After updating Azure.Identity from 1.10 to 1.11, I can no longer authenticate my console application.

Doug Mendenhall 25 Reputation points
2024-06-24T17:08:01.3666667+00:00

I have a small LOB console application that needs to authenticate against Entra ID. The console app uses an IPublicClientApplication for acquiring the token interactively (since I need an MFA claim). Doing it this way would trigger a pop-up window to select the user. The code looks like the below and worked fine using Azure.Identity up to version 1.10.4:

using Microsoft.Identity.Client;

// Public client: no client secret. tenantDomain is the tenant the user signs in to,
// and the final argument turns on authority validation.
var app = PublicClientApplicationBuilder.Create(ClientAppId)
    .WithAuthority("https://login.windows.net", tenantDomain, true)
    .Build();
// Interactive sign-in so the user can satisfy MFA in the browser/pop-up.
Microsoft.Identity.Client.AuthenticationResult? result = await app.AcquireTokenInteractive(scopes)
    .ExecuteAsync();

After updating to 1.11.x (and also 1.12.x), the same code opens the challenge in a new web browser tab and when returning to the application throws an exception: "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'."

It's a public client app which doesn't take a client secret. I've already double checked the "Allow public client flows" in my Entra App registration and my manifest includes an "allowPublicClient": true reference (as is suggested in the Stack Overflow article that seems to be THE answer for this exception). If I downgrade the NuGet package back to Azure.Identity 1.10, it works again.

I can't find any reference to breaking changes between versions. I'm not sure if this is a bug or what I can do to reconfigure my application to use the newer SDK.


Accepted answer
Ganeshkumar R 665 Reputation points
2024-06-24T17:56:28.34+00:00

    It sounds like you're encountering an issue due to changes in the Microsoft.Identity.Client library that were introduced after version 1.10.4. Here are a few steps you can take to troubleshoot and resolve the issue:

    1. Check for Breaking Changes

    First, review the release notes for the versions of Azure.Identity and Microsoft.Identity.Client you are upgrading to. Sometimes, breaking changes or new configurations are documented there.

    2. Update Your Authority URL

    Ensure that your authority URL is set correctly. Starting from certain versions, there might be stricter checks or different handling for the authority URL. You might need to specify the tenant ID explicitly.

    
    var app = PublicClientApplicationBuilder.Create(ClientAppId)
        .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
        .Build();

    3. Configure Redirect URI

    For interactive flows, setting a redirect URI might be necessary. In some cases, the library might require explicit specification of the redirect URI even for public client applications.

    
    var app = PublicClientApplicationBuilder.Create(ClientAppId)
        .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
        .WithRedirectUri("http://localhost")
        .Build();

    4. Add Logging

    Enable logging to get more detailed information about the issue. This might provide more insights into what is going wrong.

    
    var app = PublicClientApplicationBuilder.Create(ClientAppId)
        .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
        // enablePiiLogging: false keeps user identifiers out of the console output;
        // the third callback argument tells you whether a message contains PII.
        .WithLogging((level, message, pii) =>
        {
            Console.WriteLine($"MSAL {level} {pii} {message}");
        }, LogLevel.Verbose, enablePiiLogging: false, enableDefaultPlatformLogging: true)
        .Build();

    5. Check App Registration

    Double-check your Azure AD app registration settings:

    • Ensure "Allow public client flows" is enabled.
    • Confirm there are no conditional access policies that might interfere.

    6. Use Interactive Token Acquisition

    Ensure that the method for acquiring tokens interactively is used correctly. Double-check the scopes you are passing and the flow itself.

    Example of Updated Code

    Here's an example of how you might update your code:

    
    var app = PublicClientApplicationBuilder.Create(ClientAppId)
        .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
        .WithRedirectUri("http://localhost")
        .Build();

    try
    {
        var result = await app.AcquireTokenInteractive(scopes)
                             .ExecuteAsync();
        // Printing a bearer token is only acceptable for local debugging; never log it in production.
        Console.WriteLine("Access Token: " + result.AccessToken);
    }
    catch (MsalException ex)
    {
        // MsalServiceException (AADSTS errors) and MsalClientException both derive from MsalException.
        Console.WriteLine($"Error acquiring token: {ex.Message}");
    }

    7. Test with Different Versions

    If none of the above steps work, you might want to test with intermediate versions between 1.10.4 and the latest version to identify exactly where the breaking change was introduced. This can help narrow down the issue and potentially find a workaround.

    8. Raise an Issue

    If you believe this is a bug, consider raising an issue on the official Azure SDK for .NET GitHub repository or the Microsoft Identity Web GitHub repository. Provide detailed information about your setup, the issue, and any error messages.

    By following these steps, you should be able to identify the cause of the issue and find a resolution or workaround.
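As an added example (not code from the question or from the accepted answer), the following complete console program combines the points above into one public-client sign-in with Microsoft.Identity.Client, the library the posted code already calls directly: an explicit AzurePublic authority with a tenant ID, an explicit http://localhost redirect URI, MSAL logging with PII disabled, a silent-then-interactive acquisition so the browser only opens when the cache cannot serve the request, and a local check of the ID token's amr claim so the app confirms that an MFA claim is actually present instead of assuming it. ClientAppId, TenantId and the scope list are placeholders for your own registration, and HasMfaClaim is a hypothetical helper written here with System.Text.Json; it is not an MSAL API. Enforcing MFA still belongs to Conditional Access on the server side; the claim check is defence in depth for the client.

```csharp
using System;
using System.Linq;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: public-client console sign-in with MSAL.NET.
// ClientAppId, TenantId and Scopes are placeholders for your own app registration.
static class Program
{
    const string ClientAppId = "00000000-0000-0000-0000-000000000000"; // placeholder
    const string TenantId    = "11111111-1111-1111-1111-111111111111"; // placeholder
    static readonly string[] Scopes = { "User.Read" };                 // placeholder scopes

    static async Task<int> Main()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder.Create(ClientAppId)
            // Explicit cloud + tenant ID instead of a free-form authority string.
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            // Must match a redirect URI registered under the app's "Mobile and desktop applications" platform.
            .WithRedirectUri("http://localhost")
            // Verbose MSAL logging with PII disabled; messages flagged as PII are dropped as well.
            .WithLogging((level, message, containsPii) =>
            {
                if (!containsPii) Console.Error.WriteLine($"MSAL {level}: {message}");
            }, LogLevel.Verbose, enablePiiLogging: false, enableDefaultPlatformLogging: false)
            .Build();

        AuthenticationResult? result = null;
        try
        {
            // Prefer the cache: silent acquisition succeeds when a valid token is already present.
            var account = (await app.GetAccountsAsync()).FirstOrDefault();
            if (account != null)
                result = await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // Cached token unusable (expired, consent or MFA needed): fall through to interactive.
        }

        try
        {
            // Opens the system browser; the user satisfies MFA there if the tenant requires it.
            result ??= await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
        catch (MsalServiceException ex)
        {
            // AADSTS error codes (such as 7000218) arrive here together with the server correlation ID.
            Console.Error.WriteLine($"Sign-in failed: {ex.ErrorCode} {ex.Message} (correlation {ex.CorrelationId})");
            return 1;
        }

        // Never print the access token; report only non-sensitive facts about the result.
        Console.WriteLine($"Signed in as {result.Account.Username}; token expires {result.ExpiresOn:u}");
        Console.WriteLine($"MFA claim present in ID token: {HasMfaClaim(result.IdToken)}");
        return 0;
    }

    // Hypothetical helper: true when the ID token's "amr" (authentication method reference) claim
    // lists "mfa". It decodes the JWT payload locally and does not validate the signature, because
    // this process received the token directly from the token endpoint over TLS.
    public static bool HasMfaClaim(string idToken)
    {
        string[] parts = idToken.Split('.');
        if (parts.Length != 3) return false;

        // base64url -> base64 with padding
        string payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');

        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        if (!doc.RootElement.TryGetProperty("amr", out JsonElement amr) || amr.ValueKind != JsonValueKind.Array)
            return false;
        return amr.EnumerateArray().Any(e => e.ValueKind == JsonValueKind.String && e.GetString() == "mfa");
    }
}
```

Run it as a .NET console project that references the Microsoft.Identity.Client package. If the browser round-trip still ends in AADSTS7000218, the correlation ID printed in the failure branch is what to quote when raising an issue, and the logging callback will show which redirect URI and authority MSAL actually sent.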

