Azure AD Microsoft Account Client is public so neither 'client_assertion' nor 'client_secret' should be presented
I am having the following problem:

Exception: OAuth token endpoint failure: Status: Body: {"error":"invalid_client","error_description":"AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented"}.

I am using the Microsoft.AspNetCore.Authentication.MicrosoftAccount library.

Program file

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);
int tiempoDeSesion = 30; // session length in minutes; the question does not show the real value

builder.Services.AddAuthentication()
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    options.LoginPath = "/page";
    options.LogoutPath = "/page";
    options.AccessDeniedPath = "/page?code={0}";
    options.ExpireTimeSpan = TimeSpan.FromMinutes(tiempoDeSesion);
    options.Cookie.Name = ".CookieName.Sec";
    options.SlidingExpiration = true;
})
.AddMicrosoftAccount(microsoftOptions =>
{
    // Client credentials read from the AzureAd section of appsettings.json
    microsoftOptions.ClientId = builder.Configuration["AzureAd:ClientId"];
    microsoftOptions.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];
    // Must match a redirect URI registered on the app registration
    microsoftOptions.CallbackPath = new PathString("/signin-microsoft-token");
    // Tenant-specific v2.0 endpoints instead of the library's default "common" endpoints
    microsoftOptions.AuthorizationEndpoint = $"https://login.microsoftonline.com/{builder.Configuration["AzureAd:TenantId"]}/oauth2/v2.0/authorize";
    microsoftOptions.TokenEndpoint = $"https://login.microsoftonline.com/{builder.Configuration["AzureAd:TenantId"]}/oauth2/v2.0/token";
    microsoftOptions.Scope.Add("https://graph.microsoft.com/user.read");
    microsoftOptions.SaveTokens = true;
    // Map fields of the Graph /me response onto claims
    microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
    microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.Name, "displayName");
    microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "givenName");
    microsoftOptions.ClaimActions.MapJsonKey(ClaimTypes.Surname, "surname");
    microsoftOptions.ClaimActions.MapCustomJson(ClaimTypes.Email,
                                   user => user.GetString("mail") ?? user.GetString("userPrincipalName"));
});
```
Quintan answered 18/9, 2022 at 21:23 Comment(2)
Maybe this could help: learn.microsoft.com/en-us/answers/questions/898979/… – Panoply
Public clients are applications such as mobile applications and single page JavaScript applications that can't keep secrets confidential. From this document. Could you please let us know the type of your application which is trying to integrate Azure AD? – Unopened
The error "AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented" usually occurs if you are using Public Client Application and passing the client_secret to generate the access token.

You can verify whether your application is Public client or not like below:

[screenshot from the original answer: the app registration's Authentication page]

Mobile and desktop applications are public clients. If you want your Azure AD application to be public, then you can avoid sending the client_secret parameter by removing the line below from the code:

```csharp
microsoftOptions.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];
```

After excluding the client_secret, try generating the access token.

If you want your application to be confidential, then make sure to change your existing Azure AD application, or create a new Azure AD application, as Web like below:

Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Authentication -> Save

[screenshot from the original answer: Authentication page with the Web platform configured]

This configuration will make your Azure AD application confidential and you can pass client_secret to generate an access token.

I tried to reproduce the same in my environment via Postman and got the access token successfully for the Web application like below:

```http
POST https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
```

[screenshot from the original answer: Postman token request and response]

Please note that public applications are restricted, and they cannot pass any secrets.

Reference:

Public and confidential client apps (MSAL) - Microsoft Entra

Wisecrack answered 19/9, 2022 at 9:0 Comment(1)
@Paula-Code Just to add to that; sadly, the (Azure Portal) app registration does not show/display a 'SPA' platform (/redirect URL) as being a 'Public client', so you also need to look at the 'spa' count too, and not just the "public client" count (in isolation). But the backend (although happy with a 'Web' platform) will let you know that it doesn't like a configured 'SPA' platform (configured against the app registration in this particular situation), with that same error message: "AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented." – Uel
The previous answer didn't help, but the comments from @DennisVM-D2i and @Tiny Wang gave the exact answer. Posting it as a solution, hoping someone else will find it useful in the future.

1. First check the application manifest and see if "allowPublicClient" is set to null / false.

   ```json
   "allowPublicClient": false,
   ```

2. Go to the Authentication tab and make sure your redirect URI is added under "Web". For me, I had the redirect URI for which I needed a confidential client application under SPA, and that gave me AADSTS700025 even though the application was not configured as a public client.

[screenshot from the original answer: Check your redirect URI configuration]

Cordeiro answered 28/5, 2024 at 12:31 Comment(1)
For me it was the option called "Allow public client flows". I had to deactivate it and now it works. – Pathfinder
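The two answers and the comments above point at three registration settings that decide whether the token endpoint treats the app as public (the "Allow public client flows" toggle, redirect URIs registered under SPA rather than Web, and whether the app actually sends a client_secret). The following script is an added example, not code from the thread or from Microsoft: it reads an exported app manifest and reports the mismatches that produce AADSTS700025, plus the opposite mistake (a confidential Web registration whose app sends no secret) and a CallbackPath that matches no registered redirect URI. It assumes the classic Azure AD manifest shape, where the toggle is the boolean `allowPublicClient` and redirect URIs live in `replyUrlsWithType` entries typed `Web`, `Spa` or `InstalledClient`; the three manifests embedded in it are constructed samples with a placeholder appId.

```python
"""Added example: audit an Azure AD app-registration manifest for the
client-type mismatch behind AADSTS700025.

Assumptions (not stated in the thread): the classic app manifest format,
with the boolean "allowPublicClient" (the portal's "Allow public client
flows" toggle) and a "replyUrlsWithType" list whose entries carry a "type"
of "Web", "Spa" or "InstalledClient". The manifests below are constructed
samples, not exports from a real tenant."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed manifests with a placeholder appId.
SPA_MISREGISTERED = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "allowPublicClient": null,
  "replyUrlsWithType": [
    {"url": "https://localhost:5001/signin-microsoft-token", "type": "Spa"}
  ]
}"""
PUBLIC_FLOWS_ON = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "allowPublicClient": true,
  "replyUrlsWithType": [
    {"url": "https://localhost:5001/signin-microsoft-token", "type": "Web"}
  ]
}"""
WEB_CONFIDENTIAL = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "allowPublicClient": false,
  "replyUrlsWithType": [
    {"url": "https://localhost:5001/signin-microsoft-token", "type": "Web"}
  ]
}"""


@dataclass
class ManifestFindings:
    allow_public_client: bool
    redirects_by_platform: dict[str, list[str]] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)

    @property
    def is_public_client(self) -> bool:
        # As the thread observes, a SPA redirect URI makes the registration
        # public in the token endpoint's eyes even when the toggle is off.
        return self.allow_public_client or bool(self.redirects_by_platform.get("Spa"))


def audit_manifest(manifest_json: str, sends_client_secret: bool,
                   callback_path: str | None = None) -> ManifestFindings:
    """Compare what the registration is with what the app will send.

    sends_client_secret: True when the web app sets ClientSecret, as the
    question's AddMicrosoftAccount block does.
    callback_path: the app's CallbackPath, checked against every redirect URI.
    """
    manifest = json.loads(manifest_json)
    # null and false both mean "not a public client"
    findings = ManifestFindings(allow_public_client=bool(manifest.get("allowPublicClient")))

    for entry in manifest.get("replyUrlsWithType", []):
        findings.redirects_by_platform.setdefault(entry.get("type", "Web"), []).append(entry["url"])

    spa = findings.redirects_by_platform.get("Spa", [])
    web = findings.redirects_by_platform.get("Web", [])

    if sends_client_secret and findings.allow_public_client:
        findings.problems.append(
            "allowPublicClient is true ('Allow public client flows'): the token endpoint "
            "rejects a client_secret with AADSTS700025; disable it for a server-side web app")
    if sends_client_secret and spa:
        findings.problems.append(
            "redirect URI(s) registered under SPA: " + ", ".join(spa)
            + "; re-register them under Web so the confidential client may present a secret")
    if not sends_client_secret and web and not findings.is_public_client:
        findings.problems.append(
            "confidential Web registration but the app sends no client_secret: "
            "authorization-code redemption will be refused for the missing credential")
    if callback_path is not None:
        registered = [u for urls in findings.redirects_by_platform.values() for u in urls]
        if not any(urlparse(u).path == callback_path for u in registered):
            findings.problems.append(f"no registered redirect URI ends in CallbackPath {callback_path}")
    return findings


if __name__ == "__main__":
    for name, manifest in [("SPA_MISREGISTERED", SPA_MISREGISTERED),
                           ("PUBLIC_FLOWS_ON", PUBLIC_FLOWS_ON),
                           ("WEB_CONFIDENTIAL", WEB_CONFIDENTIAL)]:
        result = audit_manifest(manifest, sends_client_secret=True,
                                callback_path="/signin-microsoft-token")
        print(name, "->", result.problems or ["OK"])
```

Run it against a manifest downloaded from the portal's Manifest blade (paste it in place of one of the constructed samples) with `sends_client_secret` set to whether your Program file assigns `microsoftOptions.ClientSecret`; an empty `problems` list means the registration and the app agree on the client type and on the callback path.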