Fix error AADSTS7000218 when trying to get authentication token via acquire_token_interactive method of PublicClientApplication class

Ourain 5 Reputation points
2025-04-01T08:04:18.76+00:00

Hello,

I am currently trying to automate a task via a script (no GUI, no web app interface) in Python. I'm trying to get an authentication token to interact with the Graph API using the MSAL library, but I keep getting the following error:

Error: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

I have already tried the solutions available online (enable "Allow public client flows" or use https://login.microsoftonline.com/common/oauth2/nativeclient as a redirect URI instead of http://localhost) and none have worked.

I should add that upon running my script I do get a window that opens in my navigator saying "authentication succeeded".

Microsoft Graph

2 answers

  1. CarlZhao-MSFT 46,316 Reputation points
    2025-04-02T07:43:48.0366667+00:00

    Hi @Ourain

    It depends on the authentication flow you are using. For delegation flows, such as "auth code flow" or "ROPC flow", they do support public client apps. After enabling public client flow for the app, you don't need to provide a client secret.


    But for client credentials flow, it only supports confidential client apps, and you must provide a client secret.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Rukmini 1,171 Reputation points Microsoft External Staff
    2025-04-16T09:28:53.1366667+00:00

    Hello @Ourain,

    I understand that you are getting an authentication token via acquire_token_interactive, but it is asking for a client secret, whereas it must not throw an error.

    The error occurs due to a configuration issue in the Microsoft Entra ID application.

    To resolve the error, make sure that the Microsoft Entra ID application is configured as below:

    As a sample, I used http://localhost as the redirect URL under Mobile and desktop applications:


    And make sure to set "Enable the following mobile and desktop flows:" to YES:


    I used the below code to acquire token interactively:

    
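    from msal import PublicClientApplication

    # Placeholders: application (client) ID and tenant ID of the app registration
    CLIENT_ID = "ClientID"
    AUTHORITY = "https://login.microsoftonline.com/TenantID"

    # Public client: no client_secret or client_assertion is configured
    app = PublicClientApplication(
        client_id=CLIENT_ID,
        authority=AUTHORITY
    )

    scopes = ["User.Read"]

    # Opens the system browser and waits for the sign-in to complete
    result = app.acquire_token_interactive(scopes=scopes)

    if "access_token" in result:
        print("Access token:\n", result["access_token"])
    else:
        # On failure MSAL returns the error fields from the token endpoint
        print("Failed to acquire token:")
        print(result.get("error"))
        print(result.get("error_description"))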
    
    


    Access token generated successfully:


    • Make sure you're using PublicClientApplication, not ConfidentialClientApplication
    • Verify your app registration allows public client flows
    • Use the correct redirect URI (nativeclient)
    • Don't send client_secret or client_assertion
    • If the issue still persists, ensure that the client ID used in your application matches the one registered in Azure.

    If this answer was helpful, please click "Accept the answer" and mark Yes, as this can be beneficial to other community members.


    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
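
The checks from both answers, as an added example that is not part of the original thread: a hypothetical `diagnose` helper takes the MSAL error result and an app-registration fragment and reports which setting explains AADSTS7000218. It assumes the fragment uses the Microsoft Graph application field names `isFallbackPublicClient`, `publicClient.redirectUris` and `web.redirectUris`; all sample data is constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (not taken from a real tenant).
FAILED = {
    "error": "invalid_client",
    "error_description": "AADSTS7000218: The request body must contain the "
                         "following parameter: 'client_assertion' or 'client_secret'.",
}
MISCONFIGURED = {"isFallbackPublicClient": False,
                 "web": {"redirectUris": ["http://localhost"]},
                 "publicClient": {"redirectUris": []}}
FIXED = {"isFallbackPublicClient": True,
         "web": {"redirectUris": []},
         "publicClient": {"redirectUris": ["http://localhost"]}}


def _norm(uri):
    """Drop the port on loopback URIs; MSAL listens on a free local port."""
    parts = urlsplit(uri)
    if parts.hostname in ("localhost", "127.0.0.1"):
        return f"{parts.scheme}://{parts.hostname}{parts.path.rstrip('/')}"
    return uri.rstrip("/")


def diagnose(result, app, redirect_uri, flow="interactive"):
    """Hypothetical helper: list registration issues behind AADSTS7000218."""
    if "access_token" in result:
        return []
    codes = re.findall(r"AADSTS(\d+)", result.get("error_description", ""))
    if "7000218" not in codes:
        return ["other error: %s" % result.get("error")]
    findings = []
    if flow == "client_credentials":
        findings.append("client credentials flow needs a confidential client")
    if not app.get("isFallbackPublicClient"):
        findings.append("public client flows are not enabled")
    want = _norm(redirect_uri)
    public = {_norm(u) for u in app.get("publicClient", {}).get("redirectUris", [])}
    web = {_norm(u) for u in app.get("web", {}).get("redirectUris", [])}
    if want in web and want not in public:
        findings.append("redirect URI is registered under Web, not Mobile and desktop")
    elif want not in public:
        findings.append("redirect URI is not registered for Mobile and desktop")
    return findings


if __name__ == "__main__":
    for line in diagnose(FAILED, MISCONFIGURED, "http://localhost:53124"):
        print("-", line)
```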

