bbqchickenrobot
Reputation: 3709
Missing Client Secret or Client Certificate
MsalClientException: IDW10104: Both client secret and client certificate cannot be null or whitespace, and only ONE must be included in the configuration of the web app when calling a web API. For instance, in the appsettings.json file.
Microsoft.Identity.Web.MicrosoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(string clientSecret, IEnumerable<CertificateDescription> cert)
Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplicationAsync()
Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplicationAsync()
Microsoft.Identity.Web.TokenAcquisition.AddAccountToCacheFromAuthorizationCodeAsync(AuthorizationCodeReceivedContext context, IEnumerable<string> scopes)
Microsoft.Identity.Web.MicrosoftIdentityWebAppAuthenticationBuilder+<>c__DisplayClass11_1+<<WebAppCallsWebApiImplementation>b__1>d.MoveNext()
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RunAuthorizationCodeReceivedEventAsync(OpenIdConnectMessage authorizationResponse, ClaimsPrincipal user, AuthenticationProperties properties, JwtSecurityToken jwt)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
This occurs after a successful sign-in via Azure AD. I have passed in the client secret as well (via user-secrets and appSettings). For source code reference, I am using the following example project:
https://github.com/damienbod/AspNetCoreUsingGraphApi
Upvotes: 2
Views: 14967
Answers (1)
Jim Xu
Reputation: 23141
If you want to call web api projected by AzureAD in web app, please refer to the following steps
appsettings.json
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"ClientId": "[Client_id-of-web-app-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
"TenantId": "common"
// To call an API
"ClientSecret": "[Copy the client secret added to the app from the Azure portal]",
},
"MyApi": {
"BaseUrl": "https://graph.microsoft.com/beta",
"Scopes": "user.read"
}
}
startup.cs
using Microsoft.Identity.Web;
public class Startup
{
// ...
public void ConfigureServices(IServiceCollection services)
{
// ...
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration, "AzureAd")
.EnableTokenAcquisitionToCallDownstreamApi(new string[]{"" })
.AddDownstreamWebApi("MyApi", Configuration.GetSection("MyApi"))
.AddInMemoryTokenCaches();
// ...
}
// ...
}
- call api
[Authorize]
public class HomeController : Controller
{
readonly ITokenAcquisition tokenAcquisition;
public HomeController(ITokenAcquisition tokenAcquisition)
{
this.tokenAcquisition = tokenAcquisition;
}
[AuthorizeForScopes(Scopes = new[] { "user.read" })]
public async Task<IActionResult> Profile()
{
// Acquire the access token.
string[] scopes = new string[]{"user.read"};
string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);
// Use the access token to call a protected web API.
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
string json = await client.GetStringAsync(url);
}
}
For more details, please refer to here.
Upvotes: 7
Related Questions
- AADSTS50012: Invalid client secret is provided when moving from a Test App to Production
- AADSTS70003: The app requested an unsupported grant type 'client_credential'
- Microsoft Graph REST API invalid client secret
- Microsoft Graph client error : Authentication challenge is required error
- SSL errors on graph.windows.net
- Microsoft Graph client error : Authentication challenge is required
- Microsoft Graph - WithCertificate - fails with "The provided certificate has a key that is not accessable."
- Graph API Client token authentication issue
- Client Credentials access token not working office 365
- Trouble with authorization using client_credentials Azure AD Graph API