Getting Error: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. #61446

Closed
ksaye opened this issue Aug 24, 2020 · 14 comments

@ksaye
ksaye commented Aug 24, 2020

When running this sample code, specifically the last line:

            static string clientId = "640a5db6-********2709c342";
            static string tenantId = "da5b399b********cd20717ce";
            static string adtInstanceUrl = "https://****adt.api.wcus.digitaltwins.azure.net";            
            var credentials = new InteractiveBrowserCredential(tenantId, clientId);
            DigitalTwinsClient client = new DigitalTwinsClient(new Uri(adtInstanceUrl), credentials);
            Console.WriteLine($"Service client created – ready to go");

            var typeList = new List<string>();
            string dtdl = File.ReadAllText("samplemodel.json");
            typeList.Add(dtdl);

            await client.CreateModelsAsync(typeList);

I get the following error message.

It would appear that we need something where we create and send client_secret, something like: https://github.com/Azure/azure-sdk-for-net/blob/Azure.DigitalTwins.Core_1.0.0-preview.3/sdk/digitaltwins/Azure.DigitalTwins.Core/samples/DigitalTwinsClientSample/Program.cs#L65

Azure.Identity.AuthenticationFailedException
  HResult=0x80131500
  Message=InteractiveBrowserCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details.You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: 34861483-cb7d-4431-a685-c99670f38c00
Correlation ID: 350b929c-a13e-4965-beef-7501191030ea
Timestamp: 2020-08-24 19:14:56Z
  Source=Azure.Identity
  StackTrace:
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.InteractiveBrowserCredential.<GetTokenImplAsync>d__20.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
   at Azure.Identity.InteractiveBrowserCredential.<GetTokenAsync>d__18.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.<GetHeaderValueFromCredentialAsync>d__11.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Runtime.CompilerServices.ValueTaskAwaiter`1.GetResult()
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.<GetHeaderValueAsync>d__8.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Runtime.CompilerServices.ValueTaskAwaiter`1.GetResult()
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.<ProcessAsync>d__6.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable.ConfiguredValueTaskAwaiter.GetResult()
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.<ProcessAsync>d__1.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.DigitalTwins.Core.DigitalTwinModelsRestClient.<AddAsync>d__0.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Azure.DigitalTwins.Core.DigitalTwinsClient.<CreateModelsAsync>d__41.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at ADTConsole.Program.<Main>d__3.MoveNext() in C:\Users\kevinsay\Desktop\ADTConsole\ADTConsole\Program.cs:line 27

  This exception was originally thrown at this call stack:
    [External Code]

Inner Exception 1:
MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details.You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: 34861483-cb7d-4431-a685-c99670f38c00
Correlation ID: 350b929c-a13e-4965-beef-7501191030ea
Timestamp: 2020-08-24 19:14:56Z

@AshokPeddakotla-MSFT
Contributor

@ksaye Thanks for the feedback! We are currently investigating and will update you shortly.

@SatishBoddu-MSFT
Contributor

Hello @ksaye Thanks for reaching out to us!

  • Did you see a browser window opened (triggered) when you ran the sample code?

  • Please verify the AAD application registration permissions in your Azure account and let us know if it is set like 'http://localhost' as a redirect URL & "Public client/native (mobile & desktop)" rather than 'Web'.

@SatishBoddu-MSFT
Contributor

Hello @ksaye I am able to repro the issue.

Reason: I am not using the right Authentication Platform for my AAD application.

Troubleshooting:
Below is the corrective action you may need to consider: on your AAD app's Authentication option --> Add platform --> choose the 'Mobile and Desktop application' this time, and configure the 'Redirect URL' also, as shown in the below images.

image

image

@AshokPeddakotla-MSFT
Contributor

@ksaye Does that answer your question? Do let us know if you are still blocked.
We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

@ksaye
Author

ksaye commented Aug 31, 2020

@AshokPeddakotla-MSFT Thanks, that did fix it. I think the following document needs to be changed: https://docs.microsoft.com/en-us/azure/digital-twins/how-to-set-up-instance-portal, as it instructs to use the web authentication, not the mobile / desktop.

@baanders
Contributor

Thank you, @ksaye! You are correct. Updating the instructions in this PR to the doc: #127805

@serverless-secure
image
Migrate URIs to Single Page Application

@deepakkumarsharma2007
deepakkumarsharma2007 commented Jun 14, 2021

Post migration from Angular 7 to 11:
We received a similar error, but from an Angular app. And redirectUrl is registered as web in the Authentication section of the AAD app.
The problem is that it works in localhost:8080.

MSAL Log: [Tue, 27 Apr 2021 12:23:51 GMT] : : @azure/msal-browser@2.14.1 : Info - Emitting event: msal:handleRedirectStart
main-es2015.f147e7f539e3d0f3fc6a.js:1 MSAL Log: [Tue, 27 Apr 2021 12:23:51 GMT] : : @azure/msal-common@4.2.1 : Info - in acquireToken call
login.microsoftonline.com/41ff26dc-250f-4b13-8981-739be8610c21/oauth2/v2.0/token:1 Failed to load resource: the server responded with a status of 401 (Unauthorized)
main-es2015.f147e7f539e3d0f3fc6a.js:1 MSAL Log: [Tue, 27 Apr 2021 12:23:52 GMT] : : @azure/msal-browser@2.14.1 : Info - BrowserCacheManager.cleanRequestByInteractionType: Removing temporary cache items for state: eyJpZCI6IjBlOTI5NThkLWRjN2UtNGVjYi04NDNmLWU1MTdjNTBjNWE0YiIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoicmVkaXJlY3QifX0=
main-es2015.f147e7f539e3d0f3fc6a.js:1 MSAL Log: [Tue, 27 Apr 2021 12:23:52 GMT] : : @azure/msal-browser@2.14.1 : Info - Emitting event: msal:loginFailure
main-es2015.f147e7f539e3d0f3fc6a.js:1 2021-Apr-27 17:53:52,870 ERROR FDPClientLogger - msal:loginFailure{"eventType":"msal:loginFailure","interactionType":"redirect","payload":null,"error":{"errorCode":"invalid_client","errorMessage":"7000218 - [2021-04-27 12:23:52Z]: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: de95dcbe-a5b7-46f8-9afd-192cd47a7a00\r\nCorrelation ID: 4fefa52a-fdbf-4e5e-a063-108b79a865dd\r\nTimestamp: 2021-04-27 12:23:52Z - Correlation ID: 4fefa52a-fdbf-4e5e-a063-108b79a865dd - Trace ID: de95dcbe-a5b7-46f8-9afd-192cd47a7a00","subError":"","name":"ServerError"},"timestamp":1619526232870}

BrowserConsoleAppender.append @ main-es2015.f147e7f539e3d0f3fc6a.js:1
main-es2015.f147e7f539e3d0f3fc6a.js:1 MSAL Log: [Tue, 27 Apr 2021 12:23:52 GMT] : : @azure/msal-browser@2.14.1 : Info - Emitting event: msal:handleRedirectEnd
main-es2015.f147e7f539e3d0f3fc6a.js:1 ServerError: invalid_client: 7000218 - [2021-04-27 12:23:52Z]: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: de95dcbe-a5b7-46f8-9afd-192cd47a7a00
Correlation ID: 4fefa52a-fdbf-4e5e-a063-108b79a865dd
Timestamp: 2021-04-27 12:23:52Z - Correlation ID: 4fefa52a-fdbf-4e5e-a063-108b79a865dd - Trace ID: de95dcbe-a5b7-46f8-9afd-192cd47a7a00

@richard457
Having the same issue here AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

@richard457
using the ms-identity-javascript-react-spa example from documentation

@dontpanic003
same for me, it doesn't work and asks for client_secret.
Interestingly it works well in the console app sample but when I move it to an app (literally copy/pasting, same credentials) it gives me this error.

@danhellem
Contributor

@elenalash what do you mean when you say you moved it to an app? What kind of app did you move it to?

@deepakkumarsharma2007
deepakkumarsharma2007 commented Jul 16, 2021 via email

@matthew1davis
@deepakkumarsharma2007

I fixed mine when I moved from redirect uri to SPA.

My code now throws a new error after changing from Web to SPA:

invalid_request
AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.
Trace ID: f383c812-0f5d-487f-b162-64c60ca17a00
Correlation ID: 641e9263-0445-4c0e-927f-902dced756a6
Timestamp: 2022-08-10 17:40:43Z
641e9263-0445-4c0e-927f-902dced756a6

The below previously accepted answer of switching the platform to Mobile and desktop applications did the trick for me.

Hello @ksaye I am able to repro the issue.

Reason: I am not using the right Authentication Platform for my AAD application.

Troubleshooting: Below is the corrective action you may need to consider: on your AAD app's Authentication option --> Add platform --> choose the 'Mobile and Desktop application' this time, and configure the 'Redirect URL' also, as shown in the below images.

image

image
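
The platform mismatches reported in this thread, written as a check over an app registration (an added example, not code from the issue or from the Azure SDK). It assumes the registration is available as Microsoft Graph `application` JSON with `web`, `spa` and `publicClient` redirect URI lists; the sample registration and the `diagnose` helper are constructed for illustration.

```javascript
// Added example: which platform is a redirect URI registered under, and which
// error from this thread does that predict for a given kind of client?
// Assumed input: Microsoft Graph `application` JSON (web / spa / publicClient).

// Constructed registration with placeholder values (not taken from the issue).
const sampleApp = {
  appId: "00000000-0000-0000-0000-000000000000",
  web: { redirectUris: ["http://localhost"] },
  spa: { redirectUris: ["https://app.example.test/auth"] },
  publicClient: { redirectUris: [] },
};

// Mismatches reported in the thread: "<client kind>:<registered platform>".
const REPORTED_ERRORS = {
  "desktop:web": "AADSTS7000218", // InteractiveBrowserCredential, URI under Web
  "browser:web": "AADSTS7000218", // msal-browser app, URI under Web
  "desktop:spa": "AADSTS9002327", // desktop app after moving the URI to SPA
};

// Platform each client kind needs, per the fixes posted in the thread.
const REQUIRED_PLATFORM = { desktop: "publicClient", browser: "spa" };

// Exact string match; returns every platform that lists the URI.
function platformsFor(app, redirectUri) {
  return ["web", "spa", "publicClient"].filter((p) =>
    ((app[p] && app[p].redirectUris) || []).includes(redirectUri));
}

function diagnose(app, redirectUri, clientKind) {
  const wanted = REQUIRED_PLATFORM[clientKind];
  if (!wanted) throw new Error(`unknown client kind: ${clientKind}`);
  const platforms = platformsFor(app, redirectUri);
  if (platforms.length === 0) return { status: "unregistered", platforms };
  if (platforms.includes(wanted)) return { status: "ok", platforms };
  const expectedError = REPORTED_ERRORS[`${clientKind}:${platforms[0]}`];
  return expectedError
    ? { status: "mismatch", platforms, expectedError, moveTo: wanted }
    : { status: "not-covered", platforms }; // combination the thread never reports
}

console.log(diagnose(sampleApp, "http://localhost", "desktop"));
```

A `mismatch` result names the platform section the redirect URI has to move to; `not-covered` marks a combination nobody in the thread reported, so no error code is predicted for it.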
