificate being used.
Code Implementation :
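/**
 * Acquires an app-only access token for the configured service endpoint via
 * MSAL's client-credential flow with certificate authentication, stores it in
 * `this.accessToken`, and returns `Constant.Success`.
 *
 * @returns `Constant.Success` once a token has been stored.
 * @throws Whatever MSAL rejects with (e.g. an AADSTS `invalid_client` error),
 *   after logging `ExceptionMessages.TokenAcquiringError`. Also throws an
 *   `Error` before contacting AAD when the configuration cannot yield a valid
 *   client assertion (missing tenant/endpoint, or an x5c value that is not a
 *   PEM certificate), and when MSAL returns a response without a token.
 */
public async setAccessToken(): Promise<string | undefined> {
  const tenant = this.config?.DomainTenantId;
  if (!tenant) {
    // Without a tenant the authority would read "<host>/undefined" and AAD
    // would fail with an unrelated, harder-to-diagnose error.
    throw new Error("DomainTenantId is not configured; cannot build the AAD authority URL.");
  }
  const resourceUri = this.config!.ServiceEndpointUrl;
  if (!resourceUri) {
    throw new Error("ServiceEndpointUrl is not configured; cannot build the token scope.");
  }
  const authorityUrl = `${Constant.AuthorityHostUrl}/${tenant}`;

  // AADSTS700027 ending in "SNI may be configured on the app" means AAD wants
  // the x5c claim (the certificate's public part) in the assertion's JWT
  // header so it can validate the cert by subject name/issuer instead of a
  // registered thumbprint. In MSAL Node, `clientCertificate.x5c` is the
  // PEM-encoded certificate text — MSAL extracts the base64 blocks between the
  // BEGIN/END CERTIFICATE markers to build the claim (confirm against the MSAL
  // version in use). A boolean or a "true"/"false" string produces no usable
  // x5c claim, which matches the failure in the trace above, so reject that
  // misconfiguration up front with a clear message.
  const x5c: unknown = this.SNIPinningFlag;
  const sniRequested = x5c !== undefined && x5c !== null && x5c !== false && x5c !== "";
  if (sniRequested && (typeof x5c !== "string" || !x5c.includes("-----BEGIN CERTIFICATE-----"))) {
    throw new Error(
      "SNI (x5c) authentication is enabled but the x5c value is not a PEM-encoded certificate; " +
        "supply the certificate's public part (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----)."
    );
  }

  // Only the private key and thumbprint are secrets/identifiers here; never
  // log this object or the error details that may echo it.
  const clientCertificate: { thumbprint: string; privateKey: string; x5c?: string } = {
    thumbprint: this.config!.AuthCertThumbprint!,
    privateKey: this.config!.AuthPrivateKey!,
  };
  if (sniRequested) {
    clientCertificate.x5c = x5c as string;
  }

  const cca = new Msal.ConfidentialClientApplication({
    auth: {
      clientId: this.config!.ClientId!,
      authority: authorityUrl,
      clientCertificate,
    },
  });

  const gatewayScope = resourceUri + Constant.APIAccessDefaultScope;
  try {
    const response = await cca.acquireTokenByClientCredential({ scopes: [gatewayScope] });
    if (!response?.accessToken) {
      // Previously a missing token was stored as undefined and reported as
      // success; surface it instead so callers do not proceed unauthenticated.
      throw new Error("MSAL returned no access token for the requested scope.");
    }
    this.accessToken = response.accessToken;
  } catch (error) {
    // Log only the generic message; the original error is rethrown to the
    // caller unchanged.
    console.log(ExceptionMessages.TokenAcquiringError);
    throw error;
  }
  return Constant.Success;
}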