Unable to authenticate using device login #14
Description
Hi
I am using an MSDN subscription linked to my company's Entra tenant. The app registration has been created as per the documentation by my Entra admin team. I have added the client and tenantID and set the scopes as per the document.
{
  "AppSettings": {
    "...": "...",
    "clientId": "<Your Application (Client) ID>",
    "tenantId": "<Your Directory (Tenant) ID>",
    "scope": "499b84ac-1321-427f-aa17-267ca6975798/.default"
  }
}
(I tried setting the scopes section to my subscription ID but then the device login fails, so I assume I need to use the scopes as per the document.) One other thing to note is that it's a scopes section in the app settings.json and scope in the documentation. I have tried with both scopes and scope and get the same result.
When I then run the app, select device login and follow the instructions on the device login page, I am able to successfully supply the device login code and my Entra ID details. Once I have supplied my Entra ID details, I get the message on the web page that the login was successful and that I can close the page. At this point the exception below is thrown. Reviewing the doc suggested in the exception for 'invalid_client', it says "invalid_client Client authentication failed. The client credentials aren't valid. To fix, the Application Administrator updates the credentials."
What am I doing wrong?
Kind regards
David
Unhandled exception. MSAL.NetCore.4.66.2.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: b5f42a29-0a47-41b3-be4e-3d10e2707e00 Correlation ID: 6adc73b0-e342-45f7-b6cf-f739d6a8898a Timestamp: 2025-02-06 12:19:47Z
at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`2 onBeforePostRequestData)
at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.DeviceCodeRequest.WaitForTokenResponseAsync(DeviceCodeResult deviceCodeResult, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.DeviceCodeRequest.WaitForTokenResponseAsync(DeviceCodeResult deviceCodeResult, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.DeviceCodeRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<b__1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenWithDeviceCodeParameters deviceCodeParameters, CancellationToken cancellationToken)
at ADOGenerator.Services.AuthService.AcquireTokenAsync(IPublicClientApplication app) in /Users/david.mcgrath/work/AzDevOpsDemoGenerator/src/ADOGenerator/Services/AuthService.cs:line 38
at Program.
at Program.(String[] args)
StatusCode: 401
ResponseBody: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: b5f42a29-0a47-41b3-be4e-3d10e2707e00 Correlation ID: 6adc73b0-e342-45f7-b6cf-f739d6a8898a Timestamp: 2025-02-06 12:19:47Z","error_codes":[7000218],"timestamp":"2025-02-06 12:19:47Z","trace_id":"b5f42a29-0a47-41b3-be4e-3d10e2707e00","correlation_id":"6adc73b0-e342-45f7-b6cf-f739d6a8898a","error_uri":"https://login.microsoftonline.com/error?code=7000218","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"e1e87097-b61d-4378-a1d8-77a0637bbafc\"]}}}"}
Headers: Cache-Control: no-store, no-cache
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
client-request-id: 6adc73b0-e342-45f7-b6cf-f739d6a8898a
x-ms-request-id: b5f42a29-0a47-41b3-be4e-3d10e2707e00
x-ms-ests-server: 2.1.19962.7 - SEC ProdSlices
x-ms-clitelem: 1,7000218,0,,
x-ms-srs: 1.P
Content-Security-Policy-Report-Only: object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-n7ZfumvdSJ8zaXvCh_Cmfw' 'unsafe-inline' 'unsafe-eval' https://.msauth.net https://.msftauth.net https://.msftauthimages.net https://.msauthimages.net https://.msidentity.com https://.microsoftonline-p.com https://.microsoftazuread-sso.com https://.azureedge.net https://.outlook.com https://.office.com https://.office365.com https://.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All
X-XSS-Protection: 0
Set-Cookie: fpc=ApQRDSz7FSFAq5fniv3k7Yohkk7iAQAAALSfNt8OAAAAndB1TAEAAADjnzbfDgAAAA; expires=Sat, 08-Mar-2025 12:19:47 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; httponly
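
Added example (not part of the original post or of the ADOGenerator project): a small triage helper that parses the `ResponseBody` JSON from the exception above, decodes the nested `claims` string, and flags the case where the token endpoint demanded client credentials during a device code request. The function name and the hint text are assumptions of this example; the hint names the usual cause of AADSTS7000218 in a public-client flow and is not confirmed for this tenant.

```python
import json
import re

# Response body from the exception output above, shortened: error_uri and the
# duplicate timestamp field are dropped. All IDs are the ones shown in the post.
SAMPLE_BODY = r'''{"error":"invalid_client",
"error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: b5f42a29-0a47-41b3-be4e-3d10e2707e00 Correlation ID: 6adc73b0-e342-45f7-b6cf-f739d6a8898a Timestamp: 2025-02-06 12:19:47Z",
"error_codes":[7000218],
"trace_id":"b5f42a29-0a47-41b3-be4e-3d10e2707e00",
"correlation_id":"6adc73b0-e342-45f7-b6cf-f739d6a8898a",
"claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"e1e87097-b61d-4378-a1d8-77a0637bbafc\"]}}}"}'''


def triage_token_error(body: str) -> dict:
    """Summarise a token-endpoint error body for a support ticket (hypothetical helper)."""
    doc = json.loads(body)
    desc = doc.get("error_description", "")
    code = re.match(r"AADSTS\d+", desc)

    # 'claims' is a JSON document carried as a string; decode it separately.
    raw_claims = doc.get("claims")
    claims = json.loads(raw_claims) if raw_claims else {}

    # The server names the missing parameters when it expects a confidential client.
    demanded = "client_secret" in desc or "client_assertion" in desc
    hint = None
    if doc.get("error") == "invalid_client" and demanded:
        hint = ("Token endpoint expected client credentials. Device code is a "
                "public-client flow and sends none: check that the app "
                "registration allows public client flows instead of adding "
                "a secret to the client.")
    return {
        "error": doc.get("error"),
        "aadsts": code.group(0) if code else None,
        "error_codes": doc.get("error_codes", []),
        "trace_id": doc.get("trace_id"),
        "correlation_id": doc.get("correlation_id"),
        "client_auth_demanded": demanded,
        "claims": claims,
        "hint": hint,
    }


if __name__ == "__main__":
    print(json.dumps(triage_token_error(SAMPLE_BODY), indent=2))
```

The trace and correlation IDs in the result are the values a tenant administrator needs to find the matching entry in the Entra sign-in logs.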