@azure/msal-browser PublicClientApplication - AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'
Library
- msal@1.x.x or @azure/msal@1.x.x
- @azure/msal-browser@2.12.1
- @azure/msal-node@1.x.x
- @azure/msal-react@1.x.x
- @azure/msal-angular@0.x.x
- @azure/msal-angular@1.x.x
- @azure/msal-angular@2.x.x
- @azure/msal-angularjs@1.x.x
Framework
- Angular
- React
- Other
Description
I have written a Flutter wrapper for the MSAL.js 2.x @azure/msal-browser library.
I have followed all the guides for setting up Azure AD and the MSAL configuration for a PublicClientApplication.
Using the popup login method, the dialog is correctly displayed for the right tenant/client, I can enter a valid user's credentials and they validate with no problem.
However, once the sign-in process completes and the popup is dismissed, I am getting the following error:
Error Message
MSAL: invalid_client:7000218 - [2021-03-20 19:32:54Z]: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
MSAL Configuration
final auth = BrowserAuthOptions()
  ..authority = 'https://login.microsoftonline.com/$tenantId'
  ..clientId = clientId
  ..redirectUri = 'https://localhost:65411';
final configuration = Configuration()..auth = auth;
final publicClientApplication = PublicClientApplication(configuration);
...
const List<String> scopes = ['User.Read'];
final request = PopupRequest()..scopes = scopes;
final response = await widget.publicClientApplication.loginPopup(request);
Azure AD Configuration
Reproduction steps
see above
Expected behavior
I have spent hours looking through Stack Overflow and git issues. The key thing missing in most cases, and which I subsequently added, was the “Allow public client flows” setting in AAD. However, even after setting this to true the error is still persisting.
Any assistance on the matter would be greatly appreciated. We already have over half a dozen Flutter applications, being used by hundreds of key users, across our enterprise. We have used an MSAL.js 1.x wrapper to date but have been facing too many third-party cookie policy issues on browsers. We need a solution otherwise we may need to consider alternatives.
Any assistance, ideas, suggestions, etc. would be greatly appreciated. Thanks!
Identity Provider
- Azure AD
- Azure B2C Basic Policy
- Azure B2C Custom Policy
- ADFS
- Other
Browsers/Environment
- Chrome
- Firefox
- Edge
- Safari
- IE
- Other (Please add browser name here)
Regression
- Did this behavior work before? Version: n/a
Security
- Is this issue security related?
Source
- Internal (Microsoft)
- Customer request
Issue Analytics
- State:
- Created 3 years ago
- Comments:8
Top GitHub Comments
Cheers!
Sorry, I should have elaborated - it is a web app, i.e. Flutter Web.
On the other hand thank you so much for that URI guidance link.
This was the issue! Removed all localhost:XXXX URIs from the Web platform in AAD and everything now works! Much, much appreciated!
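The fix reported in the last comment can be checked before sign-in with a small audit, shown here as an added example that is not part of the original issue or of MSAL. It assumes the app registration is available as a Microsoft Graph application object (`web.redirectUris`, `spa.redirectUris`); the function names are hypothetical, the sample registration is constructed, and treating loopback ports as irrelevant when matching is an assumption based on the thread's "localhost:XXXX" entries.

```javascript
// Added example: find redirect URIs registered under the "Web" platform that
// collide with the URI a browser (auth code + PKCE) client uses. A Web-type
// match makes the token endpoint expect client_secret / client_assertion,
// which is what AADSTS7000218 reports.

const LOOPBACK = new Set(['localhost', '127.0.0.1']);

// Build a comparison key. Assumption: the port is ignored for loopback hosts.
function matchKey(uri) {
  const u = new URL(uri);
  const host = LOOPBACK.has(u.hostname) ? u.hostname : u.host;
  return `${u.protocol}//${host}${u.pathname}`;
}

// app: object shaped like the Graph application resource.
// redirectUri: the value passed to the MSAL auth configuration.
function auditRedirectUri(app, redirectUri) {
  const key = matchKey(redirectUri);
  const hits = (list) => (list || []).filter((r) => matchKey(r) === key);
  const webConflicts = hits(app.web && app.web.redirectUris);
  const spaMatches = hits(app.spa && app.spa.redirectUris);

  let verdict = 'ok';
  if (webConflicts.length > 0) {
    verdict = 'remove-web-entry';       // the case resolved in this thread
  } else if (spaMatches.length === 0) {
    verdict = 'not-registered-as-spa';  // URI missing from the SPA platform
  }
  return { verdict, webConflicts, spaMatches };
}

// Constructed sample registration (not taken from the issue).
const sampleApp = {
  web: { redirectUris: ['https://localhost:44300', 'https://app.example.com/signin'] },
  spa: { redirectUris: ['https://localhost:65411'] },
};

// Same registration after the Web-platform localhost entry is removed.
const fixedApp = {
  web: { redirectUris: ['https://app.example.com/signin'] },
  spa: { redirectUris: ['https://localhost:65411'] },
};

console.log(auditRedirectUri(sampleApp, 'https://localhost:65411'));
console.log(auditRedirectUri(fixedApp, 'https://localhost:65411'));
```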