[SOLVED] Azure AD Microsoft Account Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented


This Content is from Stack Overflow. Question asked by Paula Code

I am having the following problem:

Exception: OAuth token endpoint failure: Status:
Body: {“error”:”invalid_client”,”error_description”:”AADSTS700025: Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented}.

I am using the Microsoft.AspNetCore.Authentication.Microsoft Account library

Program file

.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    options.LoginPath = "/page";
    options.LogoutPath = "/page";
    options.AccessDeniedPath = "/page?code={0}";
    options.ExpireTimeSpan = TimeSpan.FromMinutes(tiempoDeSesion);
    options.Cookie.Name = ".CookieName.Sec";
    options.SlidingExpiration = true;
.AddMicrosoftAccount(microsoftOptions =>
    microsoftOptions.ClientId = builder.Configuration["AzureAd:ClientId"];
    microsoftOptions.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];
    microsoftOptions.CallbackPath = new PathString("/signin-microsoft-token");
    microsoftOptions.AuthorizationEndpoint = $"https://login.microsoftonline.com/{builder.Configuration["AzureAd:TenantId"]}/oauth2/v2.0/authorize";
    microsoftOptions.TokenEndpoint = $"https://login.microsoftonline.com/{builder.Configuration["AzureAd:TenantId"]}/oauth2/v2.0/token";
    microsoftOptions.SaveTokens = true;
    microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
    microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.Name, "displayName");
    microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "givenName");
    microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.Surname, "surname");
                                   user => user.GetString("mail") ?? user.GetString("userPrincipalName"));


The error "AADSTS700025: Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented" usually occurs if you are using Public Client Application and passing the client_secret to generate the access token.

You can verify whether your application is Public client or not like below:

enter image description here

Mobile and desktop applications are Public Client. If you want your Azure AD Application as public, then you can avoid giving client_secret parameter by excluding the below line in the code:

microsoftOptions.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];

After excluding the client_secret, try generating the access token.

If you want your application as Confidential, then make sure to change your existing Azure AD Application/Create new Azure AD Application as WEB like below:

Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Authentication -> Save

enter image description here

This configuration will make you Azure AD Application as confidential and you can pass client_secret to generate access token.

I tried to reproduce the same in my environment via Postman and got the access token successfully for Web application like below:

POST https://login.microsoftonline.com/TenantId/oauth2/v2.0/token

enter image description here

Please note that public applications are restricted, and they cannot pass any secrets.


Public and confidential client apps (MSAL) – Microsoft Entra

This Question was asked in StackOverflow by Paula Code and Answered by Rukmini It is licensed under the terms of CC BY-SA 2.5. - CC BY-SA 3.0. - CC BY-SA 4.0.

people found this article helpful. What about you?