Azure AD/SharePoint connection - Invalid client secret error in Access token request with a certificate

Mickaël DELANOE 0 Reputation points
2023-08-08T15:51:10.2966667+00:00

Hi,

I am trying to establish a connection to the SharePoint API with an Azure AD client/user app.

So I request an authToken with the certificate method (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate). In this method there is no client_secret parameter, so I do not understand why I get an error about an invalid client_secret?

My error:

AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app with jwt

Nota:

If I make an authToken request with a shared secret (First Case), I get a good response and an authToken. Unfortunately, the SharePoint API does not recognize this kind of authToken (according to web research).

Thanks for your help.

Best Regards


5 answers

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-08-29T07:33:21.79+00:00

    Hello @Mickaël DELANOE , as you already found out, SharePoint only accepts app access tokens requested with a client certificate, not a client secret. You can find confirmation about the former in the Granting access via Azure AD App-Only FAQ. Also, take a look at Crafting the assertion for ways to create the assertion in .NET.

    Finally, consider moving to MS Graph SharePoint backed endpoints (aka SharePoint REST API v2). You can use access tokens requested with client secrets.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

    2 people found this answer helpful.

  2. Mickaël Delanoë 5 Reputation points
    2023-09-27T10:17:25.17+00:00

    So, after some exchanges, tests, ..., even though I am still not connected to my SharePoint, my understanding is:

    SharePoint has 2 APIs

    • API v1 : Accessing by ??
      • Request an accessToken to ...
        • Request SP v1 API (with our accessToken)

    • API v2 : Accessing by MS Graph
      • Request an accessToken to MS Graph
        • Request for SP API to MS Graph (with our accessToken)
          • MS Graph transfers the request to SP API v2 (with its own accessToken)

    The old way : Using SharePoint REST API V1

    • This is an old way using SharePoint REST API V1
    • The following point is right (only for SP v1 API)

    If you try to use an app-only access token obtained using client id and client secret, SharePoint Online will return the following error: Unsupported app only token.

    • I tried to build a JWT, ... but I left this way for the next

    The new way : Using MS Graph (SP v2 API)

    • This is a new way using selected MS Graph endpoints (AKA SharePoint REST API V2)
    • We can use the client id/secret method for acquiring access tokens for APIs
    • For the accessToken request, we have to use the Scope : https://graph.microsoft.com/.default
    • Now, I got a new error
    {
        "error":{
            "code":"AccessDenied",
            "message":"Either scp or roles claim need to be present in the token.",
            "innerError":{
                "date":"2023-09-25T07:56:11",
                "request-id":"f043a5d1-f03b-41c5-a482-2cd5ffd6ba49",
                "client-request-id":"f043a5d1-f03b-41c5-a482-2cd5ffd6ba49"
            }
        }
    }
    

    But maybe it's no longer the same issue as at first, so maybe this issue can be closed.

    1 person found this answer helpful.
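The certificate assertion that answer 1 points to ("Crafting the assertion") and the scp/roles check behind the AccessDenied error in this post, as an added example that is not code from the thread, from Microsoft or from any library. It uses only the Python standard library and leaves the RS256 signature to the caller; tenant, client id and certificate bytes are constructed placeholders.

```python
# Added example (not from the thread): stdlib-only helpers for the two token issues discussed
# above. Certificate bytes, tenant and client IDs used with these functions are placeholders.
import base64
import hashlib
import json
import time
import uuid

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def assertion_signing_input(client_id: str, tenant: str, cert_der: bytes, now=None) -> str:
    """Header and claim set of the client_assertion JWT from the linked v2 client-credentials doc.
    x5t is base64url(SHA-1 of the DER certificate). To finish the JWT, sign this string with the
    certificate's RSA private key (RS256 = RSA PKCS#1 v1.5 over SHA-256, e.g. with the
    'cryptography' package) and append '.' + b64url(signature)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "x5t": b64url(hashlib.sha1(cert_der).digest())}
    claims = {"aud": f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
              "iss": client_id, "sub": client_id, "jti": str(uuid.uuid4()),
              "nbf": now, "exp": now + 600}  # keep it short-lived; the assertion is single-use
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return compact(header) + "." + compact(claims)

def token_request_form(client_id: str, assertion: str, scope="https://graph.microsoft.com/.default") -> dict:
    """POST body for the token endpoint. There is no client_secret field: the signed assertion is
    the credential, so check that x5t and the signature match a certificate uploaded to the app."""
    return {"grant_type": "client_credentials", "client_id": client_id, "scope": scope,
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": assertion}

def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise diagnose_access_token offline."""
    return b64url(b'{"alg":"none"}') + "." + b64url(json.dumps(claims).encode()) + ".sig"

def diagnose_access_token(jwt: str) -> dict:
    """Read (do not verify) the claims of an access token. Graph rejects a token carrying
    neither 'roles' (app-only, from consented application permissions) nor 'scp' (delegated)
    with 'Either scp or roles claim need to be present in the token'."""
    claims = json.loads(b64url_decode(jwt.split(".")[1]))
    app_only, delegated = "roles" in claims, "scp" in claims
    problem = None if app_only or delegated else (
        "no roles/scp claim: grant the app an application permission and admin-consent it")
    return {"aud": claims.get("aud"), "app_only": app_only, "delegated": delegated, "problem": problem}
```

Paste a real access token into diagnose_access_token to see which of the two claims it carries before retrying the Graph or SharePoint call.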

  3. RaytheonXie_MSFT 40,486 Reputation points Microsoft External Staff
    2023-08-09T02:22:45.9733333+00:00

    Hi @Mickaël DELANOE

    The error message "AADSTS7000215: Invalid client secret provided." means that the client secret is incorrect or expired either in the app registration or in a different reference.

    To resolve this issue, you should validate that your app registration has the correct value recorded for the client secret and ensure that all of the following values are correctly configured:

    [screenshot of the app registration values]

    You could make sure that you're passing the client_secret using a web app or web API; it shouldn't be used in a native app, because client_secrets can't be reliably stored on devices. For more info - Get access and refresh tokens.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Tidiane Diallo 0 Reputation points
    2024-03-18T09:22:51.66+00:00

    Hi @Alfredo Revilla (Ex-MSFT)

    I want to create a Postman collection and access my endpoints with MS Graph, CRUD sites and lists with a Token, and it works well.

    I wanted to do a CRUD operation with the SharePoint REST API V1. I created a certification but I'm blocked on how to use the certificate to access the token to access SharePoint and create a list or site.

    Thank you for your help


  5. Tidiane Diallo 0 Reputation points
    2024-03-18T13:52:14.89+00:00

    Hi Alfredo Revilla (Ex-MSFT), well, thank you a lot

    My problem is how to use the certificate to access the SharePoint token and get the sites with the Sites.Selected permission.
