
.WithCertificate with /common audience scenario is broken

See original GitHub issue

Which version of MSAL are you using? <PackageReference Include="Microsoft.Identity.Client" Version="2.7.0" />

Platform: netcore 2.2

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Code based on this sample: https://github.com/microsoftgraph/aspnetcore-connect-sample

Is this a new or existing app? It's a new app. I created a new empty dotnet core web application and took the code from the above sample as inspiration.

Repro

// Usings the snippet needs (MSAL 2.x, netcore 2.2).
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Client;

// Azure options method.
// Client credential: client secret when one is configured, certificate otherwise
// (both created in the portal correctly!!)
public ClientCredential GetClientCredential()
{
    if (!string.IsNullOrEmpty(ClientSecret))
        return new ClientCredential(ClientSecret);
    if (!string.IsNullOrEmpty(CertificateThumbprint))
    {
        X509Certificate2 cert = GetCertificate();   // loads the cert by thumbprint from the store
        if (cert != null)
            return new ClientCredential(new ClientAssertionCertificate(cert));
    }
    throw new ArgumentException("No client secret or certificate configured");
}

// Actual code.
var cca = new ConfidentialClientApplication(
    _azureOptions.ClientId,
    _azureOptions.GetAuthority(),        // authority ends in /common in the failing case
    redirectUrl,
    _azureOptions.GetClientCredential(),
    new Helpers.SessionTokenCache(identifier, memoryCache).GetCacheInstance(),
    null);                               // no app token cache needed for the auth-code flow

var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);


Expected behavior: get an access token.

Actual behavior: exception thrown (when the certificate is set):

"AADSTS700023: Client assertion audience claim does not match Realm issuer.
Trace ID: 36e0fa3f-437e-45b5-825e-472930cc7100
Correlation ID: fa45528a-9bde-4eaa-9fd1-ab7c44d15348
Timestamp: 2019-02-18 22:35:46Z"

An access token is returned when the secret is set (which confirms the client is created correctly and the failure has nothing to do with the redirect URI, an invalid client, ...).

Possible solution: it seems the ClientAssertionCertificate doesn't accept a ClientID anymore, and according to this page the client ID should be in the assertion.

In the past it did accept a ClientID as shown in the “test code” from earlier.

So I would expect the ClientAssertionCertificate to have a new ClientAssertionCertificate(string clientId, X509Certificate2 certificate) constructor.

Additional context / logs / screenshots: the following code isn't working anymore, and I cannot find when it was removed. https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/28473ce9460cfbeb191df346db565926d044f2e7/tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultSecretsProvider.cs#L145
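To make the "client ID should be in the assertion" point concrete, the block below builds a certificate client assertion by hand in the standard layout (x5t header; aud, iss, sub, jti, nbf, exp claims) and reads the aud claim back out, so you can compare what is sent with the token endpoint of the authority actually used. This is an added example written for this page; it is not code from the issue, from the sample, or from MSAL.NET, which builds the assertion internally. It assumes only the .NET BCL (netcore 2.x or later); the client ID and endpoint values, the self-signed certificate, and the names ClientAssertionDemo, Build and ReadAudience are illustrative.

```csharp
// Added example, not from the issue or MSAL.NET: hand-built certificate client assertion.
// Assumptions: .NET Core 2.x+ BCL only; all names and values below are illustrative.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class ClientAssertionDemo
{
    // RFC 4648 base64url without padding, the encoding JWT segments require.
    static string B64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4) { case 2: t += "=="; break; case 3: t += "="; break; }
        return Convert.FromBase64String(t);
    }

    // tokenEndpoint is what the server compares the aud claim against, e.g.
    // https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    public static string Build(X509Certificate2 cert, string clientId, string tokenEndpoint)
    {
        // x5t: base64url of the SHA-1 thumbprint bytes; tells the server which registered cert signed this.
        string x5t = B64Url(cert.GetCertHash());
        string header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"" + x5t + "\"}";

        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string payload =
            "{\"aud\":\"" + tokenEndpoint + "\"," +
            "\"iss\":\"" + clientId + "\"," +        // issuer and subject are both the app (client) ID
            "\"sub\":\"" + clientId + "\"," +
            "\"jti\":\"" + Guid.NewGuid() + "\"," +  // unique per assertion so the server can reject replays
            "\"nbf\":" + now + "," +
            "\"exp\":" + (now + 600) + "}";          // short lifetime; one token request does not need more

        string signingInput = B64Url(Encoding.UTF8.GetBytes(header)) + "." +
                              B64Url(Encoding.UTF8.GetBytes(payload));
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            byte[] sig = rsa.SignData(Encoding.UTF8.GetBytes(signingInput),
                                      HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return signingInput + "." + B64Url(sig);
        }
    }

    // Pulls the aud claim back out of the (flat, self-built) payload for inspection.
    public static string ReadAudience(string assertion)
    {
        string json = Encoding.UTF8.GetString(B64UrlDecode(assertion.Split('.')[1]));
        const string key = "\"aud\":\"";
        int start = json.IndexOf(key, StringComparison.Ordinal) + key.Length;
        return json.Substring(start, json.IndexOf('"', start) - start);
    }

    public static void Main()
    {
        // Constructed self-signed cert so the sample runs offline; a real app loads the portal-registered cert.
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=client-assertion-demo", rsa,
                                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                                                DateTimeOffset.UtcNow.AddDays(1)))
            {
                string clientId = "00000000-0000-0000-0000-000000000000";  // placeholder app ID
                string endpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
                string jwt = Build(cert, clientId, endpoint);
                Console.WriteLine(jwt);
                Console.WriteLine("aud = " + ReadAudience(jwt));
                // If the authority the library resolves differs from the endpoint placed in aud,
                // AAD rejects the assertion with AADSTS700023, the error quoted in this issue.
            }
        }
    }
}
```

When debugging a 700023 from MSAL itself, capture the outgoing token request (for example with an HTTP proxy), decode the client_assertion parameter the same way ReadAudience does, and compare its aud against the /oauth2/v2.0/token URL of the tenant or /common authority the request was actually sent to; the two must agree.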

Issue Analytics

  • State: closed
  • Created: 5 years ago
  • Comments: 27 (20 by maintainers)

Top GitHub Comments

bgavrilMS commented, Aug 27, 2019 (1 reaction)

MSAL 4.3.1 released

svrooij commented, Jun 27, 2019 (1 reaction)

Thanks @jennyf19 and guys!

I really liked the detailed explanation! Great fix.

Top Results From Across the Web

microsoft-authentication-library-for-dotnet/CHANGELOG. ...
WithCertificate with /common audience scenario was broken. Confidential Client authorization flow and OBO were not able to use certificates with the common ...
