WIF still requires client secret

Question

WIF still requires client secret

Geo Cheng 30

I set up WIF (GCP -> Azure authentication) with a federated credential, enabled “Allow public client flows”, and are using urn:ietf:params:oauth:grant-type:jwt-bearer, but Azure AD still requires a client_secret.

Here's the Correlation ID: 079b7a59-1d58-4467-bf44-e4ece63ce5ed and Trace ID: 'e034c167-9fb3-4afc-9b15-c9cf7e161200' from the latest error.

Can you please check for the application in question (gcp-azure-connector, or ID 5e042850-28d3-4f19-b4de-6b9936c08041) on why it still requires client_secret for WIF auth?

e.g. internal tenant policies, permission logs, or propagation issues that might be blocking WIF from working without client secret

SrideviM 2,065 Reputation points Microsoft External Staff

2025-03-20T09:08:46.5166667+00:00

Hello Geo Cheng,

Could you check and confirm what platform your redirect URI is configured in your Azure AD app registration? If possible, please add Authentication tab image of your Azure app registration to check redirect URI field and “Allow public client flows” option.
SrideviM 2,065 Reputation points Microsoft External Staff

2025-03-21T00:49:04.6933333+00:00

Hello Geo Cheng,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.

Geo Cheng 30

@SrideviM sorry for the late reply I was working on another project and didn't expect such prompt response which I really appreciate! I will turnaround much faster now.

I tried to configure the redirect URI, but am not sure how, since on my GCP VM that's trying to authenticate with azure doesn't have a webserver running, it's just a python script trying to authenticate, thus a redirect URI such as http://gcp.vm.ip.add:8080/ would not be available. Could you provide further info on how to set this up if it's indeed necessary, as I've seen it stated as such for OpenID Connect auth, which I seem to be using?

Here's the actual error when I ran the script:

{'error': 'invalid_client', 'error_description': "AADSTS7000219: 'client_assertion' or 'client_secret' is required for the 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant type. Trace ID: 5651c65a-e43d-4319-bc6f-26ded5ec8600 Correlation ID: 2ad49307-e741-4746-9774-0e4d28614791 Timestamp: 2025-03-25 20:54:09Z", 'error_codes': [7000219], 'timestamp': '2025-03-25 20:54:09Z', 'trace_id': '5651c65a-e43d-4319-bc6f-26ded5ec8600', 'correlation_id': '2ad49307-e741-4746-9774-0e4d28614791'}

See script here:

import requests as http_requests

# Fetch GCP token
gcp_response = http_requests.get(
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=//iam.googleapis.com/projects/3xxxxxxxxxx9/locations/global/workloadIdentityPool
s/azure-ad-pool-1/providers/azure-ad-provider-1",
    headers={"Metadata-Flavor": "Google"}
)
gcp_token = gcp_response.text
print(f"GCP Token: {gcp_token}")

# Exchange with Azure AD
azure_response = http_requests.post(
    "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
    headers={"Content-Type": "application/x-www-form-urlencoded"},
    data={
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": "{app_id}",
        "assertion": gcp_token,
        "scope": "https://management.azure.com/.default",
        "requested_token_use": "on_behalf_of"
    }
)

if azure_response.status_code == 200:
    azure_ad_token = azure_response.json()["access_token"]
    print(f"Azure AD Token: {azure_ad_token}")
else:
    print(f"Azure AD Error: {azure_response.json()}")
    exit(1)

# Test the token
headers = {'Authorization': f'Bearer {azure_ad_token}'}
response = http_requests.get(
    "https://management.azure.com/subscriptions?api-version=2020-01-01",
    headers=headers
)
print(response.json())

Note that if I replaced the block of "# Exchange with Azure AD" with this, it WOULD work, but that's not what I want as it still involves actual client secrets:

# Exchange with Azure AD
azure_response = http_requests.post(
    "https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token",
    headers={"Content-Type": "application/x-www-form-urlencoded"},
    data={
        "grant_type": "client_credentials",
        "client_id": "{appid}",
        "client_secret": "",  # Add your secret here
        "assertion": gcp_token,
        "scope": "https://management.azure.com/.default"
    }
)

SrideviM 2,065 Reputation points Microsoft External Staff

2025-03-26T02:30:21.1533333+00:00

Hello Geo Cheng,

Could you share more details on how this setup was configured? Specifically, any documentation you followed and a diagram of the authentication flow. This will help us reproduce the issue and troubleshoot effectively.
Geo Cheng 30 Reputation points

2025-03-26T04:48:21.2333333+00:00

I provided those trace_id and correlation_id in the error message - are you able to find some glues from the azure server side?

