How to fix 'AADSTS90023: V2 tokens require asymmetric token signing credentials'?

Matyas Juhasz 0 Reputation points
2024-06-11T08:58:57.59+00:00

I have a web app using Azure AD to login users. It is using the MSAL python library to redirect users to a https://login.microsoftonline.com/(...) URL for login, then exchanging the authorization code from the call for an access token.

It was working until our last secret key expired in Azure AD, and we registered a new one.
Now the token exchange step via https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize returns the following error: 'AADSTS90023: V2 tokens require asymmetric token signing credentials'. MSAL logging shows the request to the v2.0/authorize endpoint returns code 400.

We are using the MSAL ConfidentialClientApplication class, generating the redirect URL via get_authorization_request_url and acquiring the access token via acquire_token_by_authorization_code. I also tried the workflow with initiate_auth_code_flow, and registered a certificate and provided the private_key and thumbprint; everything results in the same error. We set "accesstokenAcceptedVersion": 2 (it was null when it worked), still the same error. The scopes used in our app are configured (User.Read offline_access openid profile).

What are we missing?


2 answers

  1. Raja Pothuraju 1,190 Reputation points Microsoft Vendor
    2024-06-14T18:35:09.9966667+00:00

    Hello @Matyas Juhasz,

    Thank you for your response and confirming that your application has a symmetric customKeyIdentifier. You can remove it either from the Azure Portal or by using the PowerShell command which I shared in the previous comment.

    I believe your application might be generating an access token by utilizing a certificate. If you wish to use a client secret key to generate the access token, you can remove the symmetric certificate and try generating an access token with a client_secret. Please refer to the document for a POST request example:

    Request an Access Token with a Client Secret

    Alternatively, you can obtain an asymmetric certificate from any Certificate Authority, or you can generate a self-signed certificate by following the steps mentioned in the article below:

    How to Create a Self-Signed Certificate

    Please let me know if you need further assistance.

    Thanks & Regards,
    Raja Pothuraju.
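
A local check for the symmetric key credential the answer above says to remove, as an added example that is not from the answer author or from Microsoft. The manifest JSON is constructed here; in practice you would export it from the app registration's Manifest editor, and the actual removal happens in the portal or via the PowerShell command mentioned in the answer, not through this script.

```python
import json

# Constructed sample of an Entra app registration manifest (not the asker's app).
# The "Symmetric" keyCredential is the kind of entry the answer says to remove:
# while it is present, the v2.0 token endpoint answers AADSTS90023.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "accessTokenAcceptedVersion": 2,
    "keyCredentials": [
        {"keyId": "11111111-1111-1111-1111-111111111111", "type": "Symmetric",
         "usage": "Verify", "customKeyIdentifier": "c3ltbWV0cmljLWtleQ==",
         "displayName": "legacy symmetric key"},
        {"keyId": "22222222-2222-2222-2222-222222222222", "type": "AsymmetricX509Cert",
         "usage": "Verify", "customKeyIdentifier": "QUJDREVGMDEyMzQ1Njc4OQ==",
         "displayName": "CN=webapp-cert"},
    ],
    "passwordCredentials": [
        {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "secret 2024"},
    ],
})

def check_v2_signing_readiness(manifest_json):
    """Report the credentials on the registration and whether v2 issuance can work.
    'ok' is False whenever a Symmetric keyCredential is still attached."""
    manifest = json.loads(manifest_json)
    keys = manifest.get("keyCredentials", [])
    symmetric = [k["keyId"] for k in keys if k.get("type") == "Symmetric"]
    return {
        "accessTokenAcceptedVersion": manifest.get("accessTokenAcceptedVersion"),
        "symmetric_key_ids": symmetric,
        "asymmetric_cert_count": sum(k.get("type") == "AsymmetricX509Cert" for k in keys),
        "client_secret_count": len(manifest.get("passwordCredentials", [])),
        "ok": not symmetric,
    }

def remove_symmetric_key_credentials(manifest_json):
    """Return the manifest with Symmetric keyCredentials dropped; certificates and
    client secrets (passwordCredentials) are left untouched."""
    manifest = json.loads(manifest_json)
    manifest["keyCredentials"] = [k for k in manifest.get("keyCredentials", [])
                                  if k.get("type") != "Symmetric"]
    return json.dumps(manifest, indent=2)

if __name__ == "__main__":
    print("before:", check_v2_signing_readiness(SAMPLE_MANIFEST))
    cleaned = remove_symmetric_key_credentials(SAMPLE_MANIFEST)
    print("after: ", check_v2_signing_readiness(cleaned))
```

Running it against a real exported manifest tells you at a glance whether a leftover symmetric credential, rather than the new secret or certificate, is what the v2.0 endpoint is rejecting.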


  2. Raja Pothuraju 1,190 Reputation points Microsoft Vendor
    2024-06-24T04:54:14.2366667+00:00

    Hello @Matyas Juhasz,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: How to fix 'AADSTS90023: V2 tokens require asymmetric token signing credentials'?

    Solution: After creating a new web app in Entra ID and changing client id and secret key in your python app, you are able to hit the v2.0 API again, both 'manually' and with MSAL python.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    Thanks,
    Raja Pothuraju.