azure-activedirectory-library-for-ruby
Get error: AADSTS70002 - request body missing client_secret or client_assertion
The following error comes up when the following examples are run:
- User credential
- On behalf of user
When the code is executed, the user is asked to enter a username and password, after which the error comes up:
ERROR -- 4420c0e4-8101-4319-9d0e-8368a660f888: Parsed an ErrorResponse with error: invalid_client and error description: AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'. Trace ID: 63d3ea78-fbeb-4b36-8b97-e208adee0c00 Correlation ID: 4420c0e4-8101-4319-9d0e-8368a660f888 Timestamp: 2017-11-02 05:55:23Z.
+1 here - why is this required for the user credentials flow?
Right, I've done a bit of digging around this - the summary of my investigation is that Azure for ActiveDirectory REQUIRES a client secret to be set.
The problem with this is that ROPG should not be sending client secrets.
ADAL supports sending (though undocumented) a client secret with the rest of the credentials, however, this library (correctly) does not do this.
It would be better to state the REAL problem in that AAD does not correctly support ROPG.
References:
- https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/pull/99
- https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/pull/99/files/0d993673346d142a84f0448aab0d7d8749fec945#r57519683
In addition to the username and password sample not working, the on behalf of sample does not work as it also depends on using user credentials for the bearer token.
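An added example for triaging this error, not code from the issue or from the ADAL library: it builds the RFC 6749 password-grant form body with and without `client_secret`, reports which client authentication parameters a body carries, and parses the AADSTS description from the log line above. The helper names and the sample credential values are constructed for illustration.

```ruby
require 'uri'

# Added example: stdlib only, does not use or reproduce the ADAL Ruby API.
CLIENT_AUTH_PARAMS = %w[client_secret client_assertion].freeze

# Form body for an RFC 6749 section 4.3.2 password grant. client_secret is
# optional so both variants discussed in the thread can be compared.
def password_grant_body(client_id:, username:, password:, client_secret: nil)
  params = {
    'grant_type' => 'password',
    'client_id'  => client_id,
    'username'   => username,
    'password'   => password
  }
  params['client_secret'] = client_secret if client_secret
  URI.encode_www_form(params)
end

# Names of client authentication parameters present in a form-encoded body.
def client_auth_params(body)
  URI.decode_www_form(body).map(&:first) & CLIENT_AUTH_PARAMS
end

# Pulls the fields needed for triage out of an AADSTS error description.
def parse_aadsts(description)
  {
    code:           description[/\bAADSTS\d+/],
    trace_id:       description[/Trace ID: ([0-9a-f-]{36})/i, 1],
    correlation_id: description[/Correlation ID: ([0-9a-f-]{36})/i, 1],
    timestamp:      description[/Timestamp: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z)/, 1]
  }
end

# Error description copied from the log line in this issue.
DESCRIPTION = "AADSTS70002: The request body must contain the following " \
  "parameter: 'client_secret or client_assertion'. " \
  "Trace ID: 63d3ea78-fbeb-4b36-8b97-e208adee0c00 " \
  "Correlation ID: 4420c0e4-8101-4319-9d0e-8368a660f888 " \
  "Timestamp: 2017-11-02 05:55:23Z."

# Constructed sample values, not real credentials.
sample = { client_id: 'example-client-id', username: 'user@example.com',
           password: 'not-a-real-password' }
puts client_auth_params(password_grant_body(**sample)).inspect
puts client_auth_params(password_grant_body(**sample, client_secret: 'example-secret')).inspect
puts parse_aadsts(DESCRIPTION).inspect
```

Running `client_auth_params` over a captured token request body shows whether the request that produced AADSTS70002 carried either parameter the error names.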