Issue
This Content is from Stack Overflow. Question asked by Paula Code
I am having the following problem:
Exception: OAuth token endpoint failure: Status:
Body: {“error”:”invalid_client”,”error_description”:”AADSTS700025: Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented}.
I am using the Microsoft.AspNetCore.Authentication.Microsoft Account library
Program file
builder.Services.AddAuthentication()
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
options.LoginPath = "/page";
options.LogoutPath = "/page";
options.AccessDeniedPath = "/page?code={0}";
options.ExpireTimeSpan = TimeSpan.FromMinutes(tiempoDeSesion);
options.Cookie.Name = ".CookieName.Sec";
options.SlidingExpiration = true;
})
.AddMicrosoftAccount(microsoftOptions =>
{
microsoftOptions.ClientId = builder.Configuration["AzureAd:ClientId"];
microsoftOptions.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];
microsoftOptions.CallbackPath = new PathString("/signin-microsoft-token");
microsoftOptions.AuthorizationEndpoint = $"https://login.microsoftonline.com/{builder.Configuration["AzureAd:TenantId"]}/oauth2/v2.0/authorize";
microsoftOptions.TokenEndpoint = $"https://login.microsoftonline.com/{builder.Configuration["AzureAd:TenantId"]}/oauth2/v2.0/token";
microsoftOptions.Scope.Add("https://graph.microsoft.com/user.read");
microsoftOptions.SaveTokens = true;
microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.Name, "displayName");
microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "givenName");
microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.Surname, "surname");
microsoftOptions.ClaimActions.MapCustomJson(ClaimTypes.Email,
user => user.GetString("mail") ?? user.GetString("userPrincipalName"));
});Solution
The error "AADSTS700025: Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented" usually occurs if you are using Public Client Application and passing the client_secret to generate the access token.
You can verify whether your application is Public client or not like below:
Mobile and desktop applications are Public Client. If you want your Azure AD Application as public, then you can avoid giving client_secret parameter by excluding the below line in the code:
microsoftOptions.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];
After excluding the client_secret, try generating the access token.
If you want your application as Confidential, then make sure to change your existing Azure AD Application/Create new Azure AD Application as WEB like below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Authentication -> Save
This configuration will make you Azure AD Application as confidential and you can pass client_secret to generate access token.
I tried to reproduce the same in my environment via Postman and got the access token successfully for Web application like below:
POST https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
Please note that public applications are restricted, and they cannot pass any secrets.
Reference:
Public and confidential client apps (MSAL) – Microsoft Entra
This Question was asked in StackOverflow by Paula Code and Answered by Rukmini It is licensed under the terms of CC BY-SA 2.5. - CC BY-SA 3.0. - CC BY-SA 4.0.