How to fix 'AADSTS90023: V2 tokens require asymmetric token signing credentials'?

Matyas Juhasz 0 Reputation points
2024-06-11T08:58:57.59+00:00

I have a web app using Azure AD to login users. It is using the MSAL python library to redirect users to an https://login.microsoftonline.com/(...) URL for login, then exchanging the authorization code from the call for an access token.

It was working until our last secret key expired in Azure AD, and we registered a new one.
Now the token exchange step via https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize returns the following error: 'AADSTS90023: V2 tokens require asymmetric token signing credentials'. MSAL logging shows the request to the v2.0/authorize endpoint returns code 400.

We are using the MSAL ConfidentialClientApplication class, generate the redirect URL via get_authorization_request_url and acquire the access token via acquire_token_by_authorization_code. I also tried the workflow with initiate_auth_code_flow, and registered a certificate and provided the private_key and thumbprint, everything results in the same error. We set "accesstokenAcceptedVersion": 2 (it was null when it worked), still the same error. The scopes used in our app are configured (User.Read offline_access openid profile).

What are we missing?


1 answer

Raja Pothuraju 470 Reputation points Microsoft Vendor
2024-06-14T18:35:09.9966667+00:00

Hello @Matyas Juhasz,

Thank you for your response and confirming that your application has a symmetric customKeyIdentifier. You can remove it either from the Azure Portal or by using the PowerShell command which I shared in the previous comment.

I believe your application might be generating an access token by utilizing a certificate. If you wish to use a client secret key to generate the access token, you can remove the symmetric certificate and try generating an access token with a client_secret. Please refer to the document for a POST request example:

Request an Access Token with a Client Secret

Alternatively, you can obtain an asymmetric certificate from any Certificate Authority, or you can generate a self-signed certificate by following the steps mentioned in the article below:

How to Create a Self-Signed Certificate

Please let me know if you need further assistance.

Thanks & Regards,
Raja Pothuraju.
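As an added example (not part of the question or the answer above), a small Python check that reads an app registration manifest export and reports the condition the answer describes: a symmetric key credential with usage "Sign", which is what conflicts with v2 token issuance, alongside any expired secrets or certificates. The manifest below is constructed for the example; its field names follow the Entra application manifest schema (keyCredentials, passwordCredentials, accessTokenAcceptedVersion), and the appId is a placeholder.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample manifest fragment: one expired and one current client
# secret, one asymmetric certificate, and one symmetric signing key.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app
    "accessTokenAcceptedVersion": 2,
    "passwordCredentials": [
        {"keyId": "p-old", "displayName": "old secret", "endDate": "2024-05-30T00:00:00Z"},
        {"keyId": "p-new", "displayName": "new secret", "endDate": "2026-05-30T00:00:00Z"},
    ],
    "keyCredentials": [
        {"keyId": "k-cert", "type": "AsymmetricX509Cert", "usage": "Verify",
         "customKeyIdentifier": "AA==", "endDate": "2026-05-30T00:00:00Z"},
        {"keyId": "k-sym", "type": "Symmetric", "usage": "Sign",
         "customKeyIdentifier": "BB==", "endDate": "2026-05-30T00:00:00Z"},
    ],
})


def _parse_utc(ts: str) -> datetime:
    # Manifest timestamps end in "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def diagnose(manifest_json: str, now_iso: Optional[str] = None) -> dict:
    """Report credentials on an app registration that block or break token issuance.

    symmetric_signing_keys lists keyIds that must be removed (or replaced by an
    asymmetric certificate) before v2 tokens can be issued; expired_credentials
    lists secrets and certificates whose endDate has passed.
    """
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    m = json.loads(manifest_json)
    keys = m.get("keyCredentials", [])
    secrets = m.get("passwordCredentials", [])
    sym_sign = [c["keyId"] for c in keys
                if c.get("type") == "Symmetric" and c.get("usage") == "Sign"]
    expired = [c["keyId"] for c in secrets + keys
               if c.get("endDate") and _parse_utc(c["endDate"]) < now]
    return {
        "v2_tokens": m.get("accessTokenAcceptedVersion") == 2,
        "symmetric_signing_keys": sym_sign,
        "expired_credentials": expired,
        "aadsts90023_risk": bool(sym_sign),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_MANIFEST), indent=2))
```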