.WithCertificate with /common audience scenario is broken
Which version of MSAL are you using?
<PackageReference Include="Microsoft.Identity.Client" Version="2.7.0" />
Platform: netcore 2.2
What authentication flow has the issue?
- Desktop / Mobile
  - Interactive
  - Integrated Windows Auth
  - Username Password
  - Device code flow (browserless)
- Web App
  - Authorization code
  - OBO
- Web API
  - OBO
Code based on this sample https://github.com/microsoftgraph/aspnetcore-connect-sample
Is this a new or existing app? It's a new app: I created a new empty dotnet core web application and took the code from the above sample as inspiration.
Repro
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Client;

// Azure options method.
// ClientCredential with a key when ClientSecret is filled, with a certificate when it is not
// (both created in the portal correctly!!)
public ClientCredential GetClientCredential()
{
    if (!string.IsNullOrEmpty(ClientSecret))
        return new ClientCredential(ClientSecret);

    if (!string.IsNullOrEmpty(CertificateThumbprint))
    {
        X509Certificate2 cert = GetCertificate();
        if (cert != null)
            return new ClientCredential(new ClientAssertionCertificate(cert));
    }

    throw new ArgumentException("No client secret or certificate configured");
}

// Actual code.
var cca = new ConfidentialClientApplication(
    _azureOptions.ClientId,
    _azureOptions.GetAuthority(),   // the /common authority in this scenario
    redirectUrl,
    _azureOptions.GetClientCredential(),
    new Helpers.SessionTokenCache(identifier, memoryCache).GetCacheInstance(),
    null);                          // no app token cache
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
Expected behavior: get an access token.
Actual behavior: exception thrown (when the certificate is set):
"AADSTS700023: Client assertion audience claim does not match Realm issuer.
Trace ID: 36e0fa3f-437e-45b5-825e-472930cc7100
Correlation ID: fa45528a-9bde-4eaa-9fd1-ab7c44d15348
Timestamp: 2019-02-18 22:35:46Z"
An access token is returned when the secret is set (to check that the client is created correctly and that the problem has nothing to do with the redirect URI, an invalid client, ...).
Possible Solution
It seems like the ClientAssertionCertificate doesn't accept a ClientID anymore, and according to this page the client ID should be in the assertion. In the past it did accept a ClientID, as shown in the "test code" from earlier. So I would expect the ClientAssertionCertificate to have a new ClientAssertionCertificate(string clientId, X509Certificate2 certificate) constructor.
Additional context / Logs / Screenshots: The following code isn't working anymore, and I cannot find when it would be removed. https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/28473ce9460cfbeb191df346db565926d044f2e7/tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultSecretsProvider.cs#L145
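The AADSTS700023 error in the report is a mismatch between the `aud` claim inside the signed client assertion and the realm (tenant) that receives it: a certificate-based confidential client signs a JWT whose audience must be the tenant-specific token endpoint, and `/common` is not a tenant. The following Python is an added illustration of that assertion format and of the audience check a practitioner would want before building one; it is not code from the issue or from MSAL. The claim set (`aud`, `iss`, `sub`, `jti`, `nbf`, `exp`) and the `x5t` header follow the Azure AD certificate-credential format; the signer is a labelled stand-in for RS256 signing with the certificate's private key, and the certificate bytes, client id and authority values are constructed for the demo.

```python
import base64
import hashlib
import json
import time
import uuid
from urllib.parse import urlparse

# Authority path segments that name a login policy, not a tenant (realm). A client
# assertion whose aud points at one of these cannot match any realm issuer, which is
# what AADSTS700023 ("audience claim does not match Realm issuer") reports.
TENANTLESS_SEGMENTS = {"common", "organizations", "consumers"}

# Constructed placeholder, not a real certificate: only its SHA-1 thumbprint is used here.
FAKE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_endpoint(authority: str):
    """Map an authority URL (https://login.microsoftonline.com/<tenant>[/...]) to
    (tenant, v2.0 token endpoint). The first path segment is the tenant."""
    parts = urlparse(authority)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or not parts.netloc or not segments:
        raise ValueError(f"not an AAD authority URL: {authority!r}")
    tenant = segments[0]
    return tenant, f"https://{parts.netloc}/{tenant}/oauth2/v2.0/token"


def check_assertion_audience(authority: str):
    """Return (ok, audience, reason). ok is False when the audience the authority
    implies is tenant-less and would be rejected for a client assertion."""
    tenant, endpoint = token_endpoint(authority)
    if tenant.lower() in TENANTLESS_SEGMENTS:
        return (False, endpoint,
                f"'{tenant}' is not a realm: aud={endpoint} fails with AADSTS700023; "
                "use the tenant id or a verified domain in the authority")
    return True, endpoint, "audience is tenant-specific"


def cert_thumbprint_x5t(cert_der: bytes) -> str:
    """x5t header value: base64url of the SHA-1 thumbprint of the DER certificate."""
    return b64url(hashlib.sha1(cert_der).digest())


def placeholder_signer(signing_input: bytes) -> bytes:
    """Stand-in for RSA-SHA256 signing with the certificate's private key (for example
    via the `cryptography` package). A real assertion needs a genuine RS256 signature;
    this only produces bytes of the right shape so the JWT structure can be inspected."""
    return hashlib.sha256(signing_input).digest()


def build_client_assertion(client_id, authority, cert_der, sign, now=None, lifetime=600):
    """Assemble header.claims.signature for a certificate client credential, refusing
    to build one whose audience is known to be unacceptable."""
    ok, audience, reason = check_assertion_audience(authority)
    if not ok:
        raise ValueError(reason)
    header = {"alg": "RS256", "typ": "JWT", "x5t": cert_thumbprint_x5t(cert_der)}
    issued_at = int(time.time()) if now is None else now
    claims = {
        "aud": audience,          # tenant-specific token endpoint
        "iss": client_id,         # the application (client) id ...
        "sub": client_id,         # ... appears as both issuer and subject
        "jti": str(uuid.uuid4()), # unique id so the assertion cannot be replayed
        "nbf": issued_at,
        "exp": issued_at + lifetime,
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def decode_header(assertion: str) -> dict:
    return json.loads(b64url_decode(assertion.split(".")[0]))


def decode_claims(assertion: str) -> dict:
    return json.loads(b64url_decode(assertion.split(".")[1]))


if __name__ == "__main__":
    client_id = "11111111-2222-3333-4444-555555555555"   # constructed
    for authority in ("https://login.microsoftonline.com/common",
                      "https://login.microsoftonline.com/contoso.onmicrosoft.com"):
        ok, aud, reason = check_assertion_audience(authority)
        print(f"{authority}\n  aud={aud}\n  ok={ok}: {reason}")
    jwt = build_client_assertion(client_id, "https://login.microsoftonline.com/contoso.onmicrosoft.com",
                                 FAKE_CERT_DER, placeholder_signer)
    print(json.dumps(decode_claims(jwt), indent=2))
```

The check is deliberately done on the authority before any signing happens, because the server-side error arrives only after the code exchange and is easy to misread as a redirect URI or client configuration problem; running it against both a `/common` and a tenant-specific authority shows which one produces an acceptable audience.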
Issue Analytics
- Created 5 years ago
- Comments: 27 (20 by maintainers)
Top GitHub Comments
MSAL 4.3.1 released
Thanks @jennyf19 and guys!
I really liked the detailed explanation! Great fix.