[Enhancement][L] ConfidentialClient does not support ECDsa client application certificates.
Which Version of MSAL are you using? 4.30
Platform ASPNETCORE 5.0
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- Web App
- Authorization code
- OBO
- Daemon App
- Service to Service calls
Other? - please describe;
Is this a new or existing app? existing
Repro
- Register an AzureAD confidential client application with a certificate using ECDsa
- Create an instance on the ConfidentialClient
- Try and acquire an OBO token
```csharp
// BindAsync is the reporter's own helper that returns the IConfidentialClientApplication
// configured with the ECDsa certificate for the given tenant.
var onBehalfOfClientApplication = await this.oauthTokenProvider.BindAsync(accountId, this.TenantId).ConfigureAwait(false);
// The OBO request fails while MSAL signs the client assertion with the certificate.
var oboResult = await onBehalfOfClientApplication
    .AcquireTokenOnBehalfOf(oauthScopes, userAssertion)
    .ExecuteAsync().ConfigureAwait(false);
```
Expected behavior A token.
Actual behavior
```text
System.NotSupportedException: The certificate key algorithm is not supported.
   at System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
   at Microsoft.Identity.Client.Platforms.netcore.NetCoreCryptographyManager.SignWithCertificate(String message, X509Certificate2 certificate)
   at Microsoft.Identity.Client.Internal.ClientCredentialWrapper.Sign(ICryptographyManager cryptographyManager, String message)
   at Microsoft.Identity.Client.Internal.JsonWebToken.Sign(ClientCredentialWrapper credential, Boolean sendCertificate)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialHelper.CreateClientCredentialBodyParameters(ICoreLogger logger, ICryptographyManager cryptographyManager, ClientCredentialWrapper clientCredential, String clientId, AuthorityEndpoints endpoints, Boolean sendX5C)
   at Microsoft.Identity.Client.OAuth2.TokenClient.AddBodyParamsAndHeaders(IDictionary`2 additionalBodyParameters, String scopes)
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(String tokenEndpoint, IDictionary`2 additionalBodyParameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenOnBehalfOfParameters onBehalfOfParameters, CancellationToken cancellationToken)
   at Chorus.Services.Application.ChorusServerApplication.AssignTenantOwnerAsync(TenantOptions tenantOptions, AuthenticationResult authenticationResult, TrackedTelemetry trackedTelemetry, CancellationToken cancellationToken) in C:\Ossiaco\chorus\src\Chorus.Services\src\Application\ChorusServerApplication.cs:line 94
   at Chorus.Services.Configure.Azure.ChorusResourceManager.<>c__DisplayClass12_1.<<ConfigureChorusApplicationAsync>b__2>d.MoveNext() in C:\Ossiaco\chorus\src\Chorus.Services.Configure\src\Azure\ChorusResourceManager.cs:line 374
```
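An added example, not code from the issue or from MSAL: a startup preflight in the project's own C# that turns this failure into a clear configuration error before any token request, and a check that reproduces the root cause, the legacy `PublicKey.Key` accessor MSAL 4.30 called, which only understands RSA and DSA and throws `NotSupportedException` for EC keys on .NET Core. The names `ClientCertificatePreflight`, `CheckForMsal` and `LegacyPublicKeyAccessorThrows` are hypothetical, and the certificates are constructed self-signed test material built in memory.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of MSAL): validate the client certificate at startup so an
// unsupported key algorithm fails clearly instead of deep inside AcquireTokenOnBehalfOf.
static class ClientCertificatePreflight
{
    // Returns null when the certificate can back an MSAL client credential,
    // otherwise the reason it cannot.
    public static string CheckForMsal(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            return "certificate has no private key; the client assertion cannot be signed";
        // MSAL signs the client assertion JWT with the RSA private key (RS256).
        using (var rsa = cert.GetRSAPrivateKey())
            if (rsa != null) return null;
        using (var ec = cert.GetECDsaPrivateKey())
            if (ec != null) return "ECDsa key: Azure AD accepts only RSA client certificates";
        return $"unsupported key algorithm (OID {cert.PublicKey.Oid.Value})";
    }

    // Reproduces the root cause from the stack trace: PublicKey.Key throws
    // NotSupportedException for anything other than RSA or DSA on .NET Core.
    public static bool LegacyPublicKeyAccessorThrows(X509Certificate2 cert)
    {
        try { _ = cert.PublicKey.Key; return false; }
        catch (NotSupportedException) { return true; }
    }

    // Constructed, short-lived self-signed test certificates (no real PKI material).
    static X509Certificate2 SelfSigned(AsymmetricAlgorithm key, string cn)
    {
        var now = DateTimeOffset.UtcNow;
        var req = key is RSA rsa
            ? new CertificateRequest($"CN={cn}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            : new CertificateRequest($"CN={cn}", (ECDsa)key, HashAlgorithmName.SHA256);
        return req.CreateSelfSigned(now, now.AddHours(1));
    }

    static void Main()
    {
        using var rsaKey = RSA.Create(2048);
        using var ecKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using var rsaCert = SelfSigned(rsaKey, "rsa-test");
        using var ecCert = SelfSigned(ecKey, "ecdsa-test");
        Console.WriteLine($"RSA cert:   {CheckForMsal(rsaCert) ?? "ok"}");
        Console.WriteLine($"ECDsa cert: {CheckForMsal(ecCert)}");
        Console.WriteLine($"PublicKey.Key throws for ECDsa: {LegacyPublicKeyAccessorThrows(ecCert)}");
    }
}
```

Running the preflight when the confidential client is built (before `BindAsync` in the repro) surfaces the unsupported ECDsa key as a configuration error at startup rather than as a failed OBO request at runtime.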
Issue Analytics
- Created 2 years ago
- Comments: 16 (7 by maintainers)
Top GitHub Comments
I haven’t actually had the time to look into using Signed Assertions. For the moment I reverted the application certificate back to self-signed RSA. If this gets implemented in the upcoming weeks, then I will go back to using my PKI ECDsa certificates.
@fuocor We just came to know from ests that ECDsa certs are not supported by them. They only support RSA certs. Closing this issue as we will not be able to support ECDsa certs.