
MSAL ConfidentialClientApplication using SNI (x5c) throwing "AADSTS700027: Client assertion contains an invalid signature"


Core Library

MSAL Node (@azure/msal-node)

Core Library Version

1.1.0

Wrapper Library

Not Applicable

Wrapper Library Version

None

Description

I’m having trouble acquiring a first-party AAD token using msal-node using SNI. I followed the example in the documentation but I keep getting an unhelpful error message.

"invalid_client: 700027 - [2021-06-10 22:21:00Z]: AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '3BAFFDE57ADC4ABB93374403C529DD84776E9B0F', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '9edfcdd9-0bc5-4bd4-b287-c3afc716aac7'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft-ppe.com/beta/applications/9edfcdd9-0bc5-4bd4-b287-c3afc716aac7']\r\nTrace ID: 60dec111-cbde-4d7b-8781-72e62a760500\r\nCorrelation ID: 6fe920bc-4850-4137-849e-7e4046b86753\r\nTimestamp: 2021-06-10 22:21:00Z - Correlation ID: 6fe920bc-4850-4137-849e-7e4046b86753 - Trace ID: 60dec111-cbde-4d7b-8781-72e62a760500"

I verified we are passing in a valid secret, thumbprint, and x5c certificate for the request but I continue to get the error. We attempted to get a token using ADAL and @azure/identity libraries and had no problem with it. I’m not sure what the next steps are for attempting to debug this issue. Below is a snippet of the code.

MSAL Configuration

No response

Relevant Code Snippets

const msal = require('@azure/msal-node');

const resource = 'https://serviceidentity.azure-int.net/';
const authorization = 'https://login.windows-ppe.net/5D929AE3-B37C-46AA-A3C8-C1558902F101';
const applicationId = '9edfcdd9-0bc5-4bd4-b287-c3afc716aac7';

// Base64-encoded PEM private key, certificate thumbprint, and base64-encoded
// PEM public certificate (values omitted from the report)
const aadCert = '';
const aadCertThumb = '';
const aadPublicCert = '';

async function acquireToken() {
    const cca = new msal.ConfidentialClientApplication({
        auth: {
            clientId: applicationId,
            authority: authorization,
            clientCertificate: {
                thumbprint: aadCertThumb,
                privateKey: Buffer.from(aadCert, 'base64').toString(),
                x5c: Buffer.from(aadPublicCert, 'base64').toString()
            }
        }
    });
    // Client credentials flow: the request carries a JWT client assertion
    // signed with the private key and the public cert in the x5c header
    return cca.acquireTokenByClientCredential({
        scopes: [`${resource}.default`],
    });
}

Identity Provider

Azure AD / MSA

Source

Internal (Microsoft)

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:5 (3 by maintainers)

Top GitHub Comments

2 reactions
sameerag commented, Jun 21, 2021

We figured that this is a usage issue, windows is inserting carriage return if the x5c is initiated a certain way invalidating it on the server end. We plan to document this for now, and work with the server team to see if this is something they can address. cc @derisen for documenting this.

0 reactions
msftbot[bot] commented, Jun 21, 2021

@r-delgadillo This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.