Here are the detailed steps of what I did to setup the azure side. Let me know if you need my GCP setup steps as well. Note that I did not perform the redirect URI step 5 as grok keeps telling me it's not needed, and I don't know how to set that up anyway with a webserver that I don't have. For step 6 and 7, my cloud admin said he couldn't find a way to assign a role to an application anyway, so I wasn't able to do those 2 steps.

Summary of Steps to Reproduce AADSTS7000219 Error in GCP-to-Azure WIF Setup

Objective

The goal was to set up Workload Identity Federation (WIF) to allow a workload running on a GCP VM to authenticate to Azure AD and access Azure resources (e.g., list subscriptions) without using a client_secret. The setup uses the urn:ietf:params:oauth:grant-type:jwt-bearer grant type to exchange a GCP token for an Azure AD token. However, the process consistently resulted in the error AADSTS7000219: 'client_assertion' or 'client_secret' is required, indicating Azure AD requires client authentication despite the WIF configuration.

see screenshot for the steps, i couldn't paste them here becuz of formatting issues [removed image later for sensitive info]

Accepted answer

0 additional answers

Your answer

SrideviM 2,065 Reputation points Microsoft External Staff

2025-03-20T09:08:46.5166667+00:00

Hello Geo Cheng,

Could you check and confirm what platform your redirect URI is configured in your Azure AD app registration? If possible, please add Authentication tab image of your Azure app registration to check redirect URI field and “Allow public client flows” option.
SrideviM 2,065 Reputation points Microsoft External Staff

2025-03-21T00:49:04.6933333+00:00

Hello Geo Cheng,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
SrideviM 2,065 Reputation points Microsoft External Staff

2025-03-26T02:30:21.1533333+00:00

Hello Geo Cheng,

Could you share more details on how this setup was configured? Specifically, any documentation you followed and a diagram of the authentication flow. This will help us reproduce the issue and troubleshoot effectively.
Geo Cheng 30 Reputation points

2025-03-26T04:48:21.2333333+00:00

I provided those trace_id and correlation_id in the error message - are you able to find some glues from the azure server side?

Here are the detailed steps of what I did to setup the azure side. Let me know if you need my GCP setup steps as well. Note that I did not perform the redirect URI step 5 as grok keeps telling me it's not needed, and I don't know how to set that up anyway with a webserver that I don't have. For step 6 and 7, my cloud admin said he couldn't find a way to assign a role to an application anyway, so I wasn't able to do those 2 steps.

Summary of Steps to Reproduce AADSTS7000219 Error in GCP-to-Azure WIF Setup

Objective

The goal was to set up Workload Identity Federation (WIF) to allow a workload running on a GCP VM to authenticate to Azure AD and access Azure resources (e.g., list subscriptions) without using a client_secret. The setup uses the urn:ietf:params:oauth:grant-type:jwt-bearer grant type to exchange a GCP token for an Azure AD token. However, the process consistently resulted in the error AADSTS7000219: 'client_assertion' or 'client_secret' is required, indicating Azure AD requires client authentication despite the WIF configuration.

see screenshot for the steps, i couldn't paste them here becuz of formatting issues [removed image later for sensitive info]

Answer 1

SrideviM 2,065 Microsoft External Staff

Hello Geo Cheng,

Thanks for sharing the details. It looks like Azure AD is still asking for a client secret, even though Workload Identity Federation should work without one.

This could be because Azure isn’t recognizing the GCP token correctly. Checking that the issuer, subject, and audience match what's registered in Azure under Federated Credentials might help.

It could also be an issue with the OAuth request, as Azure expects client_credentials instead of jwt-bearer. If the service principal lacks the right permissions, like Reader or Contributor access, Azure will issue a token but throws error while calling API request.

