
[Bug] Public Client AcquireTokenInteractive errors with requirement for client_assertion or client_secret

Open colinhuckstep opened this issue 1 year ago • 1 comment

Which version of MSAL Go are you using? Note that to get help, you need to run the latest version.

Where is the issue?

  • Public client
    • [ ] Device code flow
    • [ ] Username/Password (ROPC grant)
    • [ ] Authorization code flow
  • Confidential client
    • [ ] Authorization code flow
    • [ ] Client credentials:
      • [ ] client secret
      • [ ] client certificate
  • Token cache serialization
    • [ ] In-memory cache
  • Other (please describe) AcquireTokenInteractive

Is this a new or an existing app? Existing application we are trying to migrate from ADFS to EntraID.

What version of Go are you using (go version)?

go version go1.23.0 windows/amd64

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GOHOSTARCH=amd64
set GOHOSTOS=windows

Repro

import (
	"context"
	"net/http"

	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
)

// log is the app's own logger (Errorf/Fatalf); entra holds the app's client,
// middle-tier and tenant IDs. Neither is shown in the report.
func getSAMLTokenFromEntraID(client *http.Client) (string, error) {
	scopes := []string{entra.MiddletierId + "/.default"}
	app, err := public.New(entra.Id, public.WithHTTPClient(client))
	if err != nil {
		log.Errorf("Error creating EntraID Login App: %v", err)
		return "", err // app is unusable when New fails, so return instead of continuing
	}
	authTokenResult, err := app.AcquireTokenInteractive(context.Background(), scopes, public.WithTenantID(entra.TenantId))
	if err != nil {
		log.Fatalf("Error getting token: %v", err)
	}
	return authTokenResult.AccessToken, err
}

Expected behavior

An access token should be returned.

Actual behavior

An error is thrown:

The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

These are not valid options for a public client.

Possible solution

Additional context / logs / screenshots

FATAL: Error getting token: could not retrieve token from auth code: http call(https://login.microsoftonline.com/{{ tenant }}/oauth2/v2.0/token)(POST) error: reply status code was 401: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: {{ redacted }} Correlation ID: {{ redacted }} Timestamp: 2024-09-16 17:29:30Z","error_codes":[7000218],"timestamp":"2024-09-16 17:29:30Z","trace_id":"{{ redacted }}","correlation_id":"{{ redacted }}","error_uri":"https://login.microsoftonline.com/error?code=7000218"}

colinhuckstep avatar Sep 16 '24 17:09 colinhuckstep

I have encountered this issue as well. To resolve it, adjust your authentication settings. Navigate to Authentication > Advanced Settings (scroll down) and enable the option for Allow Public Client Flows. This should help you resolve the issue.

On top of that, just make sure the redirect URI is for Mobile & Apps and not for Web.

realjesset avatar May 29 '25 10:05 realjesset
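Added example, not code from MSAL Go or from either poster: a small Go helper that pulls the token-endpoint reply out of the error string MSAL Go returns (the FATAL line in the report) and maps AADSTS7000218 to the two registration changes described in the reply above. Field names follow the JSON in the report; parseMSALError, diagnose and sampleLog are names chosen here, and the sample input is the report's own log line embedded as a constant.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// entraBody is the JSON error document the v2.0 token endpoint returns (fields as in the FATAL line above).
type entraBody struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
	ErrorCodes       []int  `json:"error_codes"`
	CorrelationID    string `json:"correlation_id"`
}

// MSAL Go wraps the reply as "... reply status code was NNN: {json}"; anchoring on that
// phrase rather than the first "{" avoids the braces in the URL ("{{ tenant }}" above).
var replyRe = regexp.MustCompile(`reply status code was (\d+): (\{.*\})`)

// parseMSALError returns the HTTP status and decoded body of such an error.
func parseMSALError(msg string) (int, entraBody, error) {
	m := replyRe.FindStringSubmatch(msg)
	if m == nil {
		return 0, entraBody{}, fmt.Errorf("not a token endpoint reply error")
	}
	status, _ := strconv.Atoi(m[1]) // the regex guarantees digits
	var body entraBody
	if err := json.Unmarshal([]byte(m[2]), &body); err != nil {
		return 0, entraBody{}, fmt.Errorf("decode error body: %w", err)
	}
	return status, body, nil
}

// diagnose maps the code from this issue to the fix given in the thread; others are reported verbatim.
func diagnose(status int, body entraBody) string {
	for _, c := range body.ErrorCodes {
		if c == 7000218 {
			return "AADSTS7000218: the token endpoint expects a client credential; enable " +
				"'Allow public client flows' and register the redirect URI under " +
				"'Mobile and desktop applications' rather than adding a client secret"
		}
	}
	return fmt.Sprintf("%s (HTTP %d): %s [correlation %s]",
		body.Error, status, body.ErrorDescription, body.CorrelationID)
}

// sampleLog is the FATAL line from this issue, embedded as constructed test input.
const sampleLog = `FATAL: Error getting token: could not retrieve token from auth code: http call(https://login.microsoftonline.com/{{ tenant }}/oauth2/v2.0/token)(POST) error: reply status code was 401: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: {{ redacted }} Correlation ID: {{ redacted }} Timestamp: 2024-09-16 17:29:30Z","error_codes":[7000218],"timestamp":"2024-09-16 17:29:30Z","trace_id":"{{ redacted }}","correlation_id":"{{ redacted }}","error_uri":"https://login.microsoftonline.com/error?code=7000218"}`
```

Calling diagnose on the parsed sampleLog yields the AADSTS7000218 remediation; an error string without the "reply status code was" phrase is reported as not parseable rather than guessed at.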