c# - MsalException: AADSTS7000218 The request body must contain the following parameter: 'client_assertion' or 'client_secret'


I am following this tutorial:

https://learn.microsoft.com/en-us/entra/identity-platform/scenario-desktop-acquire-token-interactive?tabs=dotnet

and copy-pasted the example of my previously made App just like that:

string[] scopes = new string[] { "user.read" };

var app = PublicClientApplicationBuilder.Create("YOUR_CLIENT_ID")
    .WithDefaultRedirectUri()
    .Build();

var accounts = await app.GetAccountsAsync();

AuthenticationResult result;
try
{
    result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
      .ExecuteAsync();
}
catch (MsalUiRequiredException)
{
    result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
}

However I get this error:

{
  "error": "invalid_client",
  "error_description": "AADSTS7000218: The request body must contain the following parameter: \u0027client_assertion\u0027 or \u0027client_secret\u0027.",
  "error_codes": [
    7000218
  ],
  "error_uri": "https://login.microsoftonline.com/error?code\u003d7000218"
}

I tried, among other things, turning on "Allow public client flows" on my App, but it does not work. I am confused; I should NOT require a secret.

Here is my manifest:

{
    "id": "id",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": true,
    "appId": "id",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "Date",
    "description": null,
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": null,
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "mzname",
    "notes": null,
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "Restrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [],
    "publisherDomain": "domain",
    "replyUrlsWithType": [
        {
            "url": "https://login.microsoftonline.com/common/oauth2/nativeclient",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            //things...
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [],
    "tokenEncryptionKeyId": null
}
asked Mar 3 at 15:57 by prgrm, edited Mar 4 at 9:03

Comment by Sridevi (Mar 4 at 11:45): Hi @prgrm, could you include a screenshot of your app registration's Authentication tab in the Portal, to check on what platform you added the redirect URI?

1 Answer

The error occurs if you add the redirect URI on a platform other than "Mobile & desktop applications" while using the interactive flow with the public client flow option enabled.

Initially, I too got the same error when I added the redirect URI on the Web platform and tried to generate a token with the interactive flow:

To resolve the error, remove the redirect URI from the Web platform and add http://localhost under the "Mobile & desktop applications" platform for interactive flows like this:

When I ran the code again after making the above change, I got the access token successfully after user authentication:

using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class Program
{
    static async Task Main(string[] args)
    {
        string clientId = "appId"; // application (client) ID from the app registration
        string[] scopes = new string[] { "User.Read" };

        // Public client: no client secret is configured. WithDefaultRedirectUri() picks the
        // default redirect URI for the platform (http://localhost for .NET console apps),
        // so that URI must be registered under "Mobile & desktop applications".
        var app = PublicClientApplicationBuilder.Create(clientId)
            .WithDefaultRedirectUri()
            .Build();

        try
        {
            AuthenticationResult result = await AuthenticateAsync(app, scopes);
            Console.WriteLine($"Access Token: {result.AccessToken}");
        }
        catch (MsalServiceException ex)
        {
            // The raw token-endpoint response carries the AADSTS error code and description.
            Console.WriteLine(ex.ResponseBody);
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Error: {ex.Message}");
        }
    }

    static async Task<AuthenticationResult> AuthenticateAsync(IPublicClientApplication app, string[] scopes)
    {
        var accounts = await app.GetAccountsAsync();
        AuthenticationResult result;

        try
        {
            // Try the token cache first; only fall back to the browser when MSAL says UI is required.
            result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
        }

        return result;
    }
}

Response:

If the error still persists, try creating a new application and make sure to add the redirect URI as http://localhost on the "Mobile & desktop applications" platform.

Reference:

c# - AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret' - Stack Overflow (by me)
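A way to catch this misconfiguration from the manifest itself, before running the app: the check below is an added example, not code from the question or the answer, and parses the manifest fields shown above (`allowPublicClient`, `replyUrlsWithType`). It assumes the manifest convention that "Mobile & desktop applications" entries carry type `InstalledClient` while `Web` entries belong to confidential clients; the `ManifestLint` class, the `FindPublicClientWebRedirects` function and the embedded sample manifest are constructed for the example.

```csharp
// Added example: lint an Entra app manifest for the problem diagnosed above,
// a public client whose redirect URI is registered on the "Web" platform.
// "Mobile & desktop applications" entries have type "InstalledClient"; a "Web"
// entry makes the token endpoint expect client_secret / client_assertion.
// Requires C# 11 (raw string literal) and System.Text.Json.
using System;
using System.Collections.Generic;
using System.Text.Json;

static class ManifestLint
{
    // Constructed sample, trimmed to the fields that matter; mirrors the question's manifest.
    const string SampleManifest = """
    {
      "allowPublicClient": true,
      "replyUrlsWithType": [
        { "url": "https://login.microsoftonline.com/common/oauth2/nativeclient", "type": "Web" },
        { "url": "http://localhost", "type": "InstalledClient" }
      ]
    }
    """;

    // Returns one finding per reply URL that a public client would use but that is
    // registered on a platform requiring a client credential (empty list = no problem).
    public static List<string> FindPublicClientWebRedirects(string manifestJson)
    {
        var findings = new List<string>();
        using var doc = JsonDocument.Parse(manifestJson);
        var root = doc.RootElement;
        bool isPublic = root.TryGetProperty("allowPublicClient", out var apc) && apc.ValueKind == JsonValueKind.True;
        if (!isPublic) return findings; // confidential clients legitimately use Web redirects
        if (!root.TryGetProperty("replyUrlsWithType", out var urls)) return findings;
        foreach (var entry in urls.EnumerateArray())
        {
            string url = entry.GetProperty("url").GetString() ?? "";
            string type = entry.GetProperty("type").GetString() ?? "";
            if (type == "Web")
                findings.Add($"{url} is on the Web platform; move it to Mobile & desktop (InstalledClient) or expect AADSTS7000218");
        }
        return findings;
    }

    static void Main()
    {
        // For the sample manifest this reports the nativeclient URL and stays silent on http://localhost.
        foreach (var finding in FindPublicClientWebRedirects(SampleManifest))
            Console.WriteLine(finding);
    }
}
```

Running it against the manifest exported from the Portal (replace `SampleManifest` with the file contents) flags exactly the entry the answer says to remove.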