Here’s an updated version of your script that should work better:


import requests

# Get GCP token

metadata_url = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity"

audience = "//iam.googleapis.com/projects/3xxxxxxxxx9/locations/global/workloadIdentityPools/azure-ad-pool-1/providers/azure-ad-provider-1"

gcp_response = requests.get(f"{metadata_url}?audience={audience}", headers={"Metadata-Flavor": "Google"})

if gcp_response.status_code != 200:

    print(f"Error getting GCP token: {gcp_response.text}")

    exit(1)

gcp_token = gcp_response.text

# Exchange GCP token for Azure token

azure_token_url = "https://login.microsoftonline.com/tenantId/oauth2/v2.0/token"

azure_client_id = "appId"

data = {

    "grant_type": "client_credentials",

    "client_id": azure_client_id,

    "client_assertion": gcp_token,

    "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",

    "scope": "https://management.azure.com/.default"

}

azure_response = requests.post(azure_token_url, headers={"Content-Type": "application/x-www-form-urlencoded"}, data=data)

if azure_response.status_code != 200:

    print(f"Azure AD Error: {azure_response.json()}")

    exit(1)

azure_ad_token = azure_response.json()["access_token"]

# Test Azure AD token

headers = {'Authorization': f'Bearer {azure_ad_token}'}

response = requests.get("https://management.azure.com/subscriptions?api-version=2020-01-01", headers=headers)

print(response.json())

To know how to generate access token using federated credentials, you can refer this MS Article: Access Token Request with a Federated Credential.

Hope this helps!

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Geo Cheng 30 Reputation points

2025-03-26T15:37:35.1766667+00:00
amazing, that worked, thank u so much!!! apparently i made 2 mistakes:

cannot make request to azure directly, first must get a client token

the params in the initial token request are not quite named properly
SrideviM 2,065 Reputation points Microsoft External Staff

2025-03-26T16:59:52.14+00:00
Hello Geo Cheng,

Glad to hear that it’s working now! You’re right, the client token needs to be obtained first before making a request to Azure, and having the correct parameter names in the token request is really important.

Azure AD was asking for a client secret because it wasn’t recognizing the GCP token properly. The key things to check are that the issuer, subject, and audience in the GCP token exactly match what’s set up in Azure Federated Credentials.

Also, the OAuth request should use client_credentials instead of jwt-bearer. If the service principal doesn’t have the right permissions, like Reader or Contributor, Azure might issue a token but still fail when calling APIs.

Here’s the updated code that should work:

import requests # Exchange GCP token for Azure token azure_token_url = "https://login.microsoftonline.com/tenantId/oauth2/v2.0/token" azure_client_id = "appId" data = { "grant_type": "client_credentials", "client_id": azure_client_id, "client_assertion": gcp_token, "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "scope": "https://management.azure.com/.default" } azure_response = requests.post(azure_token_url, headers={"Content-Type": "application/x-www-form-urlencoded"}, data=data) if azure_response.status_code != 200: print(f"Azure AD Error: {azure_response.json()}") exit(1) azure_ad_token = azure_response.json()["access_token"] # Test Azure AD token headers = {'Authorization': f'Bearer {azure_ad_token}'} response = requests.get("https://management.azure.com/subscriptions?api-version=2020-01-01", headers=headers) print(response.json())

For more details on generating an access token using federated credentials, you can refer to this Microsoft article.

Hope this helps!

If this answer was helpful, please click "Accept the answer" and mark Yes, as this can be beneficial to other community members.

If you have any other questions or still running into more issues, let me know in the "comments" and I would be happy to help you.
SrideviM 2,065 Reputation points Microsoft External Staff

2025-03-27T03:33:23.6566667+00:00

Hello Geo Cheng,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.
SrideviM 2,065 Reputation points Microsoft External Staff

2025-03-28T02:35:31.2766667+00:00

Hello Geo Cheng,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. If your question has been solved, then you can click Accept Answer and Yes , which may help members with similar questions. Thank you very much!
Geo Cheng 30 Reputation points

2025-03-28T16:52:00.88+00:00

accepted as anwer, thanks

Share via

WIF still requires client secret

0 additional answers

Your answer